Mirkowska, Salwicki - Algorithmic Logic (1e 1987)


ALGORITHMIC LOGIC
Grazyna Mirkowska
Andrzej Salwicki

D. Reidel Publishing Company
PWN - Polish Scientific Publishers

G. MIRKOWSKA, Institute of Mathematics, University of Warsaw
A. SALWICKI, Institute of Informatics, University of Warsaw

ALGORITHMIC LOGIC

D. REIDEL PUBLISHING COMPANY
A MEMBER OF THE KLUWER ACADEMIC PUBLISHERS GROUP
DORDRECHT / BOSTON / LANCASTER / TOKYO

PWN - POLISH SCIENTIFIC PUBLISHERS
WARSZAWA
Library of Congress Cataloging-in-Publication Data
CIP
Mirkowska-Salwicka, Grazyna.
Algorithmic logic.
Bibliography: p.
Includes index.
1. Formal languages. 2. Algorithms. 3. Logic, Symbolic and mathematical. I. Salwicki, Andrzej. II. Title.
QA267.3.M57 1986 511.3 85-2201
ISBN 90-277-1928-4

This edition published by PWN—Polish Scientific Publishers, Warszawa, Poland,
in co-publication with
D. Reidel Publishing Company, P.O. Box 17, 3300 AA Dordrecht, Holland

Distributors for Albania, Bulgaria, Cuba, Czechoslovakia, German Democratic Republic, Hungary, Korean People's Democratic Republic, Mongolia, People's Republic of China, Poland, Romania, the U.S.S.R., Vietnam and Yugoslavia:
ARS POLONA
Krakowskie Przedmiescie 7, 00-068 Warszawa 1, Poland

Sold and distributed in the U.S.A. and Canada
by Kluwer Academic Publishers,
101 Philip Drive, Assinippi Park, Norwell, MA 02061, U.S.A.

In all other countries, sold and distributed
by Kluwer Academic Publishers Group,
P.O. Box 322, 3300 AH Dordrecht, Holland

All Rights Reserved
Copyright © 1987 by PWN—Polish Scientific Publishers—Warszawa.
No part of the material protected by this copyright notice may be reproduced or utilized in any form or by any means, electronic or mechanical, including photocopying, recording or by any information storage or retrieval system, without written permission from the copyright owner.

PRINTED IN POLAND
CONTENTS

PREFACE  IX

CHAPTER I. INTRODUCTION  1
1. The motivations  1
2. An informal introduction to formalized languages  5
3. Assigning meanings to programs  11
4. Semantic properties of programs  16
5. Expressivity. An introduction to the language of algorithmic logic  18
6. On applications  20

CHAPTER II. LOGIC OF DETERMINISTIC ITERATIVE PROGRAMS  23
1. Language  24
2. Semantics  30
3. Expressiveness  38
4. Properties of the semantic consequence operation  51
5. Axiomatization  56
6. Models and consistency  65
7. Useful tautologies and inference rules  69
8. An example of a correctness proof  75
Bibliographic remarks  77

CHAPTER III. METAMATHEMATICAL INVESTIGATIONS OF ALGORITHMIC LOGIC  79
1. Lindenbaum algebra  79
2. The Completeness Theorem  89
3. Two corollaries of the Completeness Theorem  95
4. The standard execution method is implicitly defined by the axiomatization of algorithmic logic  97
5. Gentzen type axiomatization  103
6. The normal form of programs  109
7. Equality  115
8. Generalized terms  119
9. Partial functions  122
10. Many sorted structures  127
11. Definability and programmability  131
12. Inessentiality of definitions  135
Bibliographic remarks  137

CHAPTER IV. ALGORITHMIC PROPERTIES OF DATA STRUCTURES  138
1. Data structures in programming  138
2. Dictionaries  141
3. Theory of dictionaries  142
4. Representation theorem for models of ATD  149
5. On complexity of ATD  151
6. The theory of priority queues  154
7. The theory of natural numbers  155
8. Stacks  159
9. The theory of stacks  160
10. The representation theorem for stacks  164
11. Implementation of arithmetic and dictionaries  166
12. Theory of links and stacks: ATSL  167
13. Implementation of stacks in the LOGLAN programming language  173
14. Queues  176
15. Binary trees  179
16. Binary search trees  181
17. An interpretation of the theory of priority queues  184
18. An implementation of priority queues  187
19. Arrays  190
20. Hashtables  193
21. Rational numbers  194
22. Complex numbers  195
23. Real numbers  200
24. Concluding remarks  202
Bibliographic remarks  204

CHAPTER V. PROPOSITIONAL ALGORITHMIC LOGIC  206
1. Syntax and semantics  208
2. Semantic properties of program schemes  212
3. Properties of semantic structures  221
4. The semantic consequence operation is not compact  228
5. The syntactic consequence operation  229
6. Examples of propositional theories  233
7. Lindenbaum algebra  237
8. Deterministic and total interpretations of atomic programs  239
9. Partial functional interpretations  243
10. Bounded non-determinism: The Completeness Theorem  248
11. Elimination of bounded non-deterministic program variables  257
12. Yanov schemes  261
13. Application of PAL in microprogramming  263
Bibliographic remarks  268

CHAPTER VI. NON-DETERMINISM IN ALGORITHMIC LOGIC  269
1. Non-deterministic while-programs and their semantics  270
2. Properties of non-deterministic programs  273
3. The Substitution Theorem  277
4. Non-deterministic algorithmic logic  282
5. Certain metamathematical results  286
6. On isomorphism of data structures  289
7. On the equivalence of non-deterministic programs  291
Bibliographic remarks  297

CHAPTER VII. PROBLEMS AND THEORIES INSPIRED BY THE LOGLAN PROJECT  298
1. Concurrent programs  299
2. MAX semantics  300
3. Comparison with some other concepts of concurrency  303
4. A comparison of MAX and ARB semantics in the case of Petri nets  311
5. Critical remarks concerning MAX semantics  315
6. LIBERAL semantics  318
7. An algorithmic theory of references  328
8. Representation theorem for ATR theory  332
9. Specification of univocal references  338
10. Virtual memory  339
11. Concatenable type declarations  341
12. An implementation of rational numbers  344
Bibliographic remarks  346

Appendix A. Boolean algebras  348
Appendix B. The proof of Lemma 2.2 from Chapter III  352
Bibliography  356
Index  369
PREFACE

The purpose of this book is manifold. It is intended both to present techniques useful in software engineering and to expose results of research on properties of these techniques.
The major goal of the book is to help the reader in elaboration of his
own views on foundations of computing. The present authors believe
that semantics of programs will always be the necessary foundation
for every student of computing. On this foundation one can construct
subsequent layers of skill and knowledge in computer science. Later
one discovers more questions of a different nature, e.g. on cost and
optimality of algorithms. This book shall be mainly concerned with
semantics.
Secondly, the book aims to supply a new set of logical axioms and
inference rules appropriate for reasoning about the properties of algo­
rithms. Such tools are useful for formalizing the verification and analy­
sis of algorithms. The tools should be of quality—they should be
consistent and complete. These and similar requirements lead us toward
metamathematical questions concerning the structure of algorithmic
logic.
Algorithmic properties are expressed by algorithmic formulas in a straightforward way. Therefore the analysis of algorithms, i.e. their verification and the evaluation of their effectiveness, can be based on algorithmic logic. Our third aim is to expose the possible applications of algorithmic logic in the description of structures and systems, especially those appearing in computer science.
Finally, we wish to stress the strong connections between the formal methods described in this book and the methodologies supported by modern programming languages. This phenomenon has two aspects, commercial and scientific. Scientific, since modern tools of programming inspire many problems. Commercial, since the formal methods of AL can be used in software engineering for creating industrial means of production of software.
We are aware that algorithmics, i.e. the creation of new, more efficient algorithms and the discovery of new data structures, differs from the study of rules of reasoning about algorithms. The book may be useful for those who wish to learn about formal, logical methods of computer science, but we cannot assure the reader that he will learn how to conduct research in computer science. The topics presented in this book belong to the mathematical foundations of computer science.
The main questions considered are: analysis of algorithms and the
analysis of the process of analysing algorithms. The formal counterparts
of these notions are the notions of proof of a semantical property
of a program and metamathematical properties of the system of algo­
rithmic logic. The formal tools developed by algorithmic logic have
many applications in specification of abstract data types, in verification
of algorithms and the implementation of data structures, and in de­
fining the semantics of programming languages.
This book can serve as a textbook for a course on the theory of pro­
grams or logic of programs or as a textbook of logic for computer scien­
tists. It does not assume any special mathematical background from
the reader, but skill in programming and experience with mathematical
reasoning are desirable.
The book can also serve as an auxiliary textbook for courses on
programming languages and on methods of programming. Indicating
the elements of the logic of programs may be helpful in courses for
beginners.
This book arose from lectures that both authors have given on algorithmic logic at the University of Warsaw, Christian-Albrechts-Universität in Kiel, Université Paris 6 and IAC Roma.
During a one-semester course we skip Chapters V, VI and the final parts of Chapters III and IV. For a two-semester course it is advisable
to add material on the logic of recursive procedures. An introductory
course of computer science or a course on methods of programming
can use the material contained in Chapters II (methods of verification)
and IV (specification of data structures and related topics). In these
lectures we stress the relationship between ideas of hierarchical and
modular programming and the ideas contained in the book.
The defects of this book are caused by the authors. One such defect is the omission of recursion and procedures. The authors have presented elsewhere the results concerning the algorithmic logic of programs with block structures and recursive procedures, and also their own approach toward the semantics of functional procedures. We do not include these results here since, so far, they have found little application in the practice of verification. We hope that future research will bring an answer to our doubts.
We are sure that new branches of algorithmic logic will appear in connection with new methods and tools of programming, especially a logic of concurrent programs. One can foresee a broader, commercial application of AL in the specification of data types and their implementation, leading toward the production of software modules in programming languages which allow extension of modules by their concatenation.
We would like to express our gratitude to Dr L. Banachowski and Prof. Z. Pawlak for their critical remarks, which helped us to improve several parts of the manuscript. We have also profited from the comments of many colleagues and students; we thank all of them.
The book would never have appeared without the sympathetic help and patience of the Polish publishers. We thank Mrs K. Regulska and others for their help in the preparation of the manuscript and Mr J. Roguski for his help in proof-reading.
CHAPTER I

INTRODUCTION

1. THE MOTIVATIONS

The design and application of algorithms must be accompanied by analysis and verification. We shall try to answer a few questions which can arise in connection with this claim.
(i) Why is analysis needed? When should one start this analysis?
(ii) What does the word "algorithm" mean? How do we conceive the process of programming?
(iii) What kind of analysis should we ask for?
Let us begin with a few remarks. The last years have brought an enormous increase not only in the number of algorithms designed, but also in the magnitude of the computational processes determined by those algorithms, in the speed of application (the time which elapses between the construction of a new program and its application is now very short; compare this with nineteenth-century science and technology) and in mass production (an algorithm can be copied and used many times in various circumstances). This means that the cost of an error can be enormous; its practical consequences might be disastrous. Hence analysis and verification ought to be included in the process of programming from the very beginning.
Algorithms have long been in use in mathematics and technology. However, for most of that time the meaning of the term has been imprecise. It was assumed that the notion of "algorithm" and the notion of "function" (also not defined precisely) were identical. In the nineteenth century the difference between these two notions was recognized. In mathematical research, the way indicated by Frege, Cantor (cf. Fraenkel, 1958), and others led to many beautiful and important results and theories. Nevertheless, the notions of algorithm and of computability were overlooked. They became the centre of attention in metamathematics around 1930, in connection with the works of Hilbert, Gödel, Church, Turing, Kleene, Markov, Herbrand, Post, and others (cf. Machtey, 1978). It was necessary to have a definition of an effectively computable function in order to answer questions like "is there an algorithm for solving a given problem?". A negative answer needed a formal definition of the notion of an algorithm. As a result, many equivalent definitions of an algorithm appeared, e.g., Markov's normal algorithms (Markov, 1954), μ-recursive functions, and recursive functions. In connection with this, Church formulated an important conjecture, namely that all formalized definitions of the notion of an algorithm coincide. Mathematical logic has been oriented towards negative results, proving that there is no algorithm for solving a given problem. In computer science, however, we have a positive program of research, not only a negative one. In this book we present various definitions of the notion of an algorithm, and we shall study the consequences of the differences between them.
As a practical example, consider the following well-known procedure, known as Euclid's algorithm.

Example. Finding the greatest common divisor of two integers involves the following computational process:
1. Divide a1 by a2, find the remainder a3 and check whether it is zero or not; if a3 = 0 then the process terminates and a2 is the greatest common divisor of a1 and a2; if a3 ≠ 0 then
2. divide a2 by a3, find the remainder a4; if a4 = 0 then the process terminates and a3 is the result; if a4 ≠ 0 then
3. divide a3 by a4, etc.
The process will terminate after at most a2 steps (why?).
The algorithm itself reads as follows:
while the remainder of the division of x by y is not equal to zero repeat
    let r be the remainder;
    put y as new x;
    put r as new y;
otherwise (i.e., if the remainder is equal to zero)
    y is the greatest common divisor.
Observe that the same algorithm can also be used to find the maximal common length of two segments, or the greatest common divisor of two polynomials. What is needed is only a new understanding of the words "divide", "find the remainder" and "compare with zero".
A study of this simple algorithm leads us to the following conclusions:
(i) The notion of an algorithm is of a syntactical nature.
(ii) An algorithm must be interpreted in order to determine a computing process.
(iii) Interpretation of an algorithm consists in assigning meanings to operators (the meaning of an operator is an operation in the corresponding set), and in assigning initial data.
(iv) Once we have fixed the meanings of operators, we can apply the algorithm to many initial data sets.
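The following Python program is an added example, not code from the book. It keeps the while-program above as a single piece of program text and supplies the meanings of "find the remainder" and "compare with zero" separately, once for the integers and once for polynomials over GF(2) (encoded as Python ints, bit i being the coefficient of x^i; this is the arithmetic a CRC checksum computes). The names euclid, gcd_int, gcd_gf2 and gf2_remainder are this example's own. It assumes, as the description above does when it first divides by a2, that the second argument is not zero, and it counts loop iterations so that the bound "at most a2 steps" can be checked exhaustively on small inputs.

```python
"""Euclid's algorithm as a program schema run under two interpretations.

Added example, not from the book.  The loop body is the while-program
from the text; `remainder` and `is_zero` are the operator meanings
supplied by an interpretation (a data structure in the book's sense).
"""
from typing import Callable, Tuple, TypeVar

T = TypeVar("T")


def euclid(x: T, y: T, remainder: Callable[[T, T], T],
           is_zero: Callable[[T], bool]) -> Tuple[T, int]:
    """Return (gcd, number of loop iterations).

    Precondition (assumed, as in the book's description): y is not zero,
    because the first step divides by it.
    """
    if is_zero(y):
        raise ValueError("precondition violated: second argument is zero")
    steps = 0
    # while the remainder of the division of x by y is not equal to zero repeat
    while not is_zero(remainder(x, y)):
        r = remainder(x, y)   # let r be the remainder
        x = y                 # put y as new x
        y = r                 # put r as new y
        steps += 1
    # otherwise (the remainder is zero): y is the greatest common divisor
    return y, steps


# Interpretation 1: the integers with ordinary division with remainder.
def int_remainder(a: int, b: int) -> int:
    return a % b


def int_is_zero(a: int) -> bool:
    return a == 0


# Interpretation 2: polynomials over GF(2), encoded as Python ints
# (bit i is the coefficient of x**i).  Addition is XOR; division with
# remainder is repeated subtraction (XOR) of shifted copies of the divisor.
def gf2_degree(p: int) -> int:
    return p.bit_length() - 1        # the zero polynomial gets degree -1 here


def gf2_remainder(a: int, b: int) -> int:
    if b == 0:
        raise ZeroDivisionError("division by the zero polynomial")
    db = gf2_degree(b)
    while a != 0 and gf2_degree(a) >= db:
        a ^= b << (gf2_degree(a) - db)
    return a


def gf2_is_zero(a: int) -> bool:
    return a == 0


def gcd_int(a: int, b: int) -> Tuple[int, int]:
    return euclid(a, b, int_remainder, int_is_zero)


def gcd_gf2(a: int, b: int) -> Tuple[int, int]:
    return euclid(a, b, gf2_remainder, gf2_is_zero)


def steps_bounded_by_second_argument(limit: int) -> bool:
    """Check the claim that the process ends after at most a2 steps,
    exhaustively for all 1 <= a2 <= limit and 1 <= a1 <= 4 * limit."""
    return all(gcd_int(a1, a2)[1] <= a2
               for a2 in range(1, limit + 1)
               for a1 in range(1, 4 * limit + 1))


if __name__ == "__main__":
    print(gcd_int(1071, 462))            # (21, 2)
    # x^3 + 1 = 0b1001 and x^2 + 1 = 0b101 over GF(2); the gcd is x + 1 = 0b11
    print(gcd_gf2(0b1001, 0b101))        # (3, 1)
    print(steps_bounded_by_second_argument(60))   # True
```

Only the two operator definitions differ between the integer and the polynomial run; the program text is untouched, which is exactly conclusion (i) above. The zero check on the second argument is the practitioner's caveat: the book's informal description never states it, but without it the first "divide" has no meaning in either interpretation.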
Let us compare these remarks with the abstract definition of an algorithm proposed by Kolmogorov, Uspenski and Malcev (cf. Malcev, 1965). An algorithm should have the following features:
(i) The algorithm and the initial state determine (or accept) a sequence
of states. A state is a finite object. For every state of the algorithm
a finite set of possible next states is determined.
(ii) The relation of direct successorship of states is verifiable
in finite time.
(iii) If there is no next state, then the total result should be indicated.
(iv) The initial state can be chosen from a potentially infinite set.
Every algorithm should be verified before its eventual application.
There is no doubt about this. But we must first clarify which properties
of the algorithm are to be verified, and which methods assure the appro­
priateness of an eventual answer.
Let us observe that before an algorithm is constructed the following
question must be considered: “Does an algorithmic solution of the
problem in question exist?”. The history of science, especially of mathe­
matics, provides many cases where a negative answer has been found.
Often, attempts to solve a problem have yielded many elegant results
before the final answer was reached “no, there exists no algorithm for
doubling a cube, for trisecting an angle, for squaring a circle, for solv­
ing the word problem in semigroups, for deciding whether a given
formula is a tautology of the predicate calculus”, etc.
Much time has been wasted in attempts to construct systems for the verification of software, optimization of programs, and so on. Research of this kind will not be fruitless if one starts with an awareness of the unsolvability of the problems in question. The systems arrived at can be of only limited use, or, possibly, they might work in an interactive manner, indicating trouble spots to those who operate them.
Hence the first type of semantic questions met in algorithmics (the name sometimes used for the field of design and analysis of algorithms) can be called computability problems. These include, for example, questions like: "Is a given function or relation computable?" More precisely, suppose we are given an algebraic system 𝔄, also called a data structure. (The system consists of a set called the universe, together with certain operations and relations.) Does there exist an algorithm to compute a function f in 𝔄?
This and similar problems can be treated if one defines the meaning
of the notion of algorithm.
Suppose we are given an algorithm and a requirement, also called
a specification. The second group of semantic questions can be called
correctness problems. Here one can find questions such as: “Is an algo­
rithm correct with respect to a specification?” “Does the algorithm
in question terminate?” “Is an algorithm a proper implementation
of the system required?”
The third important class of semantic questions, optimality prob­
lems, contains questions like: “Is a given algorithm the best solution
of a problem?” “Does an optimal algorithm exist?” (From the abstract
theory of computational complexity we have learned that there exist
problems such that every algorithm solving one of those problems
can be replaced by a better algorithm which has asymptotically lower
computational complexity.)
The necessity of solving the above-mentioned problems in practice
makes it clear that we need to find a general mathematical theory of pro­
grams. One possible way to approach this problem is to present a theory
of programs as a logical formalized system: algorithmic logic is one
of the first attempts in this direction.
The status of computer science as a deductive or an empirical science
is of secondary importance. In any case, it seems obvious to us that
research in computer science and the development of its applications
necessarily require a proper deductive system. To reason about algorithms we need appropriate inference rules which describe the semantics of programming constructs. This need has been explained in many publications (cf. Dijkstra, 1976; Scott, 1970). The research program of algorithmic logic takes into consideration the demand for the construction of a deductive system suitable for algorithmics. This program contains many questions already known from metamathematics. Are these questions important in computer science? Professor A. Mostowski wrote "many mathematicians do successful research in mathematics without knowledge of mathematical logic; mathematical logic is not necessary for them" (cf. Mostowski, 1948). It is true, however, that mathematics had developed its logical tools long before metamathematical studies were initiated. For computer science the situation is radically different. It has had no time to elaborate its tools. Theories concerning the semantics of programming languages, and various logics of programs, have been developed almost simultaneously with new algorithms, under the pressure of quickly growing demands. These theories have found many applications in the practice of designing new programming languages. Nevertheless, we must warn the reader that algorithmic logic is not a magic wand for solving the problems of computer science. It can help, however, in understanding them.

2. AN INFORMAL INTRODUCTION TO FORMALIZED LANGUAGES

There is no such thing as "The programming language", the best and the unique one. This will be obvious to the reader, who must have encountered a few languages in practice and have heard about dozens of others. Can we even hope that there is one general pattern in this rich variety of programming languages? After a short examination we find that the answer is "no". But we should still like to find a classification and, later, some tools facilitating the work of programmers, or some methodological hints on how to develop software.
After a little thought, one can propose a classification of languages built around the programming constructs allowed in a language. At the bottom of this classification we find deterministic, iterative languages. In this class, programs are built from certain atomic instructions by means of the program connectives of composition, branching, and iteration. Two languages of this class can differ in the sets of functional and/or relational signs appearing in their alphabets. Higher in our classification are those languages which admit procedures.
The process of enriching a language can be continued. At the top of our hierarchy we should place a language which allows most of the constructions known today. Hence, a language of the highest quality (remember that we are discussing only the richness of the programming constructs offered!) should contain co-routines and parallel processes, classes and methods for their extension, the ability to signal between modules, etc. We do not know a language which could be called functionally complete. The criterion for functional completeness of a programming language which we would like to propose is the following: a language should contain all the known essential tools for composing algorithms (from the program connectives to concurrent processes) and all the tools for defining data structures. (The LOGLAN programming language developed at the University of Warsaw seems to be a good approximation, cf. Bartol et al., 1983.)

Remark. It is believed that all possible ways of defining algorithms are known. The most recent discoveries are co-routines, exception handlers, and parallel processes. There is no consensus of opinion as to which are the basic tools for the definition of data types. Arrays and records are not satisfactory. The present authors believe that classes extendable by the prefixing mechanism form a complete set of tools for data types. Research in this direction is far from complete. □

We must emphasize here that the number of existing programming languages exceeds a thousand. Can one define general rules of computation, independent of the varying details of orthography?
There is some hope. First, we can remark that programming languages have a common feature. Their main goal is to make communication among programmers possible. But programs have also to be communicated to a computer (equipped with an appropriate translator), and hence must be written in a formal way. Accordingly, we can conceive every programming language as a formal language, defined by its alphabet and the set of well-formed expressions. Every programming language has an intersubjective, mechanical way of deciding whether an expression is in the language or not.
Let us analyse alphabets. An alphabet is simply a set of signs. One can distinguish various subsets in it:
(i) signs of program connectives and constructions, for example while ... do ... od (sign of iteration), procedure ... and call ... (signs of procedure declaration and procedure instruction),
(ii) logical signs, e.g., ~ for negation, ∧ for conjunction, ∨ for disjunction,
(iii) functional and relational signs,
(iv) variables,
(v) auxiliary signs, e.g., brackets.
These symbols have different roles. Variables and functional symbols allow us to construct arithmetical expressions. For example, if x, y, z are variables and +, · are two-argument signs of operations, then
x·y + z
is an arithmetical expression.
In a formal approach we treat such expressions as patterns or definitions of new functions, whose values can be computed whenever we know the values of the variables x, y, z and the meanings of the functional symbols. Such expressions will be called terms.
In a similar way we can create Boolean expressions. They assume the logical values true or false, and they usually play the role of tests in programming languages. If x·y and x+y are terms and < is a sign of a two-argument relation, then
(x·y) < (x+y)
is a Boolean expression, which may or may not be valid depending on the values of the variables and on the meaning of the symbols +, ·, <. For example, if x, y are subsets of a set A, +, · are the set-theoretical sum and intersection respectively, and < is interpreted as inclusion, then the value of the above Boolean expression is true. However, it is not so if < is interpreted as equality. (The problem of interpretation will be discussed with greater precision in the next section.)
Thus a Boolean expression can be treated as the definition scheme of a relation, which becomes a relation when one fixes the interpretation of the functional and relational symbols, and the interpretation of the variables.
Using logical operators such as the signs of conjunction, negation and disjunction we can construct more complicated Boolean expressions. We shall call these formulas.
The formalization of a programming language still requires a precise
description of the notion of a program. In the sequel we shall consider
various classes of programs. We shall analyse and compare programming
languages with respect to the repertoire of the programming constructs
they offer.
A rough classification of programming concepts allows us to
distinguish the following classes of programs:
(i) the class of deterministic iterative programs,
(ii) the class of non-deterministic iterative programs,
(iii) the class of programs with recursive, non-functional procedures
and blocks,
(iv) the class of programs with recursive, functional procedures,
(v) the class of programs which permit declaration of new types,
(vi) the class of parallel programs,
(vii) the class of schemes of programs.
In this book we shall consider only some of these classes. Moreover,
we shall not discuss recursively enumerable programs, Friedman’s
schemes, or random assignments, which in the authors’ opinion are
mathematical abstractions having little in common with the programming
practice. The reader is advised to study these concepts in the
literature (Tiuryn, 1981c; Harel, 1978c).
In most existing programming languages a program is considered
to be a sequence of instructions. The set of instructions consists of
atomic actions, and some tools for composing them.
We shall look more closely at the structure of deterministic iterative
programs. We shall explain the constructions by means of graphs,
usually called flow-diagrams. Each flow-diagram has one entry and
one exit.
We shall start with the simplest instruction, the assignment statement.
If x is a variable and t is a term, then the graph shown in Figure 2.1
is a flow-diagram of the assignment instruction.

Fig. 2.1
If we are given the diagrams of two programs P1 and P2
Fig. 2.2
(Figure 2.2), then we can compose them by putting one after the other.
The flow-diagram of the composed program is described in Figure 2.3.
It is obtained by identifying the exit of P1 with the entry of P2.
Fig. 2.3

Given two programs P1 and P2 and a formula γ, we can produce
very useful constructions called branching (or conditional instruction)
and iteration, as shown in Figure 2.4.
Fig. 2.4

It is easy to see that the set of programs defined in this way forms
an algebra, which is generated from assignments by means of the operations
of composition, branching, and iteration. We shall call programs
of this class structural or modular ones.
To recapitulate, we have seen that the set of well-formed expressions
of a programming language can be split into three subsets: the set of terms
(arithmetical expressions), the set of formulas (Boolean expressions),
and the set of programs. These expressions have no meaning in themselves.
They can be considered as patterns which allow us to compute
different functions or relations, depending on the interpretation.
In order to illustrate the main assertion of this section, namely that
programs by themselves have no meaning, we present a few examples. We
use a Pascal-like orthography, in the hope that this will be understandable
to the reader.
Example 2.1. Consider the following program K (Kleene’s algorithm)
(cf. Aho, 1974):
K: begin
  for i := 1 to n do C^0_ii := ε ∪ l(i, i) od;
  for 1 ≤ i, j ≤ n and i ≠ j do C^0_ij := l(i, j) od;
  for k := 1 to n do
    for 1 ≤ i, j ≤ n do
      C^k_ij := C^{k-1}_ij ∪ C^{k-1}_ik · (C^{k-1}_kk)* · C^{k-1}_kj od
  od;
  for 1 ≤ i, j ≤ n do c(i, j) := C^n_ij od
end.
It is well known that there exist at least three interpretations of the
above program, and each implies a different meaning.
(i) Let us interpret the program in the structure
<A, ∪, ·, *, ε>
where
A, the universe of the structure, is the family of all subsets of the
set of finite words over an alphabet A0,
∪ is set-theoretical union,
· is the operation of concatenation of languages,
* is the star-operation on languages (i.e., for X ∈ A, X* = ε ∪ X ∪
X·X ∪ X·X·X ∪ ...),
ε is a one-element set which contains the empty word over A0.
Let l(i, j) be a one-element set which consists of a symbol from the
set A0, produced while some automaton 𝔄 changes the state from i to j.
Then the program K computes regular events. The meaning of the element
c(i, j) is the set of all words which lead from state i to state j in
the automaton 𝔄.
(ii) Let us interpret program K in the two-element Boolean algebra
B0 = <{0, 1}, ∪, ∩, *, 0>
where
∪, the disjunction, is an interpretation of ∪,
∩, the conjunction, is an interpretation of ·,
* is such that for every x ∈ B0, x* = 1,
0 is the interpretation of ε.
Let us assume that for a given graph G
l(i, j) = 1 iff edge (i, j) is in G, and l(i, j) = 0 otherwise.
Then the results of program K are:
c(i, j) = 1 iff (i, j) belongs to the transitive closure
of G, i.e., if there exists a path from i to j.
(iii) Consider the data structure
C = <R+, min, +, *, 0>
where
R+ is the set of non-negative real numbers extended by the maximal
element +∞,
min, the minimum operation, is the interpretation of ∪,
+ is the arithmetical sum and the interpretation of ·,
* is a one-argument operation such that n* = 0 for all possible
n ∈ R+,
0 is a constant zero, the interpretation of ε.
Let l(i, j) be the cost of traversing the edge (i, j) in the given graph G
and assume l(i, j) = +∞ if there is no edge (i, j) in G. Then the results
computed by program K can be interpreted as follows: c(i, j)
is the cost of the shortest path in G from i to j.
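As an added example (not the book’s own code), here is program K of Example 2.1 written once, uninterpreted, in Python and then read in each of the three structures (i)–(iii). Assumptions of this example: in structure (i) sets of words are represented by regular expressions (None standing for the empty set, "" for ε), and the 3-state automaton and its edge costs are constructed.

```python
# Added example: Kleene's algorithm K of Example 2.1 as one uninterpreted program,
# executed in the three data structures (i)-(iii) of the example.
import re
from dataclasses import dataclass
from typing import Any, Callable, Dict, Optional, Tuple

INF = float("inf")
Label = Callable[[int, int], Any]      # l(i, j): the label of edge (i, j)
Table = Dict[Tuple[int, int], Any]     # the results c(i, j) of K


@dataclass(frozen=True)
class Structure:
    """A data structure <A, union, concat, star, eps> giving meaning to the symbols of K."""
    union: Callable[[Any, Any], Any]   # interpretation of  u
    concat: Callable[[Any, Any], Any]  # interpretation of  .
    star: Callable[[Any], Any]         # interpretation of  *
    eps: Any                           # interpretation of  epsilon


def kleene(n: int, l: Label, s: Structure) -> Table:
    """The text of program K, read in structure s; states/vertices are 1..n."""
    C: Table = {}
    for i in range(1, n + 1):
        C[i, i] = s.union(s.eps, l(i, i))              # C^0_ii := eps u l(i,i)
    for i in range(1, n + 1):
        for j in range(1, n + 1):
            if i != j:
                C[i, j] = l(i, j)                       # C^0_ij := l(i,j)
    for k in range(1, n + 1):
        prev = dict(C)                                  # the matrix C^{k-1}
        for i in range(1, n + 1):
            for j in range(1, n + 1):
                # C^k_ij := C^{k-1}_ij u C^{k-1}_ik . (C^{k-1}_kk)* . C^{k-1}_kj
                via_k = s.concat(prev[i, k], s.concat(s.star(prev[k, k]), prev[k, j]))
                C[i, j] = s.union(prev[i, j], via_k)
    return C                                            # c(i,j) := C^n_ij


# (i) Sets of words, represented syntactically by regular expressions (assumption of this
#     example): None stands for the empty set, "" for {empty word}, i.e. the constant epsilon.
def re_union(x: Optional[str], y: Optional[str]) -> Optional[str]:
    if x is None or x == y:
        return y
    if y is None:
        return x
    return f"(?:{x}|{y})"

def re_concat(x: Optional[str], y: Optional[str]) -> Optional[str]:
    return None if x is None or y is None else x + y    # X . {} = {} . X = {}

def re_star(x: Optional[str]) -> str:
    return "" if x in (None, "") else f"(?:{x})*"       # {}* = {""}* = {""}

REGULAR = Structure(re_union, re_concat, re_star, "")

# (ii) The two-element Boolean algebra B0: u is disjunction, . is conjunction, x* = 1, eps = 0.
BOOLEAN = Structure(max, min, lambda x: 1, 0)

# (iii) Non-negative reals with +inf: u is min, . is +, n* = 0, eps = 0.
MIN_PLUS = Structure(min, lambda x, y: x + y, lambda x: 0.0, 0.0)


def leads(words: Table, i: int, j: int, w: str) -> bool:
    """Does the word w lead from state i to state j, according to the regular result c(i, j)?"""
    return words[i, j] is not None and re.fullmatch(words[i, j], w) is not None


def run_example() -> Tuple[Table, Table, Table]:
    """Constructed sample: a 3-state automaton / weighted graph (not taken from the book)."""
    labels = {(1, 2): "a", (2, 2): "b", (2, 3): "c", (1, 3): "d"}
    costs = {(1, 2): 4.0, (2, 2): 1.0, (2, 3): 5.0, (1, 3): 10.0}
    words = kleene(3, lambda i, j: labels.get((i, j)), REGULAR)       # regular events
    reach = kleene(3, lambda i, j: int((i, j) in labels), BOOLEAN)    # transitive closure
    cost = kleene(3, lambda i, j: costs.get((i, j), INF), MIN_PLUS)   # shortest paths
    return words, reach, cost


if __name__ == "__main__":
    words, reach, cost = run_example()
    print("c(1,3) as a regular expression:", words[1, 3])   # the words a b* c and d
    print("c(1,3) in B0:", reach[1, 3], " c(3,1) in B0:", reach[3, 1])
    print("c(1,3) in <R+, min, +>:", cost[1, 3])           # 9.0 = 4 + 5, below the direct edge 10
```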

3. ASSIGNING MEANINGS TO PROGRAMS

We have seen in the previous section that one program may have many
interpretations. The process of interpretation (i.e., semantics) is defined
independently of the syntactical rules. Syntax decides which expressions
are well-formed ones; it does not determine the meaning of an expression.
It is generally agreed that in order to define an interpretation of a
programming language we have to fix the meaning of all symbols of the
language. First, we ought to decide which elements will appear as the
values of variables and, second, we ought to associate with every functional
symbol the corresponding function (or partial function) and
with every relational symbol the corresponding relation. In this way
we can determine a relational system, also called a data structure.
A given data structure determines a mapping which with any expression
of the language associates its meaning. This method of defining
semantics can be attributed to the work of Tarski and of Mostowski
(cf. Rasiowa, 1970).
For example, in the data structure of real numbers we can associate
with the term (x + y + z)/3 the three-argument function of the arithmetical
mean, where + is interpreted as addition and / as division.
Similarly, in the same data structure the formula (x² > y² ⇒ x > y)
can be conceived as a two-argument function which associates with
every pair (x, y) of real numbers the logical value true when |x| ≤ |y|
or x > y and false otherwise.
In this book we shall assume that every formula has a defined value
which is true or false; in other words, we shall work with a two-element
Boolean algebra.
At this point let us observe that there are other possible concepts;
for example, a multivalued logic can also be accepted as the semantic
base of the logical part of a language. There are also systems which
admit a third logical value (cf. MacCarthy, 1963), and systems which
regard a Post algebra as an algebra of logical values (cf. Rasiowa, 1975c;
Perkowska, 1972). Such systems will not be discussed in this book.
To complete our description of the interpretation of a programming
language, it remains to assign meaning to programs. There is no unanimous
opinion on how to understand particular constructions. Users
and researchers are free to make their own choice.
However, there is almost common agreement in associating with
every program a binary relation. Every program can be regarded as
a mapping which transforms an initial memory state, i.e., data, into
a final memory state, i.e., results. The connection between the input
and the output states is called the input-output relation determined
by the program and by the assumed data structure.
Now we must tackle the problem of how to define the input-output
relation. The first approach is based on the modular structure of programs.
We can define the meaning of a program step by step, putting
together interpretations of simple instructions. For example the
input-output relation associated with the program
begin K1; K2 end
is a composition of the input-output relation associated with K1 and
the input-output relation associated with K2.
This method of assigning meaning to programs is called operational
semantics.
A deeper insight into the method allows us to observe the process
by which the initial state of memory is transformed into the result.
This process is called computation. Usually we define the computation
of a program in a given data structure as a sequence of configurations,
each of which describes a valuation of variables, i.e., a memory state,
and a list of instructions to be executed. Two consecutive configurations
in this sequence ought to be in the relation of direct successorship.
This notion of computation is not the only possible one. Another
definition is related to the notion of proof. One can ask whether there
exists a proof that the results of a program K applied to data v are
equal to w. This idea, originating in the papers of Herbrand and Gödel
(cf. Hermes, 1965), continues to be used in the notion of formal
computation and in the PROLOG programming language.
Consider the following example. The language admits two functors:
a zero-argument constant 0 and a one-argument functor s. The interpretation
of the functors will be standard in the set of natural numbers.
We shall introduce two new functors by means of the equations
f(x, 0) = x,    f(x, s(y)) = s(f(x, y)),
g(x, 0) = 0,    g(x, s(y)) = f(g(x, y), x).
Figure 3.1 shows a diagram which can be interpreted as a proof
that g(s(0), s(0)) is equal to s(0).

Remark. This may seem an odd way to find that 1·1 = 1. The literature
concerning PROLOG and other non-imperative languages, and
also the discussion about the ‘fifth generation’ of computers, show
that there are many computer scientists who are convinced of the future
applicability of such a style of programming. □
Fig. 3.1. Proof tree (diagram not reproduced) built from the equations
f(x, 0) = x, f(x, s(y)) = s(f(x, y)), g(x, 0) = 0, g(x, s(y)) = f(g(x, y), x)
and their instances f(0, 0) = 0, f(0, s(0)) = s(f(0, 0)), f(0, s(0)) = s(0),
g(s(0), 0) = 0, g(s(0), s(0)) = f(g(s(0), 0), s(0)), g(s(0), s(0)) = f(0, s(0)),
g(s(0), s(0)) = s(0).

Another look at the example can lead to the following observations.
A proof-like computation is composed of subcomputations by the
rules of computing, which resemble the rules of inference. In our example
the rules used were simply

      τ(x) = η(x)
  --------------------    rule of substitution,
    τ(x/w) = η(x/w)

  τ(τ1) = η,  τ1 = τ2
  --------------------    rule of replacement,
     τ(τ1/τ2) = η

where τ, η, τ1, τ2 are terms, τ(τ1) means that τ1 is a subexpression
of τ, and τ(τ1/τ2) is the result of replacing one or more occurrences
of τ1 in τ by τ2.
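As an added example (not from the book), the formal computation just described rendered in Python: the equations defining f and g are applied as rewrite rules and every equation instance used is recorded, which yields the proof of g(s(0), s(0)) = s(0) that Fig. 3.1 depicts. Computing the arguments of a term before applying an equation at its root is an assumption of this example, and the helpers num and value are added for convenience.

```python
# Added example: proof-like computation with the functors 0, s and the equations
#   f(x, 0) = x,  f(x, s(y)) = s(f(x, y)),  g(x, 0) = 0,  g(x, s(y)) = f(g(x, y), x).
from typing import List, Tuple

Term = Tuple            # a term is a tuple: ("0",), ("s", t), ("f", t1, t2) or ("g", t1, t2)
ZERO: Term = ("0",)

def s(t: Term) -> Term: return ("s", t)
def f(x: Term, y: Term) -> Term: return ("f", x, y)
def g(x: Term, y: Term) -> Term: return ("g", x, y)

def num(n: int) -> Term:
    """The numeral s(s(...s(0)...)) with n applications of s (helper added here)."""
    t = ZERO
    for _ in range(n):
        t = s(t)
    return t

def show(t: Term) -> str:
    return "0" if t == ZERO else f"{t[0]}({', '.join(show(a) for a in t[1:])})"

def value(t: Term) -> int:
    """Read a numeral back as a natural number (helper added here)."""
    n = 0
    while t != ZERO:
        assert t[0] == "s", f"{show(t)} is not a numeral"
        t, n = t[1], n + 1
    return n

def apply_equation(t: Term) -> Term:
    """Right side of the defining equation whose left side matches t (t = f(.., numeral) or g(.., numeral))."""
    op, x, y = t
    if op == "f":
        return x if y == ZERO else s(f(x, y[1]))        # f(x, 0) = x ;  f(x, s(y)) = s(f(x, y))
    if op == "g":
        return ZERO if y == ZERO else f(g(x, y[1]), x)  # g(x, 0) = 0 ;  g(x, s(y)) = f(g(x, y), x)
    raise ValueError(f"no equation has {show(t)} as its left side")

def compute(t: Term, proof: List[str]) -> Term:
    """Formal computation of t. The arguments are computed first and their results put in
    place (rule of replacement); then an instance of a defining equation is applied at the
    root (rule of substitution). Every equation derived on the way is appended to proof."""
    if t[0] in ("0", "s"):
        return t if t == ZERO else s(compute(t[1], proof))
    redex = (t[0], *[compute(a, proof) for a in t[1:]])
    if redex != t:
        proof.append(f"{show(t)} = {show(redex)}")        # replacement of computed arguments
    right = apply_equation(redex)
    proof.append(f"{show(redex)} = {show(right)}")        # instance of a defining equation
    result = compute(right, proof)
    if result != right:
        proof.append(f"{show(redex)} = {show(result)}")   # chaining the two equations above
    return result

def prove(t: Term) -> Tuple[Term, List[str]]:
    """Return the value of t together with the list of equations that constitute its proof."""
    proof: List[str] = []
    return compute(t, proof), proof

if __name__ == "__main__":
    result, proof = prove(g(s(ZERO), s(ZERO)))
    for line in proof:
        print(line)
    print("value:", show(result))     # s(0), i.e. 1 * 1 = 1
```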
The method of defining the meaning of a program by means of the
notion of computation is very useful for the class of deterministic
and the class of non-deterministic iterative programs. It is not obvious
whether this method can be used to define the semantics of more de­
veloped programs, e.g. programs with recursion or objects of types
declared in a program.
For this reason another method has been suggested by Scott and
Strachey (1971). Their proposal is to treat a program as an implicit
definition of an input-output mapping between states. The mapping
(i.e., semantics) is the least solution of a system of functional equations
which can be associated with every program. The elegance and simplicity
of this method, which is called denotational semantics, have attracted
many researchers. Programmers may comment that, although this
method identifies the meaning as a mathematical object, applying it
to verify properties of programs is not always possible.
The third method of defining semantics, the axiomatic semantics,
is similar to denotational semantics. A semantics is axiomatically defined
whenever a set of axioms and inference rules is given such that every
true semantic property of a program can be proved in the system.
Obviously, we require that the system should be consistent. Denotational
semantics can be placed half way towards axiomatic semantics.
One can regard implicit equations as axioms. There are no syntactic
rules of inference; instead, the method offers a powerful semantic
tool—the least fixed point of the system of equations is proposed as
a solution.
For us, operational semantics based on the notion of computation
seems the most natural. Axiomatic semantics or mathematical identification
of meaning are secondary for a programmer who deals with
computations in his everyday practice. The programmers’ intuitions are
formed by computations. We realize that for the designer or implementer
of a programming language, denotational and axiomatic semantics
may be very attractive. However, even the designer of a language
should not overlook questions of effectiveness of implementation
connected with the operational semantics.
Practice allows us to make experiments and to develop our intuitions
about a computational process. However, this is not enough. What
we need is the possibility of formulating a specification before the
software is designed, and verifying the correctness of software with
respect to this specification. Let us quote here the well-known assertion
that computational experiments can help us to find a bug in our program,
but no experiment can prove correctness of the program with
respect to a potentially infinite set of initial data. The verification should
be made before applying the program to the data. This is the proper
place for axiomatic semantics. It offers axioms and inference rules
which can be used in the process of verification of the properties of
a program. It is written in a language of logical formulas, and the same
language can be used for specifications. The language of axiomatization
differs from the language of programs. It is unlikely that the first-order
predicate calculus could serve as a logical basis for the axiomatization
of semantics. We shall explain this in the next section.

4. SEMANTIC PROPERTIES OF PROGRAMS

Having chosen a definition of the notion of computation, one can observe
various semantic phenomena. Their nature differs, according
to the definition of computation. In the case of formal computations,
the crucial problem is whether a computation exists. In the case of
computations which are sequences of states, the most important question
is whether a computation is finite or infinite. If a computation is understood
as an algebraic process of composing the meanings of subexpressions
to obtain the meaning of the whole expression, the question
would be: “Does the process give a result?”
Let us survey the properties of programs which will be discussed
in this book. For the case of computations defined as sequences of
configurations the relevant properties of deterministic iterative programs
are termination, correctness and equivalence.
Termination. Does the program in question have finite computations?
Are all computations of the program finite? If they are not, then what
is the sufficient and necessary condition for the finiteness of the
computations?

Example 4.1. In some interpretations Euclid’s algorithm always
terminates, e.g., in the structure of rational numbers. For the ancient
Greeks the discovery that the algorithm does not necessarily terminate
if interpreted in the structure of segments of planar geometry was
a shock. □

The problem of termination can be stated in various circumstances.
The question whether a given program M terminates in any interpretation
and for any data differs from the question whether the same program
M will terminate in a data structure 𝔄.
Correctness. Does the program compute the results which were expected
from it? Our requirements (specification) can be given as a pair of
conditions, an input condition (precondition) for the data and an
output condition for the results (postcondition).

Example 4.2. Suppose that the specification is:
(precondition) a and b are two positive integers,
(postcondition) the result is the greatest common divisor of a and b.
Suppose the program considered is Euclid’s algorithm. One should
be convinced a priori—before possible computation—that the final
value of the computation is the greatest common divisor of a
and b. □

In order to prove correctness one uses:
(i) the structure of the specification and of the program,
(ii) certain properties of the data structure, i.e., of interpretation.

Equivalence. Do two programs M and K compute the same results?
This question is connected with the classification of programs as ‘better’
and ‘worse’. Two programs are equivalent if for equal data either
both do not terminate (= diverge) or both terminate and give results
satisfying the same postcondition. Hence, if one program is correct
with respect to the specification (α, β) the other is also correct with
respect to (α, β). In this case one can begin an analysis of costs of the
two algorithms in order to find the better program.

When the programming language considered is more developed
and admits classes and deallocation of objects (cf. LOGLAN), one
should ensure the property that no computation will lead to a situation
in which reference is made to a non-existent object.
This survey of various semantic properties can be continued. In the
sequel we shall study several of the already mentioned properties, and
introduce many others.
As regards prooflike computations, the main question is not the
termination of a computation. By definition all formal computations
are finite. The main problem is whether a computation exists. Another
kind of problem is the reasons for the non-existence of a prooflike
computation. It may be caused by an inconsistency in the system of
procedures (axioms), e.g.,
f(x) = f(x) + 1,
or, by circular definitions, e.g.,
g(x) = g(x).
It is worthwhile to distinguish the two cases; in the second case the
functional equation can be solved by an arbitrary choice of the function g,
whereas the first case is a hopeless one—there is no function f which
will satisfy such an inconsistent system of axioms.
We should like to end this section leaving the reader with the conviction
that the variety of interesting and important semantic phenomena
is great and worth studying.

5. EXPRESSIVITY. AN INTRODUCTION TO THE LANGUAGE OF ALGORITHMIC LOGIC

Semantic properties of programs should be an object of study. We should
like to prove or disprove them, just as in mathematics we prove or
disprove various theorems.
Before we try to construct a system for reasoning about the semantic
properties of programs, we should find a way to express them as formulas
(logical or mathematical ones, according to the reader’s preference).
The natural candidate is a language of first-order logic. Can we
express properties like termination, correctness, etc., as formulas of the
first-order predicate calculus? After a closer examination we find that
we cannot. The termination property allows us to express many properties
known as non-expressible in the language of first-order logic.
As one of many possible examples, let us mention the property
of a number being a natural number.
There is no formula of first-order logic defining natural numbers;
on the other hand, the property
the program
begin y := 0; while x ≠ y do y := y + 1 od end
terminates
holds iff the number x is a non-negative integer.
Consider the loop
while α(x) do x := f(x) od.
The termination property is equivalent to an infinite disjunction
α(x) or α(x/f(x)) or α(x/f(f(x))) or ...
This observation was first made by Engeler, 1967, who proposed the
use of L_{ω1ω} logic. The language of L_{ω1ω} allows any infinite disjunctions
and conjunctions. It can be observed that this language is too rich. For
example, there is an algorithm to construct the i-th component of the
infinite disjunction above.
Another possibility is the use of weak second-order logic, WSL.
The termination property of a program can be expressed as follows:
“there is a finite sequence of states such that...”. This expression is typical
of weak second-order logic. Again, WSL seems much richer
than is necessary for an analysis of programs.
One can certainly study the properties of programs in L_{ω1ω} or in WSL,
but we suggest considering a minimal extension of first-order logic
which will allow us to investigate the properties of programs, i.e.,
algorithmic logic.
The language of algorithmic logic will be the least extension of the
language of first-order logic such that expressions of the form
(program) (formula)
are also regarded as formulas.
The proposed meaning of the formula Kα, where K is a program
and α is a formula, would read “the formula Kα is satisfied in a data
structure 𝔄 at a valuation v iff the computation of the program K
which starts from the initial data v in the structure 𝔄 is finite and the
results satisfy the formula α”.
Let us look at a few of the semantic properties:
(i) a program K terminates iff the formula (K true) is valid,
(ii) a program K is correct with respect to a precondition α and
a postcondition β iff the formula (α ⇒ Kβ) is valid,
(iii) two programs K and M are equivalent with respect to a postcondition
α iff the formula (Kα ≡ Mα) is valid.
The cases of non-deterministic or concurrent programs require slight
modifications. A non-deterministic program can possess more than
one computation. It is then natural to split the question about results
into two different problems: “Do all results satisfy the required property?”
and “Is there a result which satisfies the property?”. Accordingly,
we assume in the algorithmic language the following two modal
constructions:
◇Kα with the meaning “it is possible that after a finite computation
of program K the property α holds”,
□Kα with the meaning “it is necessary that all computations of the
program K should be finite and all results should have the property α”.
The property of strong termination of a non-deterministic program
K can be expressed in such a language by the formula □K true. Various
notions of program correctness can be expressed by formulae like
(α ⇒ ◇Kβ), (α ∧ ~□K~β), (α ∧ ◇K true ⇒ Kβ). Now, the goal of
the verification of the properties of programs has a formal counterpart.
In order to verify that a non-deterministic program K meets the
conditions of a specification α, β, it is enough to prove, or disprove,
a corresponding formula, e.g. (α ⇒ ◇Kβ).
Communications like “the deterministic program K applied to the
data d gives the result r” can be verified by a repetition of the computing
experiment. However, one can also make the more general statements
“for every data satisfying a precondition α the program K will terminate”,
etc. The validity of such statements cannot be checked by experiment.
In order to prove or disprove such statements it is necessary
to use more general tools, such as inference rules or axioms.
Let us remark that, as in mathematics, it is not necessary to present
a complete formal proof with all the details. It is often more convincing
simply to present arguments that a proof exists. In this way we can
exchange communications about software and its properties, much
as chemists exchange communications about experiments and deductions
based upon them. The development of software can be treated
as a social scientific skill, with intersubjective methods of verifying
the communications about the properties of software.

6. ON APPLICATIONS

In this section we shall discuss the practical consequences of research
on algorithmic logic.
Algorithmic logic (AL) can be applied in the analysis of semantic
properties of programs. The completeness property of AL makes the
objective program sound. AL offers methods of verification of partial
and total correctness, and moreover it permits the analysis of on-going
processes. Even the estimation of the complexity of algorithms can
be formalized in AL. Let us observe that the formulas
(if β then K fi)^n ~β and (if β then K fi)^{n+1} ~β
assert that the number of iterations of the loop-statement
while β do K od
will not exceed the number n + 1.
The whole system of Floyd-Hoare logic is included in AL, and thus
all examples of the proofs in this system are in AL. Floyd-Hoare
logic (cf. Hoare, 1969) is not complete: not every valid semantic property
has a proof. Algorithmic logic supplements the missing parts
of axiomatization. There is an ω-rule in AL, i.e., a rule of inference
with infinitely many premises which is necessary for the completeness
of the system. However, we do not intend to present formal proofs
in all cases. In most examples it is enough to have reasonable arguments
for the validity of the assertion, i.e., it is enough to prove that the proof
exists.
There are numerous arguments showing that data structures can
be specified with the help of AL (cf. Chapter IV). What is the importance
of this? Not only do algorithmic formulas allow us to define data struc­
tures which are not axiomatizable in first-order logic, not only is the
axiomatization of these structures compact, but also—and this is much
more important—algorithmic axioms facilitate the task of proving
the correctness of many algorithms.

Example. Algorithmic specification (axiomatization) of the data
structure of natural numbers consists of three formulas:
s(x) ≠ 0,
s(x) = s(y) ⇒ x = y,
(y := 0; while x ≠ y do y := s(y) od) true.
One can prove the termination of a program, e.g.,
M: u := 0; z := x; while u ≠ y do u := s(u); z := s(z) od
by a natural transformation of the program appearing in the axiom.
Since we have assumed that this program terminates, and since the
program M can be obtained by transformations which do not spoil the
termination property, the program M also has the termination property.
In this way we can hide induction in algorithmic reasoning. □
The implementation of data structures can also be considered on the
basis of AL. It finds a formal counterpart in the notion of an interpretation
of one algorithmic theory within another. Chapter IV contains
more details and examples illustrating the method of development
of type declarations (in LOGLAN), together with the proof of their
correctness, which is based on this idea.
AL can be treated as an axiomatic method of defining semantics
(we deal with this problem in Chapter III). Axiomatization of AL can
be used by implementors as a test in an assessment procedure for an
implementation of a programming language.
For more developed languages one can propose a method of defining
language semantics by constructing a collection of algorithmic
theories. Various theories can define different aspects of LOGLAN’s
semantics. When put together, they will form a system completely
describing the semantics of a rich programming language (cf. Chapter VII).
Another application of AL is in the definition of semantics based
on formal proofs. The notion of formal computation can lead to a new,
non-imperative programming language (Salwicki, 1975).
Algorithmic logic and other logics of programs can be used in the
process of teaching programmers and even mathematicians. It may
be that in the long run AL will help us to a better understanding not
only of programming, but also of mathematics. It is AL which provides
us with another viewpoint on data structures. Algorithmic properties
have equal rights with first-order properties: they may simplify reasoning
about data structures.
CHAPTER II

LOGIC OF DETERMINISTIC ITERATIVE PROGRAMS

The main questions dealt with in this chapter are: “What are the
semantic properties of programs?” and “How can they be expressed
in a formalized language?”
We start with the definition of a class of algorithmic languages which
admit iterative programs. Iterative programs are built from assignment
statements by means of program connectives like composition, branching
and iteration. Each program is interpreted as a binary input-output
relation in the set of all computer memory states. We then define the
notion of computation. This allows us to discuss semantic properties
of programs, like termination, correctness, etc. The importance of these
notions for the analysis of programs is obvious.
To express semantic properties of programs we shall use algorithmic
formulas, i.e., the constructions of a form Kβ where K is a program
and β is a formula. The intuitive meaning of this formula is “after
execution of program K the property β holds”. Such constructions allow
us to express properties of programs and data structures which are
not expressible in the first-order language.
The next step is to formulate laws and rules concerning computational
processes. They provide us with formal tools for reasoning about
programs. We aim to construct a formal system in which all valid sentences
are provable and all provable sentences are valid. However,
a more strict investigation of the semantics of the algorithmic language
leads to the conclusion that the compactness property does not hold.
This means that there exists a sentence which is a semantic consequence
of an infinite set of formulas and which is not a consequence
of any finite subset of this set. The most important consequence of this
fact is that the logical system we are going to construct cannot be a
finitistic one.
In this chapter we shall present a formal system of algorithmic logic
in the Hilbert style which uses infinitistic rules of inference of the ω-type.
We shall prove that all provable formulas of this system are valid.
We conclude the chapter with some examples of formal proofs in the
formalized system of algorithmic logic.

1. LANGUAGE

We shall now consider the algorithmic language L of deterministic
while-programs. There are three kinds of well-formed expressions in L:
terms, formulas and programs. In this section we shall introduce these
three notions formally.
Let us assume that the alphabet of the language L contains enumerable
sets of signs of relations P (predicates for short), signs of functions Φ
(functors for short) and variables V. There are two kinds of variables,
propositional and individual. Hence the set V is a set-theoretical union
of two disjoint sets of propositional variables V0 and of individual
variables Vi.

Definition 1.1. By the type of language L we shall understand the
system <{n_φ}_{φ∈Φ}, {m_ρ}_{ρ∈P}> of two families of natural numbers such
that for every φ ∈ Φ, n_φ is an arity of the functor φ and for every ρ ∈ P,
m_ρ is an arity of the predicate ρ. □

The notion of term is just the same as in classical logic. We shall recall the definition below.

Definition 1.2. The set of terms T is the smallest set which contains the set of individual variables Vᵢ and is closed with respect to the rule that if φ is an n-argument functor, φ ∈ Φ, and τ₁, ..., τₙ are terms, then the expression φ(τ₁, ..., τₙ) is a term. □

Remark. In most examples throughout this book we shall consider two-argument functors and two-argument predicates. In keeping with tradition we shall then write x < y, x + y instead of <(x, y), +(x, y) as in the definition above. □

Example 1.1. Assuming x, y, z, i are individual variables and ·, + are two-argument functors, then ((i · y) + z), ((x · i) + (x · z)) are terms. □

Lemma 1.1. The system $\mathfrak{T} = \langle T, \{\varphi_{\mathfrak{T}}\}_{\varphi \in \Phi} \rangle$ is an abstract algebra with the set Vᵢ being the set of free generators in T, such that for every n-argument functor φ ∈ Φ, $\varphi_{\mathfrak{T}}$ is an operation in T and for arbitrary terms τ₁, ..., τₙ we have
$\varphi_{\mathfrak{T}}(\tau_1, \ldots, \tau_n) = \varphi(\tau_1, \ldots, \tau_n)$. □

The set of all formulas F will be described later after the definition of programs. We now recall the notion of an open formula.

Definition 1.3. The set of open formulas F₀ is the least set that contains the set of propositional variables V₀ and such that
(i) if α, β belong to F₀ then the expressions (α ∨ β), (α ∧ β), (α ⇒ β), ∼α also belong to F₀,
(ii) if τ₁, ..., τₙ are terms and ϱ is an n-argument predicate, then ϱ(τ₁, ..., τₙ) belongs to F₀. □

The formulas defined in (ii) above are called elementary formulas. In other words every propositional variable is an open formula; every elementary formula is an open formula; the conjunction, the alternative and the implication of open formulas are open formulas, and the negation of an open formula is an open formula.

Example 1.2. Assume p, q are propositional variables and <, ≤, = are two-argument predicates. Let x, y, z and +, · be as in Example 1.1. The expressions
(1) (x = ((i · y) + z) ∧ (z < y ∧ 0 ≤ i)),
((∼q ∧ p) ⇒ (x + y) · z < x + (y · z))
are then open formulas. □

Lemma 1.2. The system $\langle F_0, \cup, \cap, \to, - \rangle$ is a free abstract algebra in the class of all algebras $\langle A, o_1, o_2, o_3, o_4 \rangle$ with three binary operations $o_1, o_2, o_3$ and one unary operation $o_4$, and such that for arbitrary α, β ∈ F₀ we have
$\alpha \cup \beta = (\alpha \vee \beta)$,
$\alpha \cap \beta = (\alpha \wedge \beta)$,
$\alpha \to \beta = (\alpha \Rightarrow \beta)$,
$-\alpha = \sim\alpha$.
The set of all propositional variables and elementary formulas is a set of free generators of the algebra $\langle F_0, \cup, \cap, \to, - \rangle$.

The proof is analogous to that in classical logic, and also to the proof of Lemma 1.3 below. □
Definition 1.3. The set of all programs Π is the least set such that:
(i) Every expression of the form (x := τ) or (q := γ) is a program, where x is an individual variable, τ is a term, q is a propositional variable, γ is an open formula.
(ii) If γ is an open formula and M and M′ are programs then the expressions if γ then M else M′ fi, while γ do M od, begin M; M′ end are programs. □

The set of all expressions defined in (i) shall be called the set of assignment instructions and will be denoted by S. Note that the pairs of words then–else, else–fi, do–od, begin–end play the role of parentheses similar to (, ). To avoid superfluous parentheses we shall write for example
1° begin M₁; ...; Mₙ end instead of begin M₁; begin M₂; ... begin Mₙ₋₁; Mₙ end ... end end;
2° while γ do M₁; M₂ od instead of while γ do begin M₁; M₂ end od;
3° if γ then M₁; M₂ else M′₁; M′₂ fi instead of if γ then begin M₁; M₂ end else begin M′₁; M′₂ end fi.
According to the definition the expression (x := x) is a program for every variable x. We shall denote such a program by Id. For the sake of simplicity we shall write if γ then M fi instead of if γ then M else Id fi.
If M is a program and i a natural number, then Mⁱ is a shortened form of the program begin M; ...; M end in which M occurs i times; M⁰ = Id. The program begin M; M′ end is called the composition of the programs M, M′; the program if γ then M else M′ fi is called the branching between the two programs M and M′, and the program while γ do M od is called the iteration of the program M.

Example 1.3. Let x, y, z, i be individual variables, +, − two-argument functors, ≥ a two-argument predicate and 0, 1 zero-argument functors (i.e. constants). The following expression is then a program
begin
z := x;
i := 0;
while z ≥ y
do
z := z − y;
i := i + 1
od
end □

Lemma 1.3. The system $\mathbf{\Pi} = \langle \Pi, \circ, \{*_\gamma\}_{\gamma \in F_0}, \{\mathrm{if}_\gamma\}_{\gamma \in F_0} \rangle$ is an abstract algebra such that for every γ ∈ F₀, ∘ and $\mathrm{if}_\gamma$ are two-argument operations in Π, $*_\gamma$ is a one-argument operation in Π, and for every M, M′ ∈ Π we have
$M \circ M' = \mathbf{begin}\ M;\ M'\ \mathbf{end}$,
$*_\gamma(M) = \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}$,
$\mathrm{if}_\gamma(M, M') = \mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{else}\ M'\ \mathbf{fi}$.
Moreover, $\mathbf{\Pi}$ is a free algebra in the class of similar algebras with the set S of assignment instructions being the set of free generators.

Proof. Let $\mathfrak{A} = \langle A, \circ, \{*_\gamma\}_{\gamma \in F_0}, \{\mathrm{if}_\gamma\}_{\gamma \in F_0} \rangle$ be an algebra similar to $\mathbf{\Pi}$, and let f: S → A be any mapping from the set of generators S into A. The mapping f can be extended in a unique way to the function h: Π → A, defined by induction on the length of programs:
h(s) = f(s) for every assignment instruction s ∈ S,
h(begin M; M′ end) = h(M) ∘ h(M′),
h(if γ then M else M′ fi) = $\mathrm{if}_\gamma$(h(M), h(M′)),
h(while γ do M od) = $*_\gamma$(h(M))
for all programs M, M′ and every formula γ ∈ F₀.
By the definition, h is an extension of f and h is a homomorphism. The uniqueness of h follows from the property that every program in Π is of exactly one of the following forms: it is an assignment instruction, a composition of two programs, an iteration of a program or a branching between two programs. Moreover, the representation of a program is unique. □

Now we can define the set of all formulas of the language L.

Definition 1.4. The set of all formulas F is the least extension of the set F₀ such that:
(i) If M is a program and α is a formula, then Mα is a formula.
(ii) If M is a program and α is a formula, then ⋃Mα, ⋂Mα are formulas.
(iii) If x is an individual variable and α(x) is a formula, then (∃x)α(x) and (∀x)α(x) are formulas.
(iv) If α and β are formulas, then (α ∨ β), (α ∧ β), (α ⇒ β) and ∼α are formulas. □

We call the signs ⋂, ⋃ universal and existential iteration quantifiers, and the signs ∀, ∃ universal and existential classical quantifiers. Any formula in which neither iteration quantifiers nor classical quantifiers appear is called a quantifier-free algorithmic formula.

Example 1.4. Let M be the program defined in Example 1.3. The expression
(2) M(x = ((i · y) + z) ∧ (z < y ∧ 0 ≤ i))
is then a quantifier-free formula, and
(3) (∃y)((z := y) ⋃(x := x + 1)(z < x))
is a formula, where x, y, z, i are individual variables; +, · are two-argument functors; <, =, ≤ are two-argument predicates; 0, 1 are zero-argument functors. □

As in the case of the previous definitions we can formulate a theorem about the algebraic structure of the set F. Indeed, every program M ∈ Π can be treated as a one-argument operation in F such that for a given formula α it gives as a result the formula Mα. However, the problem with quantifiers is much more difficult since they in fact define generalized operations with infinitely many arguments.
At the end of this section we shall introduce some auxiliary notions. Let w be any well-formed expression of the language L. By V(w) we shall denote the set of all variables that appear in w.
Let s be an assignment instruction of the form (u := w′). By $\bar{s}w$ we shall then denote the expression which is obtained from w by the simultaneous replacement of all occurrences of the variable u in the expression w by the expression w′.

Example 1.5. Let s be the assignment instruction (y := x + y).
1. As a first simple example let us consider the case where w is the term ((i · y) + z) from Example 1.1. Then $\bar{s}w$ is a term of the form
((i · (x + y)) + z).
2. As a second example let us take the formula (1) to be w. The expression $\bar{s}w$ is then a formula of the form
(x = ((i · (x + y)) + z) ∧ (z < (x + y) ∧ 0 ≤ i)).
Obviously if y does not appear in the expression w then $\bar{s}w$ is identical to w.
3. Note also these negative examples. When w is the formula (2) or (3) then the expression $\bar{s}w$ is not a well-formed expression. □

The observations from the above examples can be summed up in the following lemma.

Lemma 1.4. For every assignment instruction s:
1° If w is an open formula, then $\bar{s}w$ is an open formula.
2° If w is a term, then $\bar{s}w$ is a term.
The easy proof is left to the reader. □

Now we give the strict definitions of the free and bounded occurrence of an individual variable in a formula.

Definition 1.5. The occurrence of an individual variable x in a formula α is bounded by a classical quantifier iff x occurs in a part of α of the form (∃x)β or (∀x)β for some formula β. In the opposite case an occurrence of x is called free. □

Example 1.6. The occurrence of z in formula (3) is free; the occurrence of y in this formula is bounded by the existential quantifier (∃y). In the formula ((∃y)x < y ∨ x = y) both occurrences of x are free; the first occurrence of y is bounded and the second, free. □

We write α(x) indicating that the variable x is free in α.
Let us denote by true the formula (p ∨ ∼p) and by false the formula (p ∧ ∼p), for a fixed propositional variable p; let α ≡ β be a shortened form of ((α ⇒ β) ∧ (β ⇒ α)).
2. SEMANTICS

In this section we shall define precisely the algebraic semantics of the algorithmic language. We shall start from the interpretation of the language signs in the corresponding relational system and the two-element Boolean algebra. Then we shall extend this interpretation to all well-formed expressions of the language: terms, formulas and programs.
Let L be an algorithmic language of the type $\langle \{n_\varphi\}_{\varphi \in \Phi}, \{m_\varrho\}_{\varrho \in P} \rangle$ where Φ is the set of functors in L and P is the set of predicates in L.

Definition 2.1. By a data structure for L we shall understand a relational system 𝔄 which consists of the universe A and operations and relations such that:
1° For every $n_\varphi$-argument functor φ, there exists an $n_\varphi$-argument operation $\varphi_{\mathfrak{A}}$ in A.
2° For every $m_\varrho$-argument predicate ϱ, there exists an $m_\varrho$-argument relation $\varrho_{\mathfrak{A}}$ in A.
Hence a data structure for L is a relational system
$\mathfrak{A} = \langle A, \{\varphi_{\mathfrak{A}}\}_{\varphi \in \Phi}, \{\varrho_{\mathfrak{A}}\}_{\varrho \in P} \rangle$
of the type $\langle \{n_\varphi\}_{\varphi \in \Phi}, \{m_\varrho\}_{\varrho \in P} \rangle$. □

The given data structure for L determines the interpretation of function and relation signs in the language. We shall call $\varphi_{\mathfrak{A}}$ the interpretation of a functor φ, and $\varrho_{\mathfrak{A}}$ the interpretation of a predicate ϱ. Let 𝔄 be a data structure for L, and let both 𝔄 and L be fixed for the rest of this section.
Individual variables of L will be interpreted as elements of A and propositional variables of L will be interpreted as elements of the two-element Boolean algebra
$B_0 = \langle \{1, 0\}, \vee, \wedge, \Rightarrow, \sim \rangle$.

Definition 2.2. By a valuation in the given data structure 𝔄 we shall mean a mapping
$v: V_0 \cup V_i \to A \cup \{0, 1\}$
such that
v(p) ∈ {0, 1} for p ∈ V₀,
v(x) ∈ A for x ∈ Vᵢ. □
The set of all possible valuations will always be denoted by W. The given data structure 𝔄 for L determines in a unique way the interpretation of a term as a mapping in A. For every term τ we have a corresponding function
$\tau_{\mathfrak{A}}: W \to A$
which is defined recursively as follows:
$x_{\mathfrak{A}}(v) = v(x)$ for x ∈ Vᵢ,
$\varphi(\tau_1, \ldots, \tau_n)_{\mathfrak{A}}(v) = \varphi_{\mathfrak{A}}(\tau_{1\mathfrak{A}}(v), \ldots, \tau_{n\mathfrak{A}}(v))$.
Here we have used the fact that every term τ is either a variable or is in the form φ(τ₁, ..., τₙ), and the representation is unique. Note that we have in fact defined a homomorphism h between the algebra of terms and the algebra $\langle A, \{\varphi_{\mathfrak{A}}\}_{\varphi \in \Phi} \rangle$ such that
$h(\tau) = \tau_{\mathfrak{A}}(v)$.
By Theorem 1.1 the homomorphism is uniquely determined by the given valuation v.

Example 2.1. Let R be the data structure of real numbers and let addition (+) and multiplication (·) be the interpretation of the functors +, · of the language L. The term ((i · y) + z) then determines the three-argument function f(i, y, z) in R such that for every valuation v in R
$f(v(i), v(y), v(z)) = \tau_R(v)$.
In particular, f(1, 2, 3) = 5. □

The element $\tau_{\mathfrak{A}}(v)$ of A is called the value of the term τ in the structure 𝔄 at the valuation v.
Analogously, every formula α of the language L determines a mapping $\alpha_{\mathfrak{A}}$ from the set of all valuations W into the Boolean algebra B₀,
$\alpha_{\mathfrak{A}}: W \to B_0$.
Every program M of the language L determines a partial function $M_{\mathfrak{A}}$ from the set W into itself, called the interpretation of the program M,
$M_{\mathfrak{A}}: W \to W$.
Both mappings will be defined by simultaneous induction with respect to the length of expressions:
$p_{\mathfrak{A}}(v) = v(p)$ for p ∈ V₀,
$\varrho(\tau_1, \ldots, \tau_n)_{\mathfrak{A}}(v) = 1$ iff $(\tau_{1\mathfrak{A}}(v), \ldots, \tau_{n\mathfrak{A}}(v)) \in \varrho_{\mathfrak{A}}$
for an n-argument predicate ϱ and arbitrary terms τ₁, ..., τₙ.
If $\alpha_{\mathfrak{A}}(v)$ and $\beta_{\mathfrak{A}}(v)$ are defined, then
$(\alpha \vee \beta)_{\mathfrak{A}}(v) = \alpha_{\mathfrak{A}}(v) \cup \beta_{\mathfrak{A}}(v)$,
$(\alpha \wedge \beta)_{\mathfrak{A}}(v) = \alpha_{\mathfrak{A}}(v) \cap \beta_{\mathfrak{A}}(v)$,
$(\alpha \Rightarrow \beta)_{\mathfrak{A}}(v) = \alpha_{\mathfrak{A}}(v) \to \beta_{\mathfrak{A}}(v)$.

Let s be an assignment instruction of the form (u := w′); $s_{\mathfrak{A}}(v)$ is then the valuation v′ such that
$v'(u) = w'_{\mathfrak{A}}(v)$ and $v'(z) = v(z)$ for u ≠ z.
Assume that the mappings $\gamma_{\mathfrak{A}}$, $M_{\mathfrak{A}}$ and $M'_{\mathfrak{A}}$ have been defined.
$$(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{else}\ M'\ \mathbf{fi})_{\mathfrak{A}}(v) = \begin{cases} M_{\mathfrak{A}}(v) & \text{if } \gamma_{\mathfrak{A}}(v) = 1 \text{ and } M_{\mathfrak{A}}(v) \text{ is defined,} \\ M'_{\mathfrak{A}}(v) & \text{if } \gamma_{\mathfrak{A}}(v) = 0 \text{ and } M'_{\mathfrak{A}}(v) \text{ is defined,} \\ \text{undefined} & \text{otherwise,} \end{cases}$$
$$(\mathbf{begin}\ M;\ M'\ \mathbf{end})_{\mathfrak{A}}(v) = \begin{cases} M'_{\mathfrak{A}}(M_{\mathfrak{A}}(v)) & \text{if } M_{\mathfrak{A}}(v) \text{ is defined and } M'_{\mathfrak{A}}(M_{\mathfrak{A}}(v)) \text{ is defined,} \\ \text{undefined} & \text{otherwise,} \end{cases}$$
$$(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od})_{\mathfrak{A}}(v) = \begin{cases} M^i_{\mathfrak{A}}(v) & \text{if } M^j_{\mathfrak{A}}(v) \text{ is defined for all } j \leqslant i \text{ and } \gamma_{\mathfrak{A}}(M^j_{\mathfrak{A}}(v)) = 1 \text{ for } j < i,\ = 0 \text{ for } j = i, \\ \text{undefined} & \text{otherwise.} \end{cases}$$
We continue the definition of the interpretation of formulas:
$$(M\alpha)_{\mathfrak{A}}(v) = \begin{cases} \alpha_{\mathfrak{A}}(v') & \text{if } M_{\mathfrak{A}}(v) \text{ is defined and } v' = M_{\mathfrak{A}}(v), \\ 0 & \text{otherwise,} \end{cases}$$
$(\bigcup M\alpha)_{\mathfrak{A}}(v) = \mathrm{l.u.b.}_{i \in N}\,(M^i\alpha)_{\mathfrak{A}}(v)$ (cf. Appendix A),
$(\bigcap M\alpha)_{\mathfrak{A}}(v) = \mathrm{g.l.b.}_{i \in N}\,(M^i\alpha)_{\mathfrak{A}}(v)$ (cf. Appendix A),
$((\exists x)\alpha(x))_{\mathfrak{A}}(v) = \mathrm{l.u.b.}_{a \in A}\,\alpha_{\mathfrak{A}}(v^a_x)$,
$((\forall x)\alpha(x))_{\mathfrak{A}}(v) = \mathrm{g.l.b.}_{a \in A}\,\alpha_{\mathfrak{A}}(v^a_x)$,
where $v^a_x$ is the valuation such that
$v^a_x(x) = a$ and $v^a_x(z) = v(z)$ for all z ≠ x.

Remark 2.1. According to the definitions given above, the mappings $\alpha_{\mathfrak{A}}$, $\tau_{\mathfrak{A}}$, $M_{\mathfrak{A}}$ depend on the finite set of variables that occur in the formula α, the term τ or the program M. Hence only a finite part of the arguments described by the valuation is used in order to establish the values $\alpha_{\mathfrak{A}}(v)$, $\tau_{\mathfrak{A}}(v)$, $M_{\mathfrak{A}}(v)$. In order to simplify our definitions we shall treat these mappings as defined on the set W. □

For a given data structure 𝔄 and valuation v, $\alpha_{\mathfrak{A}}(v)$ will be called the value of the formula α in the structure 𝔄 at the valuation v. Analogously, whenever $M_{\mathfrak{A}}(v)$ is defined, we shall call it the result of the program M in the structure 𝔄 at the initial data (valuation) v.

Remark 2.2. If a program M does not contain while, then for every data structure 𝔄 the mapping $M_{\mathfrak{A}}$ is total. □

Example 2.2. We shall consider the program M described in Example 1.3. Let the set of natural numbers be the universe of a data structure 𝔄, and let the interpretation of the functors −, + and of the predicate ≥ be the obvious one.
Below we shall describe the process of evaluating the result of the program M at an initial valuation v in the data structure 𝔄.
$M_{\mathfrak{A}}(v) = (\mathbf{while}\ z \geqslant y\ \mathbf{do}\ z := z - y;\ i := i + 1\ \mathbf{od})_{\mathfrak{A}}(v_0)$
where
$v_0 = (z := x)_{\mathfrak{A}}((i := 0)_{\mathfrak{A}}(v))$,
i.e.
$v_0(z) = v(x)$, $v_0(u) = v(u)$ for all u ≠ z and u ≠ i, $v_0(i) = 0$.
Let n be the quotient obtained on dividing v(x) by v(y). This gives
$v(x) - j \cdot v(y) \geqslant 0$ for all j ≤ n.
Let
$v_j = (\mathbf{begin}\ z := z - y;\ i := i + 1\ \mathbf{end})^j_{\mathfrak{A}}(v_0)$.
Thus for all j ≤ n
$v_j(i) = j$, $v_j(z) = v(x) - j \cdot v(y)$
and for j < n,
$(z \geqslant y)_{\mathfrak{A}}(v_j) = 1$, $(z \geqslant y)_{\mathfrak{A}}(v_n) = 0$.
Hence,
$M_{\mathfrak{A}}(v) = (\mathbf{begin}\ z := z - y;\ i := i + 1\ \mathbf{end})^n_{\mathfrak{A}}(v_0) = v'$,
where
$v'(i) = n$, $v'(z) = v(x) - n \cdot v(y)$,
$v'(u) = v(u)$ for u ≠ z, u ≠ i. □

The strict analysis of the example allows us to observe that the process of evaluating the result of a program consists of consecutive steps in accordance with the structure of the program. The notion of computation defined below captures the intuition of the evaluation process.

Definition 2.3. By a configuration we shall mean any ordered pair ⟨v; σ⟩ such that v is a valuation and σ is a finite sequence of programs. □

Definition 2.4. By a computation of a program M in a data structure 𝔄 and an initial valuation v, we shall understand a sequence of configurations such that the initial configuration is of the form ⟨v; M⟩ and any two consecutive configurations satisfy the successorship relation defined in 1°–5° below:
Assume that ⟨v′; M₁, ..., Mₙ⟩ is a configuration of the computation.
1° If M₁ is an assignment instruction s, then the next configuration is ⟨$s_{\mathfrak{A}}(v')$; M₂, ..., Mₙ⟩.
2° If M₁ is in the form begin M₁₁; M₁₂ end, then the next configuration is ⟨v′; M₁₁, M₁₂, M₂, ..., Mₙ⟩.
3° If M₁ is in the form if γ then M₁₁ else M₁₂ fi, then the next configuration is
⟨v′; M₁₁, M₂, ..., Mₙ⟩ if $\gamma_{\mathfrak{A}}(v') = 1$,
⟨v′; M₁₂, M₂, ..., Mₙ⟩ if $\gamma_{\mathfrak{A}}(v') = 0$.
4° If M₁ is in the form while γ do M od, then the next configuration is either
⟨v′; M₂, M₃, ..., Mₙ⟩, when $\gamma_{\mathfrak{A}}(v') = 0$,
or
⟨v′; M, M₁, M₂, M₃, ..., Mₙ⟩, when $\gamma_{\mathfrak{A}}(v') = 1$.
5° If a configuration of a computation is in the form ⟨v; ⟩, i.e., if it has an empty list of programs, then it is the last configuration of the computation and the computation is called finite. The valuation v is called the result of the computation. □

Example 2.3 (Evaluation of a formula value). Let α be the formula
(x := 0)(⋃(x := x + 1) y < x), where 0 is a zero-argument functor, +1 is a one-argument functor and < is a two-argument predicate. Let 𝔄 be a data structure such that the set of natural numbers is its universe and $0_{\mathfrak{A}}$ is the number zero, $(+1)_{\mathfrak{A}}$ is the successor and $<_{\mathfrak{A}}$ is the ordering relation in the set of natural numbers. If v is any valuation in 𝔄, then
$\alpha_{\mathfrak{A}}(v) = (\bigcup (x := x + 1)\ y < x)_{\mathfrak{A}}(v^0_x) = \mathrm{l.u.b.}_{i \in N}\,((x := x + 1)^i\ y < x)_{\mathfrak{A}}(v^0_x)$.
Assume that
$v_i = (x := x + 1)^i_{\mathfrak{A}}(v^0_x)$,
i.e.
$v_i(x) = i$ and $v_i(z) = v(z)$ for z ≠ x.
Then
$\alpha_{\mathfrak{A}}(v) = \mathrm{l.u.b.}_{i \in N}\,(y < x)_{\mathfrak{A}}(v_i) = \mathrm{l.u.b.}_{i \in N}\,(v_i(y) < v_i(x)) = \mathrm{l.u.b.}_{i \in N}\,(v_i(y) < i) = 1$.
Hence, for every valuation v in the structure 𝔄, the formula α has the value 1. □

We shall now state some simple properties of a semantic character, which will be useful in the sequel.

Lemma 2.1. For every term τ, open formula γ, assignment instruction s and program M, for every data structure 𝔄 and valuation v, we have the following:
(1) $\tau_{\mathfrak{A}}(s_{\mathfrak{A}}(v)) = (\bar{s}\tau)_{\mathfrak{A}}(v)$,
(2) $(s\gamma)_{\mathfrak{A}}(v) = (\bar{s}\gamma)_{\mathfrak{A}}(v)$,
(3) If $V(M) \cap V(\alpha) = \emptyset$ and $M_{\mathfrak{A}}$ is defined at v, then $\alpha_{\mathfrak{A}}(v) = (M\alpha)_{\mathfrak{A}}(v)$,
(4) For every formula α in which the signs of quantifiers and while do not appear, there exists an open formula $\alpha_d$ such that
$\alpha_{\mathfrak{A}}(v) = \alpha_{d\mathfrak{A}}(v)$
for every data structure 𝔄 and every valuation v in 𝔄.

Proof. Let 𝔄 be any data structure and v any valuation.
(1) The proof is by induction on the length of the expression. Assume that s is of the form (u := w) and $s_{\mathfrak{A}}(v) = v'$.
Let x be an individual variable. By Definition 2.2 of valuation and by the definition of the mapping $s_{\mathfrak{A}}$ we then have
$$x_{\mathfrak{A}}(v') = \begin{cases} v(x) & \text{iff } u \neq x, \\ w_{\mathfrak{A}}(v) & \text{iff } u = x \end{cases} = (\bar{s}x)_{\mathfrak{A}}(v).$$
Let φ be an n-argument functor, and let us assume property (1) for the terms τ₁, ..., τₙ, i.e.
$\tau_{i\mathfrak{A}}(s_{\mathfrak{A}}(v)) = (\bar{s}\tau_i)_{\mathfrak{A}}(v)$ for i = 1, 2, ..., n.
Thus
$\varphi(\tau_1, \ldots, \tau_n)_{\mathfrak{A}}(s_{\mathfrak{A}}(v)) = \varphi_{\mathfrak{A}}(\tau_{1\mathfrak{A}}(s_{\mathfrak{A}}(v)), \ldots, \tau_{n\mathfrak{A}}(s_{\mathfrak{A}}(v))) = \varphi_{\mathfrak{A}}((\bar{s}\tau_1)_{\mathfrak{A}}(v), \ldots, (\bar{s}\tau_n)_{\mathfrak{A}}(v)) = (\bar{s}\varphi(\tau_1, \ldots, \tau_n))_{\mathfrak{A}}(v)$.
Hence for every term τ and every assignment instruction s, (1) holds.
The proofs of (2) and (3), although a little longer, are based on the same idea and are therefore omitted.
(4) It is sufficient to prove property (4) for formulas of the form Mβ, where β is an open formula and M is a while-free program. The proof is by induction on the length of M.
(a) Suppose M is an assignment instruction s. According to property (2), for every data structure 𝔄 and valuation v, $(s\beta)_{\mathfrak{A}}(v) = (\bar{s}\beta)_{\mathfrak{A}}(v)$. By Lemma 1.4, $\bar{s}\beta$ is an open formula. Thus $\bar{s}\beta$ is the formula we need.
The inductive assumption is: suppose that for the programs M₁, M₂ and every open formula β there exist open formulas β₁, β₂ such that
$(M_1\beta)_{\mathfrak{A}}(v) = \beta_{1\mathfrak{A}}(v)$ and $(M_2\beta)_{\mathfrak{A}}(v) = \beta_{2\mathfrak{A}}(v)$
for every data structure 𝔄 and every valuation v.
(b) Let M be the program if γ then M₁ else M₂ fi. By the definition of the mapping $M_{\mathfrak{A}}$ we have
$(M\beta)_{\mathfrak{A}}(v) = (\gamma \wedge M_1\beta)_{\mathfrak{A}}(v) \cup (\sim\gamma \wedge M_2\beta)_{\mathfrak{A}}(v)$.
Hence by the inductive assumption
$(M\beta)_{\mathfrak{A}}(v) = (\gamma \wedge \beta_1)_{\mathfrak{A}}(v) \cup (\sim\gamma \wedge \beta_2)_{\mathfrak{A}}(v)$
for every data structure 𝔄 and valuation v. Thus the open formula we need is in this case of the form ((γ ∧ β₁) ∨ (∼γ ∧ β₂)).
(c) Let M be of the form begin M₁; M₂ end. Let β₂ be an open formula such that
$(M_2\beta)_{\mathfrak{A}}(v) = \beta_{2\mathfrak{A}}(v)$ for all 𝔄 and v,
and let β₁ be an open formula such that
$(M_1\beta_2)_{\mathfrak{A}}(v) = \beta_{1\mathfrak{A}}(v)$ for all 𝔄 and v.
Hence,
$(\mathbf{begin}\ M_1;\ M_2\ \mathbf{end}\ \beta)_{\mathfrak{A}}(v) = (M_1(M_2\beta))_{\mathfrak{A}}(v) = (M_1\beta_2)_{\mathfrak{A}}(v) = \beta_{1\mathfrak{A}}(v)$.
Thus β₁ is the formula we need. This concludes the proof of (4). □
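The construction of cases (a)–(c) above, written out as an added Python example (not from the book): terms, open formulas and while-free programs are encoded as nested tuples (a constructed encoding), subst implements $\bar{s}w$, reduce_open builds the open formula $\alpha_d$ for Mβ, and a small evaluator over the integers checks that Mβ and $\alpha_d$ take the same value at sample valuations, as Lemma 2.1(4) asserts.

```python
# Constructed encoding (not the book's notation):
#   terms: int constants, variable names (str), ('+', t1, t2), ('-', t1, t2), ('*', t1, t2)
#   open formulas: ('<', t1, t2), ('=', t1, t2), ('and', f, g), ('or', f, g), ('not', f)
#   while-free programs: ('assign', var, term), ('seq', M1, M2), ('if', gamma, M1, M2)

def subst(w, u, w_new):
    """The expression s-bar w for s = (u := w_new): every occurrence of the
    variable u in w is simultaneously replaced by w_new (Section 1)."""
    if isinstance(w, str):
        return w_new if w == u else w
    if isinstance(w, tuple):                      # operator symbol stays, operands are substituted
        return (w[0],) + tuple(subst(part, u, w_new) for part in w[1:])
    return w                                      # integer constant

def reduce_open(M, beta):
    """Open formula alpha_d with (M beta)_A(v) = (alpha_d)_A(v), built by cases
    (a)-(c) of the proof of Lemma 2.1(4); M must be while-free."""
    kind = M[0]
    if kind == 'assign':                          # (a): s beta is evaluated as s-bar beta
        _, u, term = M
        return subst(beta, u, term)
    if kind == 'if':                              # (b): (gamma and beta1) or (not gamma and beta2)
        _, gamma, m1, m2 = M
        return ('or', ('and', gamma, reduce_open(m1, beta)),
                      ('and', ('not', gamma), reduce_open(m2, beta)))
    if kind == 'seq':                             # (c): beta2 from M2 first, then beta1 from M1
        _, m1, m2 = M
        return reduce_open(m1, reduce_open(m2, beta))
    raise ValueError(f"not a while-free program: {M!r}")

def eval_term(t, v):
    """tau_A(v) over the integers with the obvious interpretation of +, -, *."""
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return v[t]
    op, a, b = t
    x, y = eval_term(a, v), eval_term(b, v)
    return {'+': x + y, '-': x - y, '*': x * y}[op]

def eval_open(f, v):
    """alpha_A(v) for an open formula; True/False stand for 1/0 of B_0."""
    op = f[0]
    if op == '<':
        return eval_term(f[1], v) < eval_term(f[2], v)
    if op == '=':
        return eval_term(f[1], v) == eval_term(f[2], v)
    if op == 'and':
        return eval_open(f[1], v) and eval_open(f[2], v)
    if op == 'or':
        return eval_open(f[1], v) or eval_open(f[2], v)
    if op == 'not':
        return not eval_open(f[1], v)
    raise ValueError(f"not an open formula: {f!r}")

def run_while_free(M, v):
    """M_A(v) for a while-free program (total, cf. Remark 2.2)."""
    kind = M[0]
    if kind == 'assign':
        v2 = dict(v)
        v2[M[1]] = eval_term(M[2], v)
        return v2
    if kind == 'seq':
        return run_while_free(M[2], run_while_free(M[1], v))
    _, gamma, m1, m2 = M
    return run_while_free(m1 if eval_open(gamma, v) else m2, v)

def agree(M, beta, valuations):
    """True iff (M beta)_A(v) and (alpha_d)_A(v) coincide on every given valuation."""
    alpha_d = reduce_open(M, beta)
    return all(eval_open(beta, run_while_free(M, v)) == eval_open(alpha_d, v)
               for v in valuations)

# Constructed sample: begin x := x + 1; if x < y then y := y - x else y := 0 fi end
M_SAMPLE = ('seq', ('assign', 'x', ('+', 'x', 1)),
                   ('if', ('<', 'x', 'y'),
                          ('assign', 'y', ('-', 'y', 'x')),
                          ('assign', 'y', 0)))
BETA_SAMPLE = ('<', 'y', 'x')                     # the open formula beta = (y < x)
SAMPLE_VALUATIONS = [{'x': x, 'y': y} for x in range(-3, 6) for y in range(-3, 6)]
```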

Definition 2.5. We shall say that the valuation v in a data structure 𝔄 satisfies the formula α, 𝔄, v ⊨ α, iff $\alpha_{\mathfrak{A}}(v) = 1$.
The formula α can be satisfied iff there exists a data structure 𝔄 and a valuation v such that 𝔄, v ⊨ α.
The formula α is valid in the structure 𝔄, for short 𝔄 ⊨ α, iff every valuation in 𝔄 satisfies the formula α.
The formula α is a tautology, ⊨ α, iff α is valid in every data structure 𝔄 for the algorithmic language L. □

Remark. If α cannot be satisfied, then ∼α is a tautology. □

Example 2.4. Let δ be a simple formula of the form
while ∼(x = 0) do x := x − 2 od true.
If 𝔄 is a data structure with the set of real numbers as universe and the obvious interpretation of −, 2, =, 0, then every valuation v such that v(x) is an even non-negative number satisfies the formula δ and any other valuation does not satisfy δ. Hence δ is satisfiable, but it is not valid in 𝔄 and is not a tautology.
Consider another simple example, in this case letting δ be the formula
(5) M(α ∨ β) ≡ (Mα ∨ Mβ)
where M is a program and α, β are formulas.
Let 𝔄 be a data structure and v a valuation. Then by the definition of semantics 𝔄, v ⊨ M(α ∨ β) iff $M_{\mathfrak{A}}(v)$ is defined and 𝔄, v′ ⊨ (α ∨ β) for $v' = M_{\mathfrak{A}}(v)$. Hence 𝔄, v ⊨ M(α ∨ β) iff 𝔄, v ⊨ Mα or 𝔄, v ⊨ Mβ iff 𝔄, v ⊨ (Mα ∨ Mβ). Since 𝔄, v are arbitrarily chosen, δ is valid in every data structure, i.e., δ is a tautology. □

3. EXPRESSIVENESS

We should like to show how useful the algorithmic language is and how strong it is in expressing the properties of programs, computations and data structures. Intuitively, we shall say that a property of semantic character is expressible in the algorithmic language if there exists an algorithmic formula α such that for every data structure and every valuation, the formula α is true if and only if the property holds.

Termination property
The most important property, and one of the easiest to describe, is the termination property expressed as "the program has a finite computation" (see also Chapter I, § 4). According to the definition of semantics (cf. § 2), 𝔄, v ⊨ M true means that the program M has a finite computation which starts from the initial valuation v in the data structure 𝔄. Thus the termination property can be expressed by the formula
M true.
This formula gives us no information about how the termination property of a program depends on its structure, but it can be useful in verifying the termination property. The appropriate facts are summed up in the following lemma. We shall use fin(M) as a denotation of the formula M true, hoping that the wording of the lemma will thereby be more suggestive.
Lemma 3.1. For every data structure 𝔄, every open formula γ, every assignment instruction s, and arbitrary programs M, M′, the following properties hold:
(1) 𝔄 ⊨ fin(s) ≡ true,
(2) 𝔄 ⊨ fin(begin M; M′ end) ≡ M fin(M′),
(3) 𝔄 ⊨ fin(if γ then M else M′ fi) ≡ ((γ ∧ fin(M)) ∨ (∼γ ∧ fin(M′))),
(4) 𝔄 ⊨ fin(while γ do M od) ≡ ⋃M ∼γ.
Proof. The first three properties are very simple and easy to verify, so we shall not prove them here. We would like to call the reader's attention to property (4). Its character is a little different from that of the others.
By the definition of semantics (cf. § 2) for an arbitrary valuation v, we have
𝔄, v ⊨ fin(while γ do M od)
iff there exists a natural number i such that $M^i_{\mathfrak{A}}$ is defined at v and $\gamma_{\mathfrak{A}}(M^j_{\mathfrak{A}}(v)) = 1$ for j < i, $\gamma_{\mathfrak{A}}(M^i_{\mathfrak{A}}(v)) = 0$ (i.e., after the i-th iteration of the program M the formula γ does not hold at the resulting valuation)
iff there exists i such that 𝔄, v ⊨ Mⁱ ∼γ iff 𝔄, v ⊨ ⋃M ∼γ. □
Observe that property (4) of Lemma 3.1 can be reformulated as follows: For every valuation v
𝔄, v ⊨ fin(while γ do M od) iff
there exists a natural number i such that
𝔄, v ⊨ fin(Mⁱ) and 𝔄, v′ ⊨ ∼γ, where $v' = M^i_{\mathfrak{A}}(v)$.
Sometimes it is convenient to have information as to whether the program diverges. Let loop(M) denote the formula ∼M true. Obviously, for every data structure 𝔄 and valuation v
𝔄, v ⊨ loop(M) iff
M has an infinite computation in the structure 𝔄 from the valuation v.
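The successorship relation of Definition 2.4 and the termination test of Lemma 3.1(4), as an added Python example (not from the book): a configuration is a pair (valuation, list of programs), guards and right-hand sides are Python functions of the valuation standing in for the interpretations of open formulas and terms (a constructed encoding), and the program of Example 1.3 is run over the natural numbers as in Example 2.2; a step bound replaces the unbounded search for i in ⋃M ∼γ.

```python
# Constructed encoding (not the book's notation). Programs are tuples:
#   ('assign', var, rhs)      rhs: valuation -> value, the interpretation of the term
#   ('seq', M1, M2)           begin M1; M2 end
#   ('if', gamma, M1, M2)     gamma: valuation -> bool, the interpretation of the open formula
#   ('while', gamma, M)
# A configuration <v; M1, ..., Mn> is the pair (dict, list).

def step(config):
    """One application of the successorship relation 1°-4° of Definition 2.4."""
    v, progs = config
    head, rest = progs[0], progs[1:]
    kind = head[0]
    if kind == 'assign':                               # 1°: <s_A(v); M2, ..., Mn>
        _, u, rhs = head
        v2 = dict(v)
        v2[u] = rhs(v)
        return (v2, rest)
    if kind == 'seq':                                  # 2°: <v; M11, M12, M2, ..., Mn>
        return (v, [head[1], head[2]] + rest)
    if kind == 'if':                                   # 3°: M11 or M12 according to gamma_A(v)
        _, gamma, m1, m2 = head
        return (v, [m1 if gamma(v) else m2] + rest)
    if kind == 'while':                                # 4°: unfold the body once, or drop the loop
        _, gamma, body = head
        return (v, [body, head] + rest) if gamma(v) else (v, rest)
    raise ValueError(f"unknown program form: {head!r}")

def computation(M, v, max_steps=10_000):
    """Configurations from <v; M> until the empty list (5°). Returns (result, trace);
    result is None when the computation is cut off after max_steps (it may be infinite)."""
    config = (dict(v), [M])
    trace = [config]
    while config[1]:
        if len(trace) > max_steps:
            return None, trace
        config = step(config)
        trace.append(config)
    return config[0], trace

def run(M, v, max_steps=10_000):
    """M_A(v): the result of the computation, or None if none was found within max_steps."""
    return computation(M, v, max_steps)[0]

def fin_while(gamma, M, v, bound=1_000):
    """Lemma 3.1(4): fin(while gamma do M od) holds at v iff for some i, M^i is defined at v,
    gamma is true at M^j(v) for j < i and false at M^i(v). Returns that i, or None when no
    i <= bound works (the formula U M ~gamma could not be confirmed within the bound)."""
    w = v
    for i in range(bound + 1):
        if not gamma(w):
            return i
        w = run(M, w)
        if w is None:
            return None
    return None

# The program of Example 1.3 over the natural numbers (Example 2.2):
#   begin z := x; i := 0; while z >= y do z := z - y; i := i + 1 od end
LOOP_BODY = ('seq', ('assign', 'z', lambda v: v['z'] - v['y']),
                    ('assign', 'i', lambda v: v['i'] + 1))
GUARD = lambda v: v['z'] >= v['y']
DIVISION = ('seq', ('assign', 'z', lambda v: v['x']),
            ('seq', ('assign', 'i', lambda v: 0),
                    ('while', GUARD, LOOP_BODY)))

def divide(x, y):
    """M_A(v) for v(x) = x, v(y) = y; Example 2.2 predicts i = quotient, z = remainder,
    and no result at all when y = 0 (the guard z >= 0 never fails)."""
    return run(DIVISION, {'x': x, 'y': y})
```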
Under the assumptions of the previous lemma we have the following:

Lemma 3.2.
𝔄 ⊨ loop(s) ≡ false,
𝔄 ⊨ loop(if γ then M else M′ fi) ≡ ((loop(M) ∧ γ) ∨ (∼γ ∧ loop(M′))),
𝔄 ⊨ loop(begin M; M′ end) ≡ (loop(M) ∨ M loop(M′)),
𝔄 ⊨ loop(while γ do M od) ≡ (⋂Mγ ∨ ⋃ if γ then M fi (γ ∧ loop(M))).
Proof. We omit the exact proof of the lemma. Let us note only that the program while γ do M od has an infinite computation either if the formula γ is true after each iteration of M, or if after some iteration of the program M the resulting valuation satisfies the formula γ and, starting from that valuation, M has an infinite computation. □

Observe now that the expression 𝔄, v ⊨ M true means that v is proper data for the program M in the structure 𝔄, i.e., there exists a valuation v′ such that $M_{\mathfrak{A}}(v) = v'$. Hence, the formula M true describes the domain of the program M, i.e., the domain of the mapping $M_{\mathfrak{A}}$.

The strongest postcondition

The question naturally arises as to whether it is possible to describe the counter domain of M. The answer is positive, but an additional assumption on the algorithmic language is required.
Let us assume that the algorithmic language contains the predicate = interpreted in the data structure 𝔄 as identity. Throughout this section it will be convenient to accept the following abbreviations:
Let αᵢ, for i = 1, ..., n, be a formula; $\bigwedge_{1 \leqslant i \leqslant n} \alpha_i$ is then a shortened form of the formula
(α₁ ∧ α₂ ∧ ... ∧ αₙ),
and $\bigvee_{1 \leqslant i \leqslant n} \alpha_i$ is a shortened form of the formula
(α₁ ∨ α₂ ∨ ... ∨ αₙ).
Let u = (u₁, ..., uₙ) and t = (t₁, ..., tₙ) be two vectors of different variables such that for every i ≤ m ≤ n, uᵢ and tᵢ are individual variables, for every i, m < i ≤ n, uᵢ and tᵢ are propositional variables, and {u₁, ..., uₙ} ∩ {t₁, ..., tₙ} = ∅; u = t is then a shortened form of the formula
$\bigwedge_{1 \leqslant i \leqslant m} (t_i = u_i) \wedge \bigwedge_{m < i \leqslant n} (t_i \equiv u_i)$.
Moreover (∃u)α is a shortened form of the formula
$(\exists u_1) \ldots (\exists u_m) \bigvee_{\varepsilon_j \in \{\mathbf{true}, \mathbf{false}\},\ m < j \leqslant n} \mathbf{begin}\ u_{m+1} := \varepsilon_{m+1};\ \ldots;\ u_n := \varepsilon_n\ \mathbf{end}\ \alpha$.
Let M be a program and let t = (t₁, ..., tₙ) be the vector of all variables that occur in M. We shall consider the formula (∃u)M(t/u)(t = u).

𝔄, v ⊨ (∃u)M(t/u)(t = u) iff
there exists a corresponding vector a of values of u such that for $v' = M(t/u)_{\mathfrak{A}}(v^a_u)$, 𝔄, v′ ⊨ (t = u) iff
there exists a such that
$v' = M(t/u)_{\mathfrak{A}}(v^a_u)$ and $v'(u_i) = v(t_i)$ for all i ≤ n iff
there exists an initial valuation v′ such that the valuation v is the result of a finite computation of M starting from the valuation v′.
Let t be the vector of all variables that occur in M and α. Denote by αM the formula (∃u)(α(t/u) ∧ M(t/u)(t = u)). By virtue of the above we have for every valuation v,
𝔄, v ⊨ true M iff
v is a result of a computation of M in the data structure 𝔄.
Analogously,
𝔄, v ⊨ αM iff
there exists a valuation v′ such that 𝔄, v′ ⊨ α and v is a result of a computation of the program M in the structure 𝔄 from the valuation v′.
The formula αM describes in a data structure 𝔄 the set of all valuations which are the results of computations of the program M from the initial valuations satisfying the formula α.

Definition 3.1. The formula δ is called the strongest postcondition of a formula α with respect to the program M iff the following conditions hold in every data structure 𝔄:
(i) 𝔄 ⊨ ((α ∧ M true) ⇒ Mδ), i.e. δ is a postcondition,
(ii) for every formula β, if 𝔄 ⊨ ((α ∧ M true) ⇒ Mβ) then 𝔄 ⊨ (δ ⇒ β) (δ is the strongest postcondition, cf. Chapter I). □

Remark. The formula αM is the strongest postcondition of a formula α with respect to the program M.
For a valuation v let 𝔄, v ⊨ (α ∧ M true). It then follows that 𝔄, v ⊨ α and there exists v′ such that $v' = M_{\mathfrak{A}}(v)$. By the definition of the construction αM, since $v' = M_{\mathfrak{A}}(v)$ and 𝔄, v ⊨ α, we have 𝔄, v′ ⊨ αM. Hence 𝔄, v ⊨ M(αM).
Suppose that β is an arbitrary formula and
𝔄 ⊨ ((α ∧ M true) ⇒ Mβ).
For a given valuation v, let
𝔄, v ⊨ αM and non 𝔄, v ⊨ β.
Thus there exists a valuation v′ such that
𝔄, v′ ⊨ α and $v = M_{\mathfrak{A}}(v')$ and non 𝔄, v ⊨ β.
Consequently, there exists a valuation v′ such that
non 𝔄, v′ ⊨ Mβ and 𝔄, v′ ⊨ (α ∧ M true),
which contradicts the assumption. □

Example 3.2. Let M be a program in the algorithmic language L such that
M: begin
while (z − y) > 0
do
z := z − y;
y := y + 2
od;
if z = y then y := 0 else y := z fi
end.
Let the data structure for the language L be the set of real numbers with the obvious interpretation of the signs =, >, +, −, 2, 0.
The formula y = x − [√x]² is the strongest postcondition of the formula (y = 1 ∧ z = x ∧ x > 0) with respect to the program M. In fact, for every valuation v,
𝔄, v ⊨ (y = 1 ∧ z = x ∧ x > 0)M iff
there exists a valuation v′ such that
𝔄, v′ ⊨ (y = 1 ∧ z = x ∧ x > 0) and $v = M_{\mathfrak{A}}(v')$.
However, $v = M_{\mathfrak{A}}(v')$ if and only if there exists v″ such that
$v'' = (\mathbf{begin}\ z := z - y;\ y := y + 2\ \mathbf{end})^n_{\mathfrak{A}}(v')$,
where
$n = \max\,\{ i \in N : v'(x) - (1 + 3 + \ldots + (2i - 1)) > 0 \}$
and
$$v(y) = \begin{cases} v''(z) & \text{iff } v''(z) < v''(y), \\ 0 & \text{iff } v''(z) = v''(y). \end{cases}$$
Hence
$$v(y) = \begin{cases} v(x) - (1 + 3 + 5 + \ldots + (2n - 1)) & \text{iff } v(x) > n^2, \\ 0 & \text{iff } v(x) = n^2. \end{cases}$$
Thus
𝔄, v ⊨ (y = 1 ∧ z = x ∧ x > 0)M iff 𝔄, v ⊨ (y = x − [√x]²). □
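Example 3.2 checked by computation, as an added Python example (not from the book): the program M is transcribed directly, the natural numbers below a bound stand in for the universe (a constructed finite domain), the image of the valuations satisfying (y = 1 ∧ z = x ∧ x > 0) under M is tested against y = x − [√x]², and a weaker formula y ≤ x (constructed for comparison) is shown to satisfy condition (i) of Definition 3.1 but not to be the strongest.

```python
from math import isqrt

def run_M(v):
    """Direct transcription of the program M of Example 3.2, run over the naturals
    (where z - y > 0 is meaningful); returns the result valuation M_A(v)."""
    x, y, z = v['x'], v['y'], v['z']
    while z - y > 0:            # while (z - y) > 0 do z := z - y; y := y + 2 od
        z, y = z - y, y + 2
    y = 0 if z == y else z      # if z = y then y := 0 else y := z fi
    return {'x': x, 'y': y, 'z': z}

def alpha(v):
    """The precondition (y = 1 and z = x and x > 0)."""
    return v['y'] == 1 and v['z'] == v['x'] and v['x'] > 0

def delta(v):
    """The claimed strongest postcondition y = x - [sqrt x]^2 ([.] is the integer part)."""
    return v['y'] == v['x'] - isqrt(v['x']) ** 2

def weaker(v):
    """Constructed comparison formula y <= x."""
    return v['y'] <= v['x']

def valuations(n):
    """All valuations of x, y, z in {0, ..., n-1}: a finite stand-in for the universe."""
    return [{'x': x, 'y': y, 'z': z} for x in range(n) for y in range(n) for z in range(n)]

def image(program, pre, n):
    """The set the formula pre M describes: results of program from valuations satisfying pre."""
    return [program(v) for v in valuations(n) if pre(v)]

def is_postcondition(post, n=25):
    """Condition (i) of Definition 3.1 on the finite domain: (alpha and M true) implies M post."""
    return all(post(v) for v in image(run_M, alpha, n))

def implies(f, g, n=25):
    """The implication (f => g) is valid on the finite domain."""
    return all(g(v) for v in valuations(n) if f(v))
```

On the finite domain both formulas pass (i), delta implies the weaker one, and the converse fails, which is why y ≤ x cannot satisfy condition (ii).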

The following lemma shows some simple properties of the strongest postcondition.

Lemma 3.3. Let 𝔄 be a data structure such that the predicate = is interpreted as identity.
(a) The following formulas are valid in 𝔄:
(1) (α ∨ β)M ≡ (αM ∨ βM),
(2) (α ∧ β)M ⇒ (αM ∧ βM),
(3) α begin M; M′ end ≡ ((αM)M′),
(4) α if γ then M else M′ fi ≡ ((α ∧ γ)M ∨ (α ∧ ∼γ)M′).
(b) If 𝔄 ⊨ (α ⇒ β), then 𝔄 ⊨ (αM ⇒ βM).

Proof. Let v be an arbitrary valuation in 𝔄.
(1) 𝔄, v ⊨ (α ∨ β)M iff
there exists v′ such that 𝔄, v′ ⊨ (α ∨ β) and $M_{\mathfrak{A}}(v') = v$ iff
there exists v′ such that 𝔄, v′ ⊨ α and $M_{\mathfrak{A}}(v') = v$, or there exists a valuation v″ such that 𝔄, v″ ⊨ β and $M_{\mathfrak{A}}(v'') = v$ iff
𝔄, v ⊨ αM or 𝔄, v ⊨ βM iff
𝔄, v ⊨ (αM ∨ βM).
The validity of formulas (2) and (4) can be proved analogously.
(3) 𝔄, v ⊨ α begin M; M′ end iff
there exists a valuation v′ such that 𝔄, v′ ⊨ α and $v = (\mathbf{begin}\ M;\ M'\ \mathbf{end})_{\mathfrak{A}}(v')$ iff
there exist a valuation v′ and a valuation v″ such that 𝔄, v′ ⊨ α and $M_{\mathfrak{A}}(v') = v''$, $M'_{\mathfrak{A}}(v'') = v$ iff
there exists a valuation v″ such that 𝔄, v″ ⊨ αM and $M'_{\mathfrak{A}}(v'') = v$ iff
𝔄, v ⊨ (αM)M′.
(b) Suppose that for every valuation v,
𝔄, v ⊨ (α ⇒ β).
If 𝔄, v ⊨ αM, then there exists a valuation v′ such that 𝔄, v′ ⊨ α and $v = M_{\mathfrak{A}}(v')$. According to the assumption, if 𝔄, v′ ⊨ α, then 𝔄, v′ ⊨ β. Hence there exists a valuation v′ such that 𝔄, v′ ⊨ β and $v = M_{\mathfrak{A}}(v')$. Thus 𝔄, v ⊨ βM. This proves that for every v in 𝔄, 𝔄, v ⊨ (αM ⇒ βM), i.e. 𝔄 ⊨ (αM ⇒ βM). □

The weakest precondition

Definition 3.2. The weakest precondition (cf. Chapter I) of a formula $\alpha$ with respect to the program $M$ is a formula $\delta$ such that for every data structure $\mathfrak{A}$
(i) $\mathfrak{A} \models (\delta \Rightarrow M\alpha)$ (i.e. $\delta$ is a precondition),
(ii) for every formula $\beta$, if $\mathfrak{A} \models (\beta \Rightarrow M\alpha)$, then $\mathfrak{A} \models (\beta \Rightarrow \delta)$
(i.e. $\delta$ is the weakest precondition). □

Obviously, the formula $M\alpha$ satisfies both conditions (i) and (ii) and therefore $M\alpha$ is the weakest precondition.
The notion of weakest precondition is dual to the notion of the strongest postcondition, since the formula $M\alpha$ describes the maximal set of (data) valuations for which the program $M$ has a finite computation with result satisfying the formula $\alpha$.
Below, we shall mention some of the properties of the weakest precondition.

Lemma 3.4.
(a) In every data structure $\mathfrak{A}$ the following formulas are valid:
(1) $\mathbf{begin}\ M; M'\ \mathbf{end}\ \alpha \equiv M(M'\alpha)$,
(2) $\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{else}\ M'\ \mathbf{fi}\ \alpha \equiv ((\gamma \wedge M\alpha) \vee (\sim\gamma \wedge M'\alpha))$,
(3) $M(\alpha \vee \beta) \equiv (M\alpha \vee M\beta)$,
(4) $M(\alpha \wedge \beta) \equiv (M\alpha \wedge M\beta)$.
(b) If the formula $(\alpha \Rightarrow \beta)$ is valid in a data structure $\mathfrak{A}$, then the formula $(M\alpha \Rightarrow M\beta)$ is valid in $\mathfrak{A}$.
Proof.
(a)
(1) Let $v$ be a valuation in a data structure $\mathfrak{A}$.
$\mathfrak{A}, v \models \mathbf{begin}\ M; M'\ \mathbf{end}\ \alpha$ iff
there exists a valuation $v'$ such that $(\mathbf{begin}\ M; M'\ \mathbf{end})_{\mathfrak{A}}(v) = v'$ and $\mathfrak{A}, v' \models \alpha$ iff
there exist valuations $v', v''$ such that $M_{\mathfrak{A}}(v) = v''$, $M'_{\mathfrak{A}}(v'') = v'$ and $\mathfrak{A}, v' \models \alpha$ iff
there exists a valuation $v''$ such that $v'' = M_{\mathfrak{A}}(v)$ and $\mathfrak{A}, v'' \models M'\alpha$ iff
$\mathfrak{A}, v \models M(M'\alpha)$.
The analogous proofs of (2), (3) and (4) are omitted (see also Example 2.4).
(b) Let us assume that
$\mathfrak{A} \models (\alpha \Rightarrow \beta)$.
If $\mathfrak{A}, v \models M\alpha$ for some valuation $v$, then by the definition of semantics there exists a valuation $v'$ such that
$M_{\mathfrak{A}}(v) = v'$ and $\mathfrak{A}, v' \models \alpha$.
Hence there exists a valuation $v'$ such that $M_{\mathfrak{A}}(v) = v'$ and $\mathfrak{A}, v' \models \beta$, i.e. $\mathfrak{A}, v \models M\beta$.
As a consequence
$\mathfrak{A} \models (M\alpha \Rightarrow M\beta)$. □

Correctness
Definition 3.3. Program $M$ is correct with respect to an input formula $\alpha$ and an output formula $\beta$ in a data structure $\mathfrak{A}$ iff the formula $(\alpha \Rightarrow M\beta)$ is valid in $\mathfrak{A}$. □

Definition 3.4. Program $M$ is partially correct with respect to an input formula $\alpha$ and an output formula $\beta$ in a data structure $\mathfrak{A}$ iff $\mathfrak{A} \models ((\alpha \wedge M\,\mathbf{true}) \Rightarrow M\beta)$. □

Example 3.3. The following program is partially correct, but not correct, with respect to the input formula $(z = x \wedge y = u)$ and the output formula $z = (x + u)$ in the data structure $\mathfrak{A}$ (cf. Example 3.2):
$\mathbf{while}\ y \neq 0\ \mathbf{do}\ z := z + 1;\ y := y - 1\ \mathbf{od}$.
For every valuation $v$ in the data structure $\mathfrak{A}$, if $v(z) = v(x)$, $v(y) = v(u)$ and the program under consideration terminates, then $v(y)$ is a natural number and obviously the result of the computation satisfies the formula $z = (x + u)$. For a negative $v(y)$ the program does not terminate, so the implication $(\alpha \Rightarrow M\beta)$ fails. □

Lemma 3.5. Let us denote by $L_{=}$ an algorithmic language with the binary relation $=$, and let $\mathfrak{A}$ be a data structure for $L_{=}$ such that $=$ is interpreted as an identity relation. A program $M$ in the language $L_{=}$ is partially correct with respect to an input formula $\alpha$ and an output formula $\beta$ iff $\mathfrak{A} \models (\alpha M \Rightarrow \beta)$.
Proof. By Definition 3.4 it is sufficient to prove that the following condition holds:
$\mathfrak{A} \models (\alpha M \Rightarrow \beta)$ iff $\mathfrak{A} \models ((M\,\mathbf{true} \wedge \alpha) \Rightarrow M\beta)$.
Let $\mathfrak{A} \models (\alpha M \Rightarrow \beta)$ and let $v$ be an arbitrary valuation. If $\mathfrak{A}, v \models (M\,\mathbf{true} \wedge \alpha)$, then $\mathfrak{A}, v \models \alpha$ and there exists a valuation $v'$ such that
$M_{\mathfrak{A}}(v) = v'$.
Hence, there exists a valuation $v'$ such that $\mathfrak{A}, v' \models \alpha M$ and $v' = M_{\mathfrak{A}}(v)$.
Since $\mathfrak{A} \models (\alpha M \Rightarrow \beta)$, we have $\mathfrak{A}, v' \models \beta$, and therefore $\mathfrak{A}, v \models M\beta$.
Conversely, assume that
$\mathfrak{A} \models ((M\,\mathbf{true} \wedge \alpha) \Rightarrow M\beta)$.
If for a valuation $v$, $\mathfrak{A}, v \models \alpha M$, then there exists a valuation $v'$ such that $\mathfrak{A}, v' \models \alpha$ and $M_{\mathfrak{A}}(v') = v$. Hence there exists a valuation $v'$ such that
$\mathfrak{A}, v' \models (M\,\mathbf{true} \wedge \alpha)$ and $M_{\mathfrak{A}}(v') = v$.
By assumption, $\mathfrak{A}, v' \models M\beta$, and since $M_{\mathfrak{A}}(v') = v$,
$\mathfrak{A}, v \models \beta$. As a result, $\mathfrak{A} \models (\alpha M \Rightarrow \beta)$. □
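The following Python program is an added illustration and is not part of the book. It interprets the deterministic iterative programs of this chapter over the integers and evaluates $M\alpha$ (the program terminates and its result satisfies $\alpha$) and $\alpha M$ (the strongest postcondition) on a finite set of valuations, so that Definitions 3.3 and 3.4, Example 3.3 and the equivalence of Lemma 3.5 can be checked mechanically. The loop budget that stands in for non-termination, the nested-tuple encoding of programs and the constructed finite domain of valuations are assumptions of this example; a check over a finite domain can refute a claim about $\mathfrak{A}$ but cannot prove it for the whole structure.

```python
from itertools import product

# Program syntax as nested tuples (the iterative programs of Chapter II):
#   ('assign', x, f)     x := f(v), where f maps a valuation to the new value
#   ('seq', M1, M2)      begin M1; M2 end
#   ('if', g, M1, M2)    if g then M1 else M2 fi, g an open formula
#   ('while', g, M)      while g do M od
# A valuation is a dict {variable: int}; a formula is a predicate on valuations.

FUEL = 60  # loop budget: a run that exhausts it is treated as non-terminating


def run(prog, v, fuel=FUEL):
    """M_A(v): the result valuation, or None if the computation is infinite
    (approximated by the loop budget; this cut-off is an assumption of the demo)."""
    kind = prog[0]
    if kind == 'assign':
        _, x, f = prog
        return dict(v, **{x: f(v)})
    if kind == 'seq':
        w = run(prog[1], v, fuel)
        return None if w is None else run(prog[2], w, fuel)
    if kind == 'if':
        _, g, m1, m2 = prog
        return run(m1 if g(v) else m2, v, fuel)
    if kind == 'while':
        _, g, body = prog
        while g(v):
            if fuel == 0:
                return None
            fuel -= 1
            v = run(body, v, fuel)
            if v is None:
                return None
        return v
    raise ValueError(kind)


def box(prog, alpha, v):
    """A, v |= M alpha: M terminates from v and its result satisfies alpha."""
    w = run(prog, v)
    return w is not None and alpha(w)


def sp(prog, alpha, v, domain):
    """A, v |= alpha M (strongest postcondition): some v' in `domain` satisfies
    alpha and M_A(v') = v.  Existence is checked over the finite `domain` only."""
    return any(alpha(u) and run(prog, u) == v for u in domain)


def correct(prog, alpha, beta, domain):
    """Definition 3.3 on `domain`: alpha => M beta (termination included)."""
    return all(box(prog, beta, v) for v in domain if alpha(v))


def partially_correct(prog, alpha, beta, domain):
    """Definition 3.4 on `domain`: (alpha and M true) => M beta."""
    true = lambda _: True
    return all(box(prog, beta, v) for v in domain if alpha(v) and box(prog, true, v))


def sp_implies(prog, alpha, beta, domain):
    """Lemma 3.5's right-hand side: alpha M => beta, on every valuation that is
    the result of running M from a valuation of `domain`."""
    results = [w for u in domain if (w := run(prog, u)) is not None]
    return all(beta(v) for v in results if sp(prog, alpha, v, domain))


# Example 3.3:  while y <> 0 do z := z + 1; y := y - 1 od, over the integers.
EX33 = ('while', lambda v: v['y'] != 0,
        ('seq', ('assign', 'z', lambda v: v['z'] + 1),
                ('assign', 'y', lambda v: v['y'] - 1)))
alpha33 = lambda v: v['z'] == v['x'] and v['y'] == v['u']   # input formula
beta33 = lambda v: v['z'] == v['x'] + v['u']                  # output formula
# A constructed finite set of valuations; negative u makes the loop diverge.
DOMAIN = [dict(x=x, u=u, y=y, z=z)
          for x, u, y, z in product(range(3), range(-2, 3), range(-2, 3), range(5))]


def example_3_3():
    """(partially correct, correct) for Example 3.3 on DOMAIN: expect (True, False)."""
    return (partially_correct(EX33, alpha33, beta33, DOMAIN),
            correct(EX33, alpha33, beta33, DOMAIN))


def lemma_3_5_agrees(beta):
    """Lemma 3.5 for EX33 and alpha33: (alpha M => beta) iff partial correctness."""
    return (sp_implies(EX33, alpha33, beta, DOMAIN)
            == partially_correct(EX33, alpha33, beta, DOMAIN))
```

`example_3_3()` returns `(True, False)`: every terminating run from a valuation satisfying the input formula ends with $z = x + u$, but the runs with negative $u$ never terminate. `lemma_3_5_agrees` returns `True` both for the output formula of the example and for a formula such as $u > 0$ that the program does not establish, which is the two-sided agreement the lemma states.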

Verification condition

Definition 3.5. By an annotated version of a program we shall understand an expression defined by induction with respect to the length of program as follows:
(i) For all formulas $\alpha, \beta$, the expression $\{\alpha\}s\{\beta\}$ is an annotated version of an assignment instruction $s$.
Let $\hat{M}_1$ and $\hat{M}_2$ be annotated versions of the programs $M_1$ and $M_2$, respectively.
For all formulas $\alpha, \beta$ and every open formula $\gamma$:
(ii) The expression $\{\alpha\}\ \mathbf{if}\ \gamma\ \mathbf{then}\ \hat{M}_1\ \mathbf{else}\ \hat{M}_2\ \mathbf{fi}\ \{\beta\}$ is an annotated version of the program $\mathbf{if}\ \gamma\ \mathbf{then}\ M_1\ \mathbf{else}\ M_2\ \mathbf{fi}$.
(iii) The expression $\{\alpha\}\ \mathbf{while}\ \gamma\ \mathbf{do}\ \hat{M}_1\ \mathbf{od}\ \{\beta\}$ is an annotated version of the program $\mathbf{while}\ \gamma\ \mathbf{do}\ M_1\ \mathbf{od}$.
(iv) The expression $\{\alpha\}\ \mathbf{begin}\ \hat{M}_1; \hat{M}_2\ \mathbf{end}\ \{\beta\}$ is an annotated version of the program $\mathbf{begin}\ M_1; M_2\ \mathbf{end}$. □

We shall write $\hat{M}$ to denote an annotated version of the program $M$. For short, we shall say that $\hat{M}$ is an annotated program.
Informally, by an annotated program we shall mean a modification of a program such that every instruction is provided with two comment-conditions. The intuition is that they describe the properties of states before and after execution of an instruction. We shall call them the precondition and the postcondition.

Example 3.4. The following expression $\hat{M}$ is an annotated version of the program $M$ described in Example 3.2:
$(\alpha_1)$ $\{y = 1 \wedge z = x \wedge x > 0 \wedge i = 0\}$
begin
$(\alpha_2)$ $\{y = 2i + 1 \wedge z = x - i^2 \wedge x > 0 \wedge i \geq 0\}$
while $z - y > 0$ do
$(\alpha_3)$ $\{z > y \wedge z = x - i^2 \wedge y = 2i + 1 \wedge x > 0 \wedge i \geq 0\}$
$i := i + 1;$
$(\alpha_4)$ $\{z > y \wedge z = x - (i - 1)^2 \wedge y = 2i - 1 \wedge x > 0 \wedge i > 0\}$
$z := z - y;$
$(\alpha_5)$ $\{z > 0 \wedge z = x - (i - 1)^2 - (2i - 1) \wedge y = 2i - 1 \wedge x > 0 \wedge i > 0\}$
$y := y + 2;$
$(\alpha_6)$ $\{x > 0 \wedge i \geq 0 \wedge z > 0 \wedge y = 2i + 1 \wedge z = x - (i - 1)^2 - (2i - 1)\}$
od;
$(\alpha_7)$ $\{z \leq y \wedge y = 2i + 1 \wedge z = x - i^2 \wedge x > 0 \wedge i \geq 0\}$
$(\alpha_8)$ $\{x - i^2 \leq 2i + 1 \wedge z = x - i^2 \wedge y = 2i + 1\}$
if $z = y$ then
$(\alpha_9)$ $\{x - i^2 = 2i + 1 \wedge z = x - i^2\}$
$y := 0$
$(\alpha_{10})$ $\{y = 0 \wedge x = (i + 1)^2\}$
else
$(\alpha_{11})$ $\{i^2 \leq x < (i + 1)^2 \wedge z = x - i^2\}$
$y := z$
$(\alpha_{12})$ $\{y = x - i^2 \wedge i^2 \leq x < (i + 1)^2\}$
fi
$(\alpha_{13})$ $\{y = x - [\sqrt{x}]^2\}$
end
$(\alpha_{14})$ $\{y = x - [\sqrt{x}]^2\}$
In this example, formulas $(\alpha_2)$ to $(\alpha_6)$ can be repeated in order to obtain a version of the annotated program formally corresponding to Definition 3.5. Observe that whenever a computation passes from one instruction to the next, the following property holds: if a formula $\alpha$ written before the instruction $M$ is satisfied by a state preceding the execution of the instruction $M$, then the formula appearing after the instruction $M$ is satisfied by the state resulting from the previous one after execution of the instruction $M$; cf. the formulas
$(\alpha_3 \Rightarrow (i := i + 1)\alpha_4)$,
$((\alpha_2 \wedge z - y \leq 0) \Rightarrow \alpha_7)$. □
Definition 3.6. By the verification condition of an annotated program $\hat{M}$ we shall understand the formula $VC(\hat{M})$ defined by induction as follows:
(i) If $\hat{M}$ is of the form $\{\alpha\}s\{\beta\}$ where $s$ is an assignment instruction and $\alpha, \beta$ are arbitrary formulas, then $VC(\hat{M}) = (\alpha \Rightarrow s\beta)$.
For $i = 1, 2$, let $\hat{M}_i$ be an annotated program with the precondition $\alpha_i$ and the postcondition $\beta_i$.
(ii) If $\hat{M}$ is of the form $\{\alpha\}\ \mathbf{if}\ \gamma\ \mathbf{then}\ \hat{M}_1\ \mathbf{else}\ \hat{M}_2\ \mathbf{fi}\ \{\beta\}$, then
$VC(\hat{M}) = VC(\hat{M}_1) \wedge VC(\hat{M}_2) \wedge ((\alpha \wedge \gamma) \Rightarrow \alpha_1) \wedge ((\alpha \wedge \sim\gamma) \Rightarrow \alpha_2) \wedge ((\beta_1 \vee \beta_2) \Rightarrow \beta)$.
(iii) If $\hat{M}$ is of the form $\{\alpha\}\ \mathbf{begin}\ \hat{M}_1; \hat{M}_2\ \mathbf{end}\ \{\beta\}$, then
$VC(\hat{M}) = VC(\hat{M}_1) \wedge VC(\hat{M}_2) \wedge (\alpha \Rightarrow \alpha_1) \wedge (\beta_1 \Rightarrow \alpha_2) \wedge (\beta_2 \Rightarrow \beta)$.
(iv) If $\hat{M}$ is of the form $\{\alpha\}\ \mathbf{while}\ \gamma\ \mathbf{do}\ \hat{M}_1\ \mathbf{od}\ \{\beta\}$, then
$VC(\hat{M}) = VC(\hat{M}_1) \wedge (((\alpha \vee \beta_1) \wedge \gamma) \Rightarrow \alpha_1) \wedge (((\alpha \vee \beta_1) \wedge \sim\gamma) \Rightarrow \beta)$. □

Definition 3.7. The verification condition $VC(\hat{M})$ of an annotated program $\hat{M}$ is proper in a data structure $\mathfrak{A}$ if and only if $VC(\hat{M})$ is valid in $\mathfrak{A}$. □

Example 3.5. A. Let us consider the following annotated program:
$\{n < 0\}$
$n := n \cdot n$
$\{n > 0\}$.
Its verification condition is the formula
$(n < 0 \Rightarrow (n := n \cdot n)\ n > 0)$.
This verification condition is proper in the structure of integers with the usual interpretation of the predicates $<$, $>$ and functors $\cdot$, $0$. Note that it is not proper in the structure of integers if the functor $\cdot$ is interpreted as addition.
B. The verification condition of the annotated program $\hat{M}$ of Example 3.4 is as follows:
$VC(\hat{M}) = (\alpha_1 \Rightarrow \alpha_2) \wedge (\alpha_7 \Rightarrow \alpha_8) \wedge (\alpha_{13} \Rightarrow \alpha_{14}) \wedge$
$\wedge (\alpha_5 \Rightarrow (y := y + 2)\alpha_6) \wedge (\alpha_3 \Rightarrow (i := i + 1)\alpha_4) \wedge$
$\wedge (\alpha_4 \Rightarrow (z := z - y)\alpha_5) \wedge (((\alpha_2 \vee \alpha_6) \wedge z - y > 0) \Rightarrow \alpha_3) \wedge$
$\wedge (((\alpha_2 \vee \alpha_6) \wedge z - y \leq 0) \Rightarrow \alpha_7) \wedge$
$\wedge (\alpha_9 \Rightarrow (y := 0)\alpha_{10}) \wedge (\alpha_{11} \Rightarrow (y := z)\alpha_{12}) \wedge$
$\wedge ((\alpha_8 \wedge z = y) \Rightarrow \alpha_9) \wedge ((\alpha_8 \wedge z \neq y) \Rightarrow \alpha_{11}) \wedge$
$\wedge ((\alpha_{10} \vee \alpha_{12}) \Rightarrow \alpha_{13})$. □
A

Lemma 3.6. Let $\hat{M}$ be an annotated version of a program $M$ with the precondition $\alpha$ and the postcondition $\beta$, and let $\mathfrak{A}$ be an arbitrary data structure.
If the verification condition $VC(\hat{M})$ is proper in the structure $\mathfrak{A}$, then the program $M$ is partially correct with respect to the input formula $\alpha$ and the output formula $\beta$, i.e.
(1) $\mathfrak{A} \models VC(\hat{M})$ implies $\mathfrak{A} \models ((\alpha \wedge M\,\mathbf{true}) \Rightarrow M\beta)$.
Proof. We shall proceed by induction with respect to the length of the program $M$.
Implication (1) is obvious when $M$ is an assignment instruction (cf. Definition 3.6).
Let us assume that (1) has been proved for the annotated program $\hat{M}_i$ with the precondition $\alpha_i$ and the postcondition $\beta_i$, where $i = 1, 2$.
Let us consider the annotated program $\hat{M}$ of the form $\{\alpha\}\ \mathbf{if}\ \gamma\ \mathbf{then}\ \hat{M}_1\ \mathbf{else}\ \hat{M}_2\ \mathbf{fi}\ \{\beta\}$.
Suppose that for a data structure $\mathfrak{A}$,
(2) $\mathfrak{A} \models VC(\hat{M})$
and non $\mathfrak{A} \models ((\alpha \wedge M\,\mathbf{true}) \Rightarrow M\beta)$. Hence there exists a valuation $v$ in $\mathfrak{A}$ such that $\mathfrak{A}, v \models (\alpha \wedge M\,\mathbf{true})$ and $\mathfrak{A}, v \models \sim M\beta$. This means that there exists a finite computation of the program $M$ from the valuation $v$ with the result $v'$ such that
(3) $\mathfrak{A}, v \models \alpha$
and
(4) non $\mathfrak{A}, v' \models \beta$.
By the inductive assumption and (2)
(5) $\mathfrak{A} \models ((\alpha_1 \wedge M_1\,\mathbf{true}) \Rightarrow M_1\beta_1)$,
$\mathfrak{A} \models ((\alpha_2 \wedge M_2\,\mathbf{true}) \Rightarrow M_2\beta_2)$,
(6) $\mathfrak{A} \models ((\alpha \wedge \gamma) \Rightarrow \alpha_1) \wedge ((\alpha \wedge \sim\gamma) \Rightarrow \alpha_2) \wedge ((\beta_1 \vee \beta_2) \Rightarrow \beta)$.
By (3) and (6), $\mathfrak{A}, v \models \alpha_1$ when $\mathfrak{A}, v \models \gamma$ and $\mathfrak{A}, v \models \alpha_2$ otherwise; since moreover $\mathfrak{A}, v \models M\,\mathbf{true}$, we have
$\mathfrak{A}, v \models M_1\,\mathbf{true}$ and $\mathfrak{A}, v \models \gamma$ and $v' = M_{1\mathfrak{A}}(v)$
or
$\mathfrak{A}, v \models M_2\,\mathbf{true}$ and $\mathfrak{A}, v \models \sim\gamma$ and $v' = M_{2\mathfrak{A}}(v)$.
Thus by (5)
$\mathfrak{A}, v' \models \beta_1$ or $\mathfrak{A}, v' \models \beta_2$.
As a consequence of (6), $\mathfrak{A}, v' \models \beta$, which contradicts assumption (4). Hence
$\mathfrak{A} \models ((\alpha \wedge M\,\mathbf{true}) \Rightarrow M\beta)$.
The remaining cases can be discussed analogously. □
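Definition 3.6 is mechanical enough to implement. The Python program below is an added illustration and is not part of the book: it generates $VC(\hat{M})$ for an annotated program given as a nested tuple (with pre- and postconditions as predicates on valuations) and checks its conjuncts on a constructed finite set of valuations, reproducing Example 3.5 A and the annotated square-root program of Examples 3.4 and 3.5 B. Two departures from the book are assumptions of this example: the invariant of the square-root program is strengthened by $z \geq 0$, and $i \geq 0$ is carried into $\alpha_{10}$ to $\alpha_{12}$, because without them the conjunct $((\alpha_8 \wedge z \neq y) \Rightarrow \alpha_{11})$ does not yield $i^2 \leq x$. The function `residue` runs the program itself and illustrates the conclusion of Lemma 3.6. As in any check over a finite domain, a failing conjunct is a genuine counter-example, while a pass only covers the valuations enumerated.

```python
from itertools import product
from math import isqrt

# Annotated programs (Definition 3.5); pre- and postconditions are predicates
# on valuations (dicts {variable: int}):
#   ('assign', pre, x, f, post)      {pre} x := f(v) {post}
#   ('if', pre, g, M1, M2, post)     {pre} if g then M1 else M2 fi {post}
#   ('seq', pre, M1, M2, post)       {pre} begin M1; M2 end {post}
#   ('while', pre, g, M1, post)      {pre} while g do M1 od {post}
pre = lambda m: m[1]
post = lambda m: m[-1]


def implies(a, b):
    return lambda v: (not a(v)) or b(v)


def vc(m):
    """VC(M) of Definition 3.6 as a list of conjuncts, each a predicate on valuations."""
    kind, a, b = m[0], pre(m), post(m)
    if kind == 'assign':
        _, _, x, f, _ = m
        # (alpha => s beta): execute the assignment s and test beta on the result
        return [implies(a, lambda v: b(dict(v, **{x: f(v)})))]
    if kind == 'if':
        _, _, g, m1, m2, _ = m
        return vc(m1) + vc(m2) + [
            implies(lambda v: a(v) and g(v), pre(m1)),
            implies(lambda v: a(v) and not g(v), pre(m2)),
            implies(lambda v: post(m1)(v) or post(m2)(v), b)]
    if kind == 'seq':
        _, _, m1, m2, _ = m
        return vc(m1) + vc(m2) + [
            implies(a, pre(m1)), implies(post(m1), pre(m2)), implies(post(m2), b)]
    if kind == 'while':
        _, _, g, m1, _ = m
        either = lambda v: a(v) or post(m1)(v)          # (alpha or beta_1)
        return vc(m1) + [implies(lambda v: either(v) and g(v), pre(m1)),
                         implies(lambda v: either(v) and not g(v), b)]
    raise ValueError(kind)


def proper(m, domain):
    """Definition 3.7 restricted to `domain`: every conjunct of VC(M) holds on
    every valuation enumerated (refutation-sound, not a proof for all of A)."""
    return all(c(v) for c in vc(m) for v in domain)


def example_3_5a(dot_is_product):
    """{n < 0} n := n . n {n > 0}: proper when '.' is multiplication, not when
    the same functor is read as addition (Example 3.5 A)."""
    dot = (lambda v: v['n'] * v['n']) if dot_is_product else (lambda v: v['n'] + v['n'])
    m = ('assign', lambda v: v['n'] < 0, 'n', dot, lambda v: v['n'] > 0)
    return proper(m, [{'n': n} for n in range(-6, 7)])


def sqrt_program():
    """Example 3.4 annotated with the invariant
    I := y = 2i+1 and z = x - i^2 and x > 0 and i >= 0 and z >= 0
    (the book's alpha_2 strengthened by z >= 0, an adjustment made here)."""
    X, Y, Z, I = (lambda v: v['x']), (lambda v: v['y']), (lambda v: v['z']), (lambda v: v['i'])
    inv = lambda v: Y(v) == 2*I(v) + 1 and Z(v) == X(v) - I(v)**2 and X(v) > 0 and I(v) >= 0 and Z(v) >= 0
    a1 = lambda v: Y(v) == 1 and Z(v) == X(v) and X(v) > 0 and I(v) == 0
    a3 = lambda v: inv(v) and Z(v) > Y(v)
    a4 = lambda v: Z(v) > Y(v) and Z(v) == X(v) - (I(v) - 1)**2 and Y(v) == 2*I(v) - 1 and X(v) > 0 and I(v) > 0
    a5 = lambda v: Z(v) > 0 and Z(v) == X(v) - (I(v) - 1)**2 - (2*I(v) - 1) and Y(v) == 2*I(v) - 1 and X(v) > 0 and I(v) > 0
    a7 = lambda v: inv(v) and Z(v) <= Y(v)
    a9 = lambda v: inv(v) and Z(v) == Y(v)
    a10 = lambda v: Y(v) == 0 and X(v) == (I(v) + 1)**2 and I(v) >= 0
    a11 = lambda v: inv(v) and Z(v) < Y(v)
    a12 = lambda v: Y(v) == X(v) - I(v)**2 and I(v)**2 <= X(v) < (I(v) + 1)**2 and I(v) >= 0
    a13 = lambda v: X(v) >= 0 and Y(v) == X(v) - isqrt(X(v))**2   # y = x - [sqrt x]^2
    body = ('seq', a3, ('assign', a3, 'i', lambda v: I(v) + 1, a4),
            ('seq', a4, ('assign', a4, 'z', lambda v: Z(v) - Y(v), a5),
                        ('assign', a5, 'y', lambda v: Y(v) + 2, inv), inv), inv)
    loop = ('while', inv, lambda v: Z(v) - Y(v) > 0, body, a7)
    branch = ('if', a7, lambda v: Z(v) == Y(v),
              ('assign', a9, 'y', lambda v: 0, a10),
              ('assign', a11, 'y', lambda v: Z(v), a12), a13)
    return ('seq', a1, loop, branch, a13)


# Constructed finite domain on which VC(sqrt_program()) is checked.
SQRT_DOMAIN = [dict(x=x, y=y, z=z, i=i)
               for x, y, z, i in product(range(-1, 11), range(0, 8), range(-2, 11), range(0, 4))]


def residue(x):
    """Runs the program of Example 3.4 itself (a direct transcription) from a
    valuation satisfying alpha_1 and returns the final y (Lemma 3.6: y = x - [sqrt x]^2)."""
    y, z, i = 1, x, 0
    while z - y > 0:
        i, z, y = i + 1, z - y, y + 2
    return 0 if z == y else z
```

`example_3_5a(True)` is `True` and `example_3_5a(False)` is `False`, which is the observation of Example 3.5 A that a verification condition is proper relative to an interpretation of the functors. `proper(sqrt_program(), SQRT_DOMAIN)` is `True`, and `residue(x)` agrees with $x - [\sqrt{x}]^2$ for every $x > 0$ tried, as Lemma 3.6 predicts for a program whose verification condition is proper.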

4. PROPERTIES OF THE SEMANTIC CONSEQUENCE OPERATION

Definition 4.1. We shall say that a data structure $\mathfrak{A}$ is a model for the set of formulas $Z$, for short $\mathfrak{A} \models Z$, iff for every formula $\alpha \in Z$, $\alpha$ is valid in the structure $\mathfrak{A}$, $\mathfrak{A} \models \alpha$.

Example 4.1. Let $Z$ be a set which consists of all formulas of the form
(1) $(M\sim\alpha \Rightarrow \sim M\alpha)$,
where $M$ is a program and $\alpha$ is a formula.
Let $\mathfrak{A}$ be an arbitrary data structure and $v$ a valuation in $\mathfrak{A}$.
Suppose $\mathfrak{A}, v \models M\sim\alpha$ and non $\mathfrak{A}, v \models \sim M\alpha$. Hence $\mathfrak{A}, v \models M\sim\alpha$ and $\mathfrak{A}, v \models M\alpha$. Then there exists a finite computation of the program $M$ such that its result satisfies the formula $\alpha$ and the formula $\sim\alpha$, which is a contradiction. Hence for every valuation $v$
$\mathfrak{A}, v \models M\sim\alpha$ implies $\mathfrak{A}, v \models \sim M\alpha$.
Thus, every data structure $\mathfrak{A}$ is a model for the set of formulas $Z$.
For our next example let us take as $Z$ the set
(2) $\{\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true},\ \bigcap M\gamma\}$,
where $\gamma$ is an open formula, and $M$ is a program. We shall prove that there is no model for the set $Z$.
Let $\mathfrak{A}$ be a data structure and let $v$ be a fixed valuation. If $\mathfrak{A}, v \models \bigcap M\gamma$, then according to the definition of semantics (cf. § 2), every time we execute the program $M$, the obtained valuation $M^i_{\mathfrak{A}}(v)$, $i \in N$, satisfies the formula $\gamma$. Hence the program $\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}$ has an infinite computation in the data structure $\mathfrak{A}$ starting from the valuation $v$. Thus $(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od})_{\mathfrak{A}}(v)$ is not defined. In consequence, $v$ does not satisfy the formula
$\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true}$
and therefore $Z$ has no model.
For our third example let $AR$ be the set which consists of the three formulas
$\sim \mathrm{succ}(x) = 0$,
(3) $(\mathrm{succ}(x) = \mathrm{succ}(y) \Rightarrow x = y)$,
$(x := 0)(\mathbf{while}\ x \neq y\ \mathbf{do}\ x := \mathrm{succ}(x)\ \mathbf{od}\ x = y)$,
where succ is a one-argument functor, $0$ is a constant, $=$ is a binary predicate and $x, y$ are individual variables.
Let $\mathfrak{N}$ be a data structure such that its universe is the set of natural numbers $N$ and
$\mathrm{succ}_{\mathfrak{N}}(n) = n + 1$ for $n \in N$,
$=$ is the identity relation in $N$,
$0_{\mathfrak{N}} = 0$.
Obviously $\mathfrak{N}$ is a model of the set $AR$. The first formula states that 0 is not the successor of any natural number; the second formula ensures that successors of different natural numbers are different natural numbers, and the third formula states that every natural number is obtained from 0 by applying the successor operation a finite number of times. □
Definition 4.2. We shall say that a formula $\alpha$ is a semantic consequence of the set of formulas $Z$, for short $Z \models \alpha$, iff $\alpha$ is valid in every model of $Z$. In other words, for every data structure $\mathfrak{A}$, $\mathfrak{A} \models Z$ implies $\mathfrak{A} \models \alpha$. □

Example 4.2. Let us consider the set of formulas $Z$,
$Z = \{(M'(M^i\alpha) \Rightarrow \beta)\}_{i \in N}$.
We shall show that the formula $\delta$,
$\delta = (M'\bigcup M\alpha \Rightarrow \beta)$,
is a semantic consequence of $Z$.
Let $\mathfrak{A}$ be a model of $Z$ and suppose that for some valuation $v$ we have
non $\mathfrak{A}, v \models (M'\bigcup M\alpha \Rightarrow \beta)$.
Hence
(4) $\mathfrak{A}, v \models M'\bigcup M\alpha$
and
(5) $\mathfrak{A}, v \models \sim\beta$.
By the definition of semantics (cf. § 2) and by (4)
$\mathrm{l.u.b.}_{i \in N}\,(M^i\alpha)_{\mathfrak{A}}(v') = 1$ for $v' = M'_{\mathfrak{A}}(v)$,
i.e., there exists a natural number $i_0$ such that
$\mathfrak{A}, v' \models M^{i_0}\alpha$.
Thus by (5),
$\mathfrak{A}, v \models \sim(M'(M^{i_0}\alpha) \Rightarrow \beta)$.
This contradicts the assumption that $\mathfrak{A}$ is a model of the set $Z$. □

Definition 4.3. By the semantic consequence operation we shall understand an operation $Cn$ which assigns to every set of formulas $Z$ the set $Cn(Z)$ of all formulas $\alpha$ such that $Z \models \alpha$. □

The following lemma shows some of the properties of the semantic consequence operation.

Lemma 4.1. For arbitrary sets of formulas $Z$ and $Z'$ the following properties hold:
(i) $Z \subset Cn(Z)$,
(ii) if $Z \subset Z'$, then $Cn(Z) \subset Cn(Z')$,
(iii) $Cn(Cn(Z)) = Cn(Z)$.
Proof.
(i) This property is an immediate consequence of Definition 4.3.
(ii) Suppose $\alpha \in Cn(Z)$ and $Z \subset Z'$. Then every model of $Z$ is a model of $\{\alpha\}$ and every model of $Z'$ is a model of $Z$. Hence $Z' \models \alpha$ and therefore $\alpha \in Cn(Z')$.
(iii) By the first two properties
$Cn(Z) \subset Cn(Cn(Z))$.
To prove the converse, let $\alpha \in Cn(Cn(Z))$.
Let $\mathfrak{A}$ be a model for the set $Z$. The structure $\mathfrak{A}$ is then a model of the set $Cn(Z)$. Since $\alpha \in Cn(Cn(Z))$, the formula $\alpha$ is valid in $\mathfrak{A}$. Hence $Z \models \alpha$, i.e. $\alpha \in Cn(Z)$. □

Lemma 4.1 juxtaposes the properties of the semantic consequence operation which are analogous to those of the classical consequence operation. We now indicate some of the differences.
One of the basic results of classical logic is the Compactness Theorem, which states that if $Z$ is a set of formulas such that each of its finite subsets has a model, then the set $Z$ also has a model.
The following considerations show that this result fails for the semantic consequence operation defined here.

Example 4.3. Let $Z$ be the set of formulas
$Z = \{(x := 0)((x := \mathrm{succ}(x))^i\ 0 \leq x\}_{i \in N}$
and let $\alpha$ be the formula $(x := 0)\bigcap(x := \mathrm{succ}(x))\ 0 \leq x$, where $0$ is a constant, succ is a one-argument functor and $0 \leq$ is a one-argument predicate.
We shall prove that $Z \models \alpha$, but that there is no finite subset $Z_0 \subset Z$ such that $Z_0 \models \alpha$.
Let $\mathfrak{A}$ be a model for the set $Z$; it then follows that for every valuation $v$ and every natural number $i$,
$\mathfrak{A}, v' \models (x := \mathrm{succ}(x))^i\ 0 \leq x$, where $v' = v^x_0$.
Thus
$\mathrm{g.l.b.}_{i \in N}\,(((x := \mathrm{succ}(x))^i\ 0 \leq x)_{\mathfrak{A}}(v') = 1$.
By the definition of semantics we have
$\mathfrak{A}, v \models \alpha$.
Hence the formula $\alpha$ is valid in $\mathfrak{A}$ and therefore $Z \models \alpha$.
Let $Z_I$ be a finite subset of the set $Z$,
$Z_I = \{(x := 0)((x := \mathrm{succ}(x))^i\ 0 \leq x\}_{i \in I}$,
where $I$ is a finite subset of the set of natural numbers $N$.
We shall define a data structure $\mathfrak{A}$ such that
1° the universe of $\mathfrak{A}$ is the set of natural numbers,
2° $0_{\mathfrak{A}} = 0$, $\mathrm{succ}_{\mathfrak{A}}$ is the successor operation in $N$ and $(0 \leq)_{\mathfrak{A}}(n) = 1$ iff $n \in I$.
For all natural numbers $i$, let $v_i$ be a valuation such that
$v_i(x) = i$ and $v_i(z) = v(z)$ for all $z \neq x$.
Thus for every $i \in N$,
$((x := 0)((x := \mathrm{succ}(x))^i\ 0 \leq x)_{\mathfrak{A}}(v) = (((x := \mathrm{succ}(x))^i\ 0 \leq x)_{\mathfrak{A}}(v_0) = (0 \leq x)_{\mathfrak{A}}(v_i)$.
It follows from condition 2° that for every natural number $i$,
$((x := 0)((x := \mathrm{succ}(x))^i\ 0 \leq x)_{\mathfrak{A}}(v) = 1$ iff $i \in I$.
Thus $\mathfrak{A}$ is a model of $Z_I$, and since $I$ is finite the formula $\alpha$ is not valid in $\mathfrak{A}$.
Since every finite subset of $Z$ can be characterized by a corresponding finite subset $I$ of the set of natural numbers, there is no finite subset $Z_0$ such that
$Z_0 \models \alpha$. □

Theorem 4.1. It is not the case that whenever each finite subset of a given set of formulas has a model then the set has a model, i.e. the semantic consequence operation has no compactness property.
Proof. To prove the theorem it is sufficient to consider the set $Z \cup \{\sim\alpha\}$ from the above example: each of its finite subsets has a model, but the set itself has none. □

Another difference between the semantic consequence operation defined here and the classical one concerns the upward Lowenheim-Skolem Theorem (cf. Rasiowa and Sikorski, 1968). This states that if a set of statements has an infinite model, then it has models of any infinite cardinality. The following theorem shows that this fails in the algorithmic case.
Let $AR$ be the set of formulas denoted by (3).

Theorem 4.2 (on categoricity). The set $AR$ has exactly one model up to isomorphism, and it is enumerable.
Proof. Example 4.1 shows that $AR$ has an enumerable model $\mathfrak{N}$ in the set of natural numbers.
Let $\mathfrak{A}$ be any model of the set $AR$. We shall prove that $\mathfrak{A}$ is isomorphic to $\mathfrak{N}$, i.e., there exists a one-to-one mapping $h$ from the set of natural numbers $N$ onto the universe $A$ of the structure $\mathfrak{A}$ such that
$h(0) = 0_{\mathfrak{A}}$,
$h(n + 1) = \mathrm{succ}_{\mathfrak{A}}(h(n))$, for all $n \in N$.
Observe that by the third formula of (3) for every element $a \in A$ there exists a natural number $i$ such that
$\mathrm{succ}^i_{\mathfrak{A}}(0_{\mathfrak{A}}) = a$.
Moreover, if $\mathrm{succ}^i_{\mathfrak{A}}(0_{\mathfrak{A}}) = \mathrm{succ}^j_{\mathfrak{A}}(0_{\mathfrak{A}})$, then $i = j$, by the first two formulas of (3). Hence for every $a \in A$ there exists exactly one natural number $i$ such that
$\mathrm{succ}^i_{\mathfrak{A}}(0_{\mathfrak{A}}) = a$.
Conversely, for every natural number $n$, there exists an element $a \in A$ such that
$\mathrm{succ}^n_{\mathfrak{A}}(0_{\mathfrak{A}}) = a$,
since $\mathrm{succ}_{\mathfrak{A}}$ is an operation in $A$.
Let us take as $h$ the mapping
$h(n) = \mathrm{succ}^n_{\mathfrak{A}}(0_{\mathfrak{A}})$ for all $n \in N$.
It follows from the above that $h$ is a one-to-one mapping from the set $N$ onto the set $A$.
By the definition we have for every $n \in N$,
$h(n + 1) = \mathrm{succ}^{n+1}_{\mathfrak{A}}(0_{\mathfrak{A}}) = \mathrm{succ}_{\mathfrak{A}}(\mathrm{succ}^n_{\mathfrak{A}}(0_{\mathfrak{A}})) = \mathrm{succ}_{\mathfrak{A}}(h(n))$.
Hence $h$ is an isomorphism between $\mathfrak{N}$ and $\mathfrak{A}$. □

Corollary. The set $AR$ has an infinite model and does not have a model of cardinality greater than $\aleph_0$. □

5. AXIOMATIZATION

In this section we shall discuss the problem of the syntactic characterization of the semantic consequence operation. For this purpose we shall introduce axioms and rules of inference which allow us to deduce valid formulas syntactically from valid assumptions. Our aim is to construct a system in which the syntactical process of deduction will be equivalent to the semantic process of validation of formulas.
Let us assume that $\alpha, \beta, \delta$ are arbitrary formulas, $\gamma$ is an open formula, $s$ is an assignment instruction and $M, M'$ are arbitrary programs.
We admit the following schemata of axioms:

Ax1. $((\alpha \Rightarrow \beta) \Rightarrow ((\beta \Rightarrow \delta) \Rightarrow (\alpha \Rightarrow \delta)))$,
Ax2. $(\alpha \Rightarrow (\alpha \vee \beta))$,
Ax3. $(\beta \Rightarrow (\alpha \vee \beta))$,
Ax4. $((\alpha \Rightarrow \delta) \Rightarrow ((\beta \Rightarrow \delta) \Rightarrow ((\alpha \vee \beta) \Rightarrow \delta)))$,
Ax5. $((\alpha \wedge \beta) \Rightarrow \alpha)$,
Ax6. $((\alpha \wedge \beta) \Rightarrow \beta)$,
Ax7. $((\delta \Rightarrow \alpha) \Rightarrow ((\delta \Rightarrow \beta) \Rightarrow (\delta \Rightarrow (\alpha \wedge \beta))))$,
Ax8. $(\alpha \Rightarrow (\beta \Rightarrow \delta)) \equiv ((\alpha \wedge \beta) \Rightarrow \delta)$,
Ax9. $((\alpha \wedge \sim\alpha) \Rightarrow \beta)$,
Ax10. $((\alpha \Rightarrow (\alpha \wedge \sim\alpha)) \Rightarrow \sim\alpha)$,
Ax11. $(\alpha \vee \sim\alpha)$,
Ax12.
Ax13. $s\sim\alpha \equiv \sim s\alpha$,
Ax14. $M(\alpha \wedge \beta) \equiv (M\alpha \wedge M\beta)$,
Ax15. $M(\alpha \vee \beta) \equiv (M\alpha \vee M\beta)$,
Ax16. $\bigcup M\alpha \equiv (\alpha \vee \bigcup M(M\alpha))$,
Ax17. $\bigcap M\alpha \equiv (\alpha \wedge \bigcap M(M\alpha))$,
Ax18. $s((\exists x)\alpha(x)) \equiv (\exists y)(s((x := y)\alpha(x)))$, where $y$ is an individual variable not occurring in $s$ or in $\alpha$,
Ax19. $(((x := \tau)\alpha(x)) \Rightarrow (\exists x)\alpha(x))$, where $\tau$ is a term,
Ax20. $(\forall x)\alpha(x) \equiv \sim(\exists x)\sim\alpha(x)$,
Ax21. $\mathbf{begin}\ M; M'\ \mathbf{end}\ \alpha \equiv M(M'\alpha)$,
Ax22. $\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{else}\ M'\ \mathbf{fi}\ \alpha \equiv ((\gamma \wedge M\alpha) \vee (\sim\gamma \wedge M'\alpha))$,
Ax23. $\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha \equiv ((\sim\gamma \wedge \alpha) \vee (\gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)))$.
We shall denote the set of all axioms by Ax.
The inference rules are as follows:
r1. $\dfrac{\alpha,\ (\alpha \Rightarrow \beta)}{\beta}$,
r2. $\dfrac{(\alpha \Rightarrow \beta)}{(M\alpha \Rightarrow M\beta)}$,
r3. $\dfrac{(M((x := y)\alpha(x)) \Rightarrow \beta)}{(M(\exists x)\alpha(x) \Rightarrow \beta)}$, where $y$ is an individual variable occurring neither in $\alpha$, nor in $\beta$, nor in $M$,
r4. $\dfrac{\{(M'(M^i\alpha) \Rightarrow \beta)\}_{i \in N}}{(M'\bigcup M\alpha \Rightarrow \beta)}$,
r5. $\dfrac{\{(\beta \Rightarrow M'(M^i\alpha))\}_{i \in N}}{(\beta \Rightarrow M'\bigcap M\alpha)}$,
r6. $\dfrac{\{(M'((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\alpha \wedge \sim\gamma)) \Rightarrow \beta)\}_{i \in N}}{(M'(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha) \Rightarrow \beta)}$.

In a rule of inference of the form $Z/\beta$, where $Z$ is a set of formulas and $\beta$ is a formula, $Z$ is called the set of premises and $\beta$ the conclusion.
Note that some of the rules of inference have infinitely many premises; we shall call them ω-rules.
The set of axioms and rules of inference determines the notion of formal proof. In the presence of ω-rules this differs from the classical definition of proof. Intuitively, by a formal proof we understand a tree with all paths of finite length such that the leaves of the tree are labelled by axioms, and the other vertices of the tree are labelled in accordance with the inference rules.
Definition 5.1. By a tree we shall mean a set $D$ of finite sequences of natural numbers called vertices, such that the empty sequence $\emptyset$ is an element of $D$ and if a sequence $c = (i_1, \ldots, i_n) \in D$, then for every $k \leq n$, the sequence $c_k = (i_1, \ldots, i_k)$ is an element of $D$.
The empty sequence $\emptyset$ is called the root of the tree $D$.
If $c = (i_1, \ldots, i_n) \in D$ and $c' = (i_1, \ldots, i_n, j) \in D$ for some $j \in N$, then the number $n$ is called the level of the vertex $c$ and the vertex $c'$ is called a son of the vertex $c$ ($c'$ is the $j$-th son of $c$, to be exact).
By a path in the tree $D$ we shall understand a finite or infinite sequence of vertices $c_1, c_2, \ldots, c_k, \ldots$ such that for every $k$, $c_{k+1}$ is a son of $c_k$.
The last element of a finite maximal path, i.e. a vertex without sons, is called a leaf of the tree. □
Definition 5.2. By a proof of a formula $\alpha$ from the set of formulas $Z$ we shall understand the ordered pair $\langle D, d\rangle$ where $D$ is a tree with all paths finite and where $d$ is a mapping which assigns a formula $d(c)$ to every vertex $c$ of $D$ such that
1° for every leaf $c$ of the tree $D$, $d(c) \in Z$ or $d(c) \in Ax$;
2° for every vertex $c = (i_1, \ldots, i_n)$ which is not a leaf, $d(c)$ is a conclusion in a rule of inference from all formulas $d(i_1, \ldots, i_n, j)$ such that $(i_1, \ldots, i_n, j)$ is a vertex in $D$;
3° $d(\emptyset) = \alpha$. □
Definition 5.3. We shall say that a formula $\alpha$ is a syntactic consequence of a set of formulas $Z$, $Z \vdash \alpha$ for short, iff there exists a proof of the formula $\alpha$ from the set $Z$. □
Example 5.1. Let $Z = \{\alpha, M\,\mathbf{true}\}$, where $\alpha$ is an arbitrary fixed formula and $M$ is a program. Figure 5.1 is a proof of the formula $M\alpha$ from the set $Z$.

Fig. 5.1. The proof tree, read from the leaves down to the root: the leaves $((\alpha \wedge \mathbf{true}) \Rightarrow \alpha)$ {Ax5} and $(((\alpha \wedge \mathbf{true}) \Rightarrow \alpha) \Rightarrow (\alpha \Rightarrow (\mathbf{true} \Rightarrow \alpha)))$ {Ax8} give $(\alpha \Rightarrow (\mathbf{true} \Rightarrow \alpha))$ by r1; together with the leaf $\alpha$ {Z} this gives $(\mathbf{true} \Rightarrow \alpha)$ by r1; rule r2 yields $(M\,\mathbf{true} \Rightarrow M\alpha)$, which together with the leaf $M\,\mathbf{true}$ {Z} gives the root $M\alpha$ by r1.

Observe that in fact the relation $\vdash$ determines an operation in the set of all formulas, which to any set of formulas assigns the set of all its syntactic consequences. □
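Definitions 5.1 to 5.3 can be made executable. The Python program below is an added illustration and is not part of the book: a proof is a labelling of a prefix-closed set of tuples of naturals (the tree $D$ of Definition 5.1), and the checker verifies conditions 1° to 3° of Definition 5.2 against Figure 5.1. Only the schemata and rules that Figure 5.1 uses are implemented (Ax5, the right-to-left reading of the equivalence Ax8, r1 and r2); the ω-rules r4 to r6 have infinitely many premises and lie outside what such a finite checker can verify. The encoding of formulas as nested tuples and of the program $M$ as a bare label are assumptions of this example.

```python
# Formulas as nested tuples: ('imp', a, b) for (a => b), ('and', a, b) for
# (a and b), ('prog', M, a) for M a; propositional variables and the constant
# true are strings, and a program is represented by its name only.
TRUE = 'true'


def imp(a, b):
    return ('imp', a, b)


def conj(a, b):
    return ('and', a, b)


def prog(m, a):
    return ('prog', m, a)


def is_ax5(phi):
    """Ax5: ((a and b) => a)."""
    return phi[0] == 'imp' and phi[1][0] == 'and' and phi[1][1] == phi[2]


def is_ax8(phi):
    """Ax8, read here as the implication ((a and b) => d) => (a => (b => d))."""
    if phi[0] != 'imp':
        return False
    left, right = phi[1], phi[2]
    return (left[0] == 'imp' and left[1][0] == 'and'
            and right == imp(left[1][1], imp(left[1][2], left[2])))


def by_r1(prems, phi):
    """r1 (modus ponens): from a and (a => b) infer b."""
    return any(('imp', p, phi) in prems for p in prems)


def by_r2(prems, phi):
    """r2: from (a => b) infer (M a => M b)."""
    if phi[0] != 'imp' or phi[1][0] != 'prog' or phi[2][0] != 'prog':
        return False
    (_, m1, a), (_, m2, b) = phi[1], phi[2]
    return m1 == m2 and imp(a, b) in prems


AXIOMS = (is_ax5, is_ax8)
RULES = (by_r1, by_r2)


def is_tree(vertices):
    """Definition 5.1: a set of finite sequences containing () and closed under prefixes."""
    return () in vertices and all(c[:k] in vertices for c in vertices for k in range(len(c)))


def sons(vertices, c):
    return [d for d in vertices if len(d) == len(c) + 1 and d[:len(c)] == c]


def is_proof(labelling, target, assumptions):
    """Definition 5.2: <D, d> (D = keys of `labelling`, d = the mapping) proves
    `target` from `assumptions`."""
    D = set(labelling)
    if not is_tree(D) or labelling[()] != target:          # 3°
        return False
    for c in D:
        phi, kids = labelling[c], sons(D, c)
        if not kids:                                        # 1°: leaf
            if not (phi in assumptions or any(ax(phi) for ax in AXIOMS)):
                return False
        else:                                               # 2°: inner vertex
            prems = [labelling[k] for k in kids]
            if not any(rule(prems, phi) for rule in RULES):
                return False
    return True


def figure_5_1(alpha='a', M='M'):
    """The proof tree of Example 5.1: Z = {alpha, M true} |- M alpha.  Returns (d, Z)."""
    Z = {alpha, prog(M, TRUE)}
    d = {
        (): prog(M, alpha),                                           # r1 from (0), (1)
        (0,): imp(prog(M, TRUE), prog(M, alpha)),                     # r2 from (0,0)
        (1,): prog(M, TRUE),                                          # in Z
        (0, 0): imp(TRUE, alpha),                                     # r1 from (0,0,0), (0,0,1)
        (0, 0, 0): imp(alpha, imp(TRUE, alpha)),                      # r1 from the two axioms
        (0, 0, 1): alpha,                                             # in Z
        (0, 0, 0, 0): imp(conj(alpha, TRUE), alpha),                  # Ax5
        (0, 0, 0, 1): imp(imp(conj(alpha, TRUE), alpha),
                          imp(alpha, imp(TRUE, alpha))),              # Ax8
    }
    return d, Z
```

`is_proof(*figure_5_1()[:1], ('prog', 'M', 'a'), figure_5_1()[1])` is `True`; dropping $\alpha$ from $Z$, or deleting the vertex $(0, 0, 1)$ so that $(\mathbf{true} \Rightarrow \alpha)$ no longer follows from its sons by any implemented rule, makes the check fail, which is the content of conditions 1° and 2°.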

Definition 5.4. By the syntactic consequence operation we shall understand a mapping $C$ which to every set of formulas $Z$ assigns the least set of formulas $C(Z)$ such that:
(i) $Ax \cup Z \subset C(Z)$,
(ii) $C(Z)$ is closed with respect to the rules of inference r1 to r6. □

Remark. For every formula $\alpha$ and every set of formulas $Z$, $Z \vdash \alpha$ iff $\alpha \in C(Z)$. □

As a simple corollary we can prove that the syntactic consequence operation has properties similar to those of the semantic consequence operation. We shall mention these below.

Lemma 5.1. For arbitrary sets of formulas $Z$ and $Z_1$:
(i) $Z \subset C(Z)$,
(ii) if $Z \subset Z_1$, then $C(Z) \subset C(Z_1)$,
(iii) $C(C(Z)) = C(Z)$.
The easy proof is left to the reader. □
Let $L$ be an algorithmic language and $C$ the consequence operation defined above.
The pair $\langle L, C\rangle$ will be called the deductive system of algorithmic logic, or algorithmic logic for short.
If a formula $\alpha$ has a proof from the empty set of formulas, i.e. $\vdash \alpha$, then we shall say that $\alpha$ is a theorem of algorithmic logic.
Let $A$ be a set of formulas. By a formalized algorithmic theory we shall understand the system $\langle L, C, A\rangle$. The set $A$ will be called the set of non-logical axioms or specific axioms of the theory.
If a formula $\alpha$ has a proof from the set $A$, then $\alpha$ is a theorem of the algorithmic theory $\langle L, C, A\rangle$.

Example 5.2. As an example of a theorem of algorithmic logic we shall consider the formula
(1) $\mathbf{begin}\ \mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{else}\ M''\ \mathbf{fi};\ M\ \mathbf{end}\ \alpha \equiv \mathbf{if}\ \gamma\ \mathbf{then}\ M'; M\ \mathbf{else}\ M''; M\ \mathbf{fi}\ \alpha$,
where $\gamma \in F_0$, $M, M', M'' \in \Pi$, $\alpha \in F$.
Before we present, in Figure 5.3, the formal proof of formula (1) let us mention two auxiliary facts:
Fact 1. For all formulas $\delta, \beta_1, \beta_2$, if $\vdash (\beta_1 \Rightarrow \beta_2)$ then $\vdash ((\delta \wedge \beta_1) \Rightarrow (\delta \wedge \beta_2))$.
Fact 2. For all formulas $\delta, \beta_1, \beta_2$, if $\vdash (\beta_1 \Rightarrow \beta_2)$ then $\vdash ((\delta \vee \beta_1) \Rightarrow (\delta \vee \beta_2))$.
The formal proofs of both facts make use of classical axioms only, thus we shall present the proof of one of them as an example (Figure 5.2).
Let us introduce the notations used in Figure 5.3:
$M'(M\alpha) = \beta_1'$, $\quad M''(M\alpha) = \beta_2'$,
$\mathbf{begin}\ M'; M\ \mathbf{end}\ \alpha = \beta_1''$, $\quad \mathbf{begin}\ M''; M\ \mathbf{end}\ \alpha = \beta_2''$.

Fig. 5.3. The proof tree of formula (1), read from the leaves down to the root: the leaves $\beta_1'' \equiv \beta_1'$ {Ax21} and $\beta_2'' \equiv \beta_2'$ {Ax21}; by Fact 1, $(\gamma \wedge \beta_1'') \equiv (\gamma \wedge \beta_1')$ and $(\sim\gamma \wedge \beta_2'') \equiv (\sim\gamma \wedge \beta_2')$; by Fact 2, $((\gamma \wedge \beta_1'') \vee (\sim\gamma \wedge \beta_2'')) \equiv ((\gamma \wedge \beta_1') \vee (\sim\gamma \wedge \beta_2'))$; with Ax22 applied to both sides, $\mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{else}\ M''\ \mathbf{fi}\ (M\alpha) \equiv \mathbf{if}\ \gamma\ \mathbf{then}\ M'; M\ \mathbf{else}\ M''; M\ \mathbf{fi}\ \alpha$; by Ax21, $\mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{else}\ M''\ \mathbf{fi}\ (M\alpha) \equiv \mathbf{begin}\ \mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{else}\ M''\ \mathbf{fi};\ M\ \mathbf{end}\ \alpha$; the root is formula (1).

Example 5.3. The following formula is a theorem of algorithmic logic:
(2) $\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha \equiv \bigcup \mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi}\ (\sim\gamma \wedge \alpha)$,
where $\gamma$ is an open formula, $M$ is a program and $\alpha$ is a formula.
First we prove that for every natural number $i$ and for every formula $\alpha$,
(3) $\vdash (M^i\alpha \Rightarrow \bigcup M\alpha)$.
The proof is by induction with respect to the number of iterations $i$.
For $i = 0$ we have
(f1) $\vdash ((\alpha \vee \bigcup M(M\alpha)) \Rightarrow \bigcup M\alpha)$, {Ax16}
(f2) $\vdash (\alpha \Rightarrow (\alpha \vee \bigcup M(M\alpha)))$, {Ax2}
(f3) $\vdash ((\alpha \Rightarrow (\alpha \vee \bigcup M(M\alpha))) \Rightarrow (((\alpha \vee \bigcup M(M\alpha)) \Rightarrow \bigcup M\alpha) \Rightarrow (\alpha \Rightarrow \bigcup M\alpha)))$, {Ax1}
(f4) $\vdash (((\alpha \vee \bigcup M(M\alpha)) \Rightarrow \bigcup M\alpha) \Rightarrow (\alpha \Rightarrow \bigcup M\alpha))$, {r1, f3, f2}
(f5) $\vdash (\alpha \Rightarrow \bigcup M\alpha)$. {r1, f1, f4}
Assume that for a fixed natural number $i$ and an arbitrary formula $\alpha$,
(f6) $\vdash (M^i\alpha \Rightarrow \bigcup M\alpha)$.
Below we shall prove that $(M^{i+1}\alpha \Rightarrow \bigcup M\alpha)$ is a theorem of algorithmic logic.
(f7) $\vdash (M^{i+1}\alpha \Rightarrow M^i(M\alpha))$, {Ax21}
(f8) $\vdash (M^{i+1}\alpha \Rightarrow \bigcup M(M\alpha))$, {r1, f6 (for the formula $M\alpha$), f7}
(f9) $\vdash (\bigcup M(M\alpha) \Rightarrow (\alpha \vee \bigcup M(M\alpha)))$, {Ax3}
(f10) $\vdash (M^{i+1}\alpha \Rightarrow (\alpha \vee \bigcup M(M\alpha)))$, {Ax1, f8, f9, r1}
(f11) $\vdash ((\alpha \vee \bigcup M(M\alpha)) \Rightarrow \bigcup M\alpha)$, {Ax16}
(f12) $\vdash (M^{i+1}\alpha \Rightarrow \bigcup M\alpha)$. {f10, f11, Ax1, r1}
Hence by the principle of induction (3) holds for every $i$.
In particular,
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma \wedge \alpha) \Rightarrow \bigcup \mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi}\ (\sim\gamma \wedge \alpha))$.
Hence by the ω-rule r6
(f13) $\vdash (\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha \Rightarrow \bigcup \mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi}\ (\sim\gamma \wedge \alpha))$.
We shall prove
(4) $\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma \wedge \alpha) \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)$
analogously by induction with respect to the number of iterations $i$.
For $i = 0$ we have
(f14) $\vdash ((\sim\gamma \wedge \alpha) \Rightarrow ((\sim\gamma \wedge \alpha) \vee (\gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha))))$, {Ax2}
$\vdash ((\sim\gamma \wedge \alpha) \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)$. {Ax1, r1, Ax23, f14}
Assume that for a fixed natural number $i$,
(f15) $\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma \wedge \alpha) \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)$.
We shall prove (4) for the natural number $i + 1$.
(f16) $\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}(\sim\gamma \wedge \alpha) \Rightarrow ((\gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)) \vee (\sim\gamma \wedge (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma \wedge \alpha))))$, {f15, Ax22}
(f17) $\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}(\sim\gamma \wedge \alpha) \Rightarrow ((\gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)) \vee (\sim\gamma \wedge \alpha)))$, {f16}
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}(\sim\gamma \wedge \alpha) \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)$. {Ax23, f17}
Thus by the principle of induction (4) is proved.
By the ω-rule r4 we have
(f18) $\vdash (\bigcup \mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi}\ (\sim\gamma \wedge \alpha) \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)$.
By (f13) and (f18)
$\vdash (\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha \equiv \bigcup \mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi}\ (\sim\gamma \wedge \alpha))$. □

Example 5.4. For every program $M$, the formula
(5) $\sim M\,\mathbf{false}$
is a theorem of algorithmic logic.
First of all, we shall prove by induction with respect to the length of the program $M$ that
(f1) $\vdash (M\,\mathbf{false} \Rightarrow \mathbf{false})$.
If $M$ is an assignment instruction then (f1) follows immediately from Ax12. As an inductive assumption let us suppose that
(f2) $\vdash (M'\,\mathbf{false} \Rightarrow \mathbf{false})$,
and
(f3) $\vdash (M''\,\mathbf{false} \Rightarrow \mathbf{false})$
for all programs $M'$, $M''$ shorter than $M$.
Let us consider the program $M$ of the form $\mathbf{begin}\ M'; M''\ \mathbf{end}$.
(f4) $\vdash (\mathbf{begin}\ M'; M''\ \mathbf{end}\ \mathbf{false} \Rightarrow M'(M''\,\mathbf{false}))$, {Ax21}
(f5) $\vdash (M'(M''\,\mathbf{false}) \Rightarrow M'\,\mathbf{false})$, {f3, r2}
(f6) $\vdash (M'(M''\,\mathbf{false}) \Rightarrow \mathbf{false})$, {f2, f5, Ax1, r1}
$\vdash (\mathbf{begin}\ M'; M''\ \mathbf{end}\ \mathbf{false} \Rightarrow \mathbf{false})$. {f4, f6, Ax1, r1}
Let $M$ be of the form $\mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{else}\ M''\ \mathbf{fi}$.
(f7) $\vdash (\mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{else}\ M''\ \mathbf{fi}\ \mathbf{false} \Rightarrow ((\gamma \wedge M'\,\mathbf{false}) \vee (\sim\gamma \wedge M''\,\mathbf{false})))$, {Ax22}
(f8) $\vdash ((\gamma \wedge M'\,\mathbf{false}) \Rightarrow (\gamma \wedge \mathbf{false}))$, {f2, Ax1 to Ax11}
(f9) $\vdash ((\sim\gamma \wedge M''\,\mathbf{false}) \Rightarrow (\sim\gamma \wedge \mathbf{false}))$, {f3, Ax1 to Ax11}
(f10) $\vdash ((\gamma \wedge \mathbf{false}) \Rightarrow \mathbf{false})$, $\vdash ((\sim\gamma \wedge \mathbf{false}) \Rightarrow \mathbf{false})$, {Ax6}
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{else}\ M''\ \mathbf{fi}\ \mathbf{false}) \Rightarrow \mathbf{false})$. {f7, f8, f9, f10, Ax4, r1}
Let $M$ be of the form $\mathbf{while}\ \gamma\ \mathbf{do}\ M'\ \mathbf{od}$. By the above proof we have
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{fi})^i\,\mathbf{false} \Rightarrow \mathbf{false})$ for every $i \in N$.
Hence by the ω-rule r6 and (f10)
$\vdash (\mathbf{while}\ \gamma\ \mathbf{do}\ M'\ \mathbf{od}\ \mathbf{false} \Rightarrow \mathbf{false})$.
Hence we have proved the formula (f1) for every program $M$. Formula (5) follows from (f1) by Ax10 and r1. □

6. MODELS AND CONSISTENCY

In this section we shall prove that the syntactic consequence operation is sound with respect to the semantic consequence operation defined in § 4. More strictly, we shall prove that for every set of formulas $Z$, $C(Z) \subset Cn(Z)$.
The procedure consists of two steps. Firstly, it will be proved that all axioms are tautologies; and secondly, that every rule of inference leads from valid premises to a valid conclusion. Both facts assure us that the set of all formulas valid in any data structure is closed with respect to the syntactic consequence operation.
As a corollary, we observe that an algorithmic theory which possesses a model is consistent.

Lemma 6.1. All axioms of the algorithmic logic AL are tautologies.
Proof. We shall not verify the axioms of classical propositional calculus Ax1 to Ax11 or the axioms of classical predicate calculus Ax19 and Ax20.
The formulas Ax12, Ax14, Ax15, Ax21 and Ax22 are tautologies by Lemma 2.1, Example 2.4 and Lemma 3.4.
Let $\mathfrak{A}$ be an arbitrary data structure for the algorithmic language $L$ and let $v$ be an arbitrary valuation in $\mathfrak{A}$.
Ax13. Consider the formula
$(s\sim\alpha \equiv \sim s\alpha)$
where $s$ is a substitution. By the definition of semantics we have
$\mathfrak{A}, v \models s\sim\alpha$ iff $\mathfrak{A}, s_{\mathfrak{A}}(v) \models \sim\alpha$ iff
non $\mathfrak{A}, s_{\mathfrak{A}}(v) \models \alpha$ iff
non $\mathfrak{A}, v \models s\alpha$ iff $\mathfrak{A}, v \models \sim s\alpha$.
Ax17. Consider the formula $(\bigcap M\alpha \equiv (\alpha \wedge \bigcap M(M\alpha)))$. By the definition of semantics we have:
$\mathfrak{A}, v \models \bigcap M\alpha$ iff $\mathrm{g.l.b.}_{i \in N}\,(M^i\alpha)_{\mathfrak{A}}(v) = 1$ iff
for every $i \in N$, $(M^i\alpha)_{\mathfrak{A}}(v) = 1$ iff
$\alpha_{\mathfrak{A}}(v) = 1$ and $\mathrm{g.l.b.}_{i \in N}\,(M^i(M\alpha))_{\mathfrak{A}}(v) = 1$ iff
$\mathfrak{A}, v \models \alpha$ and $\mathfrak{A}, v \models \bigcap M(M\alpha)$ iff
$\mathfrak{A}, v \models (\alpha \wedge \bigcap M(M\alpha))$.
Ax18. Sentences (1) to (7) below are equivalent.
(1) $\mathfrak{A}, v \models s(\exists x)\alpha(x)$.
(2) $\mathfrak{A}, s_{\mathfrak{A}}(v) \models (\exists x)\alpha(x)$.
(3) There exists $a \in \mathfrak{A}$ such that $\mathfrak{A}, \bar{v}^x_a \models \alpha(x)$, where $\bar{v} = s_{\mathfrak{A}}(v)$.
(4) There exists $a \in \mathfrak{A}$ such that $\mathfrak{A}, \bar{v}^y_a \models (x := y)\alpha(x)$, where $\bar{v} = s_{\mathfrak{A}}(v)$ and $y$ does not occur in $s$ or in $\alpha$.
(5) There exists $a \in \mathfrak{A}$ such that $\mathfrak{A}, s_{\mathfrak{A}}(v^y_a) \models (x := y)\alpha(x)$, where $y \notin V(s\alpha)$.
(6) There exists $a \in \mathfrak{A}$ such that $\mathfrak{A}, v^y_a \models s((x := y)\alpha(x))$, where $y \notin V(s\alpha)$.
(7) $\mathfrak{A}, v \models (\exists y)s((x := y)\alpha(x))$.
Hence,
$\mathfrak{A}, v \models (s(\exists x)\alpha(x) \equiv (\exists y)(s((x := y)\alpha(x))))$
if $y$ does not occur in $s$ or in $\alpha$.
Ax23. Sentences (8) to (12) below are equivalent.
(8) $\mathfrak{A}, v \models \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha$.
(9) There exists $i \in N$ such that $\mathfrak{A}, v \models M^j\gamma$ for $j < i$, $M^i_{\mathfrak{A}}(v)$ is defined and $\mathfrak{A}, v \models M^i(\sim\gamma \wedge \alpha)$.
(10) Either $i = 0$ and $\mathfrak{A}, v \models (\sim\gamma \wedge \alpha)$, or $i \neq 0$ and $\mathfrak{A}, v \models \gamma$, $\mathfrak{A}, v \models M(M^j\gamma)$ for $j < i - 1$ and $\mathfrak{A}, v \models M(M^{i-1}(\sim\gamma \wedge \alpha))$.
(11) $\mathfrak{A}, v \models (\sim\gamma \wedge \alpha)$, or $\mathfrak{A}, v \models \gamma$ and $\mathfrak{A}, v' \models \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha$, where $M_{\mathfrak{A}}(v)$ is defined and $v' = M_{\mathfrak{A}}(v)$.
(12) $\mathfrak{A}, v \models ((\sim\gamma \wedge \alpha) \vee (\gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)))$.
Hence
$\mathfrak{A}, v \models (\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha \equiv ((\sim\gamma \wedge \alpha) \vee (\gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha))))$. □

Lemma 6.2. For every inference rule of AL, if the premises of the rule are valid in a data structure $\mathfrak{A}$, then the conclusion of the rule is also valid in $\mathfrak{A}$.

Proof. We shall consider only three inference rules in order to show the method of the proof. The rule r2 is proved in Lemma 3.4.
Let $\mathfrak{A}$ be an arbitrary data structure.
r3: $$\frac{(M((x := y)\alpha) \Rightarrow \beta)}{(M(\exists x)\alpha(x) \Rightarrow \beta)}\quad\text{where } y \text{ does not occur in } M, \alpha \text{ or } \beta.$$
Suppose that
(13) $\mathfrak{A} \models (M(x := y)\alpha \Rightarrow \beta)$ and $y \notin V(M) \cup V(\alpha) \cup V(\beta)$
and for a fixed valuation $v$ in $\mathfrak{A}$
(14) $\mathfrak{A}, v \models M((\exists x)\alpha(x))$
and
(15) non $\mathfrak{A}, v \models \beta$.
Hence by (14), $M_{\mathfrak{A}}(v)$ is defined and for $v' = M_{\mathfrak{A}}(v)$, $\mathfrak{A}, v' \models (\exists x)\alpha(x)$.
By the definition of semantics, there exists an element $a \in \mathfrak{A}$ such that
$\mathfrak{A}, v'^{a}_{x} \models \alpha(x)$.
Since $y \notin V(\alpha)$, then $\mathfrak{A}, v'^{a}_{y} \models (x := y)\alpha(x)$. Since $y \notin V(\beta)$, then, by (15), non $\mathfrak{A}, v^{a}_{y} \models \beta$. Since $y \notin V(M)$, then $v'^{a}_{y} = M_{\mathfrak{A}}(v^{a}_{y})$. Thus
$\mathfrak{A}, v^{a}_{y} \models M((x := y)\alpha(x))$ and non $\mathfrak{A}, v^{a}_{y} \models \beta$.
As a consequence non $\mathfrak{A}, v^{a}_{y} \models (M((x := y)\alpha) \Rightarrow \beta)$, which contradicts (13).
r5: $$\frac{\{(\beta \Rightarrow M'(M^i\alpha))\}_{i \in N}}{(\beta \Rightarrow M'\bigcap M\alpha)}$$
Assume
(16) $\mathfrak{A} \models (\beta \Rightarrow M'(M^i\alpha))$ for every natural number $i$.
Let $v$ be an arbitrary valuation such that
(17) $\mathfrak{A}, v \models \beta$.
By (16) we have $\mathfrak{A}, v \models M'(M^i\alpha)$ for every $i \in N$. Thus $M'_{\mathfrak{A}}(v)$ is defined and for $v' = M'_{\mathfrak{A}}(v)$ and all $i \in N$
$\mathfrak{A}, v' \models M^i\alpha$.
By the definition of semantics, it follows that
$\mathfrak{A}, v' \models \bigcap M\alpha$, i.e. $\mathfrak{A}, v \models M'\bigcap M\alpha$.
Hence by (17), $\mathfrak{A}, v \models (\beta \Rightarrow M'\bigcap M\alpha)$.
r6: $$\frac{\{(M'((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i({\sim}\gamma \wedge \alpha)) \Rightarrow \beta)\}_{i \in N}}{(M'(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha) \Rightarrow \beta)}$$
Assume
(18) $\mathfrak{A} \models (M'((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i({\sim}\gamma \wedge \alpha)) \Rightarrow \beta)$ for every $i$
and suppose that for a valuation $v$,
$\mathfrak{A}, v \models {\sim}(M'(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha) \Rightarrow \beta)$.
Hence
(19) $\mathfrak{A}, v \models M'(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)$
and
(20) $\mathfrak{A}, v \models {\sim}\beta$.
By (19) and the definition of semantics, $M'_{\mathfrak{A}}(v)$ is defined and for $v' = M'_{\mathfrak{A}}(v)$ there exists a natural number $i_0$ such that
$\mathfrak{A}, v' \models M^j\gamma$ for $j < i_0$ and $\mathfrak{A}, v' \models M^{i_0}({\sim}\gamma \wedge \alpha)$.
Thus
$\mathfrak{A}, v' \models (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i_0}({\sim}\gamma \wedge \alpha)$.
Since $v' = M'_{\mathfrak{A}}(v)$, then by (20)
$\mathfrak{A}, v \models {\sim}(M'((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i_0}({\sim}\gamma \wedge \alpha)) \Rightarrow \beta)$,
a contradiction of (18).
Hence
$\mathfrak{A} \models (M'(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha) \Rightarrow \beta)$.
The fact proved above allows us to say that the inference rules r1–r6 are sound. □

Corollary 6.1. For every inference rule of AL, if the premises of the rule are tautologies, then the conclusion of the rule is a tautology. □

Theorem 6.1. For every formula $\alpha$ and every set of formulas $Z$, if $Z \vdash \alpha$, then $Z \models \alpha$.
In other words, the set of syntactic consequences of a set $Z$ is contained in the set of all semantic consequences of the set $Z$.
Proof. Let $Z$ be a set of formulas. Assume that $Z \vdash \alpha$. Hence there exists a formal proof $\langle D, d\rangle$ of the formula $\alpha$ from the set $Z$. We shall proceed by induction on the level of the tree $D$ to show that for every $c \in D$, $Z \models d(c)$.
If $\mathfrak{A}$ is a model of $Z$, then for every leaf $c$ in $D$, $d(c)$ is valid in $\mathfrak{A}$. Consider an internal node $c$ of the tree $D$ and assume that the induction assumption holds for all sons of $c$, i.e. $Z \models d(c_i)$ for every son $c_i$ of $c$.
The formula $d(c)$ is a conclusion of an inference rule for the premises $d(c_i)$. By Lemma 6.2 we infer that $Z \models d(c)$. Hence $Z \models \alpha$. □

Definition 6.1. Let $T$ be an algorithmic theory, $T = \langle L, C, A\rangle$. By a model of $T$ we shall understand any data structure $\mathfrak{A}$ for the language $L$ such that $\mathfrak{A} \models T$. □

As an immediate consequence of Theorem 6.1 we have the following corollaries:

Corollary 6.2. For every formula $\alpha$:
(i) if $\alpha$ is a theorem of the theory $T$, then $\alpha$ is valid in every model of $T$,
(ii) if the formula $\alpha$ is a theorem of AL, then $\alpha$ is a tautology. □

Definition 6.2. An algorithmic theory $T = \langle L, C, A\rangle$ is consistent iff there exists a formula which is not a theorem of $T$. □

Corollary 6.3.
(i) The algorithmic logic AL is consistent.
(ii) If a theory $T$ has a model, then it is consistent.
It is sufficient to prove property (ii).
Proof.
Let $\mathfrak{A}$ be a model of a theory $T = \langle L, C, A\rangle$ and let every formula $\alpha$ be a theorem of $T$. By Corollary 6.1, for an arbitrary valuation $v$ we have
$\mathfrak{A}, v \models \alpha$ and $\mathfrak{A}, v \models {\sim}\alpha$,
which is a contradiction. □

7. USEFUL TAUTOLOGIES AND INFERENCE RULES

This section presents the tautologies and inference rules which we consider useful in proving properties of programs.
The proofs in this section are not formal. We have omitted many steps related to classical propositional calculus in order to underline axioms and inference rules specific to algorithmic logic.
In all the formulas below $\alpha$, $\beta$ are arbitrary formulas, $M$, $M'$ are arbitrary programs, $\gamma$, $\gamma'$ are open formulas and $Z$ is a set of formulas.

(1) $\vdash (M{\sim}\alpha \Rightarrow {\sim}M\alpha)$.
Proof.
$\vdash {\sim}M\,\mathbf{false}$, {Example 5.4}
$\vdash {\sim}M({\sim}\alpha \wedge \alpha)$,
$\vdash ({\sim}M{\sim}\alpha \vee {\sim}M\alpha)$, {Ax14}
$\vdash (M{\sim}\alpha \Rightarrow {\sim}M\alpha)$. □

(2) $\vdash (M\,\mathbf{true} \Rightarrow ({\sim}M\alpha \Rightarrow M{\sim}\alpha))$.

Proof.
$\vdash ({\sim}M\,\mathbf{true} \vee M(\alpha \vee {\sim}\alpha))$, {Ax11}
$\vdash ({\sim}M\,\mathbf{true} \vee (M\alpha \vee M{\sim}\alpha))$, {Ax15}
$\vdash ((M\,\mathbf{true} \wedge {\sim}M\alpha) \Rightarrow M{\sim}\alpha)$,
$\vdash (M\,\mathbf{true} \Rightarrow ({\sim}M\alpha \Rightarrow M{\sim}\alpha))$. {Ax8} □

(2') $\vdash (M\,\mathbf{true} \Rightarrow (M{\sim}\alpha \equiv {\sim}M\alpha))$. {(1), (2)}

(3) $\vdash (M(\alpha \Rightarrow \beta) \Rightarrow (M\alpha \Rightarrow M\beta))$.
Proof.
$\vdash ((\alpha \Rightarrow \beta) \Rightarrow ({\sim}\alpha \vee \beta))$,
$\vdash (M(\alpha \Rightarrow \beta) \Rightarrow M({\sim}\alpha \vee \beta))$, {r2}
$\vdash (M(\alpha \Rightarrow \beta) \Rightarrow (M{\sim}\alpha \vee M\beta))$, {Ax15}
$\vdash (M(\alpha \Rightarrow \beta) \Rightarrow ({\sim}M\alpha \vee M\beta))$, {(1)}
$\vdash (M(\alpha \Rightarrow \beta) \Rightarrow (M\alpha \Rightarrow M\beta))$. □

(4) $\vdash (M\,\mathbf{true} \Rightarrow ((M\alpha \Rightarrow M\beta) \Rightarrow M(\alpha \Rightarrow \beta)))$.

Proof.
$\vdash (M\,\mathbf{true} \Rightarrow ({\sim}M\alpha \Rightarrow M{\sim}\alpha))$, {(2)}
$\vdash ((M\,\mathbf{true} \wedge {\sim}M\alpha) \Rightarrow M{\sim}\alpha)$, {Ax8}
$\vdash (((M\,\mathbf{true} \wedge {\sim}M\alpha) \vee M\beta) \Rightarrow (M{\sim}\alpha \vee M\beta))$,
$\vdash ((M\,\mathbf{true} \vee M\beta) \Rightarrow (({\sim}M\alpha \vee M\beta) \Rightarrow M({\sim}\alpha \vee \beta)))$, {Ax8, Ax15}
$\vdash ((M\,\mathbf{true} \vee M\beta) \Rightarrow ((M\alpha \Rightarrow M\beta) \Rightarrow M(\alpha \Rightarrow \beta)))$,
$\vdash (M\,\mathbf{true} \Rightarrow ((M\alpha \Rightarrow M\beta) \Rightarrow M(\alpha \Rightarrow \beta)))$. □

(4') $\vdash (M\,\mathbf{true} \Rightarrow ((M\alpha \Rightarrow M\beta) \equiv M(\alpha \Rightarrow \beta)))$. {(3), (4)}
(5) For every natural number $i$,
$\vdash (M^i\alpha \Rightarrow \bigcup M\alpha)$.
(6) For every natural number $i$,
$\vdash (\bigcap M\alpha \Rightarrow M^i\alpha)$.
(7) For every natural number $i$,
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i({\sim}\gamma \wedge \alpha) \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)$.
For the proofs of (5), (6), (7) see Example 5.3.

(8) $\vdash ((\alpha \wedge \bigcap M(\alpha \Rightarrow M\alpha)) \Rightarrow \bigcap M\alpha)$.

Proof.
$\vdash (\bigcap M(\alpha \Rightarrow M\alpha) \Rightarrow M^i(\alpha \Rightarrow M\alpha))$ for every $i \in N$, {(5)}
(f1) $\vdash (\bigcap M(\alpha \Rightarrow M\alpha) \Rightarrow (M^i\alpha \Rightarrow M^{i+1}\alpha))$ for every $i \in N$, {(3)}
$\vdash ((\alpha \wedge \bigcap M(\alpha \Rightarrow M\alpha)) \Rightarrow \alpha)$. {Ax5}
Assume that for a natural number $i$,
(f2) $\vdash ((\alpha \wedge \bigcap M(\alpha \Rightarrow M\alpha)) \Rightarrow M^i\alpha)$,
$\vdash ((\alpha \wedge \bigcap M(\alpha \Rightarrow M\alpha)) \Rightarrow (M^i\alpha \wedge (M^i\alpha \Rightarrow M^{i+1}\alpha)))$, {f1, f2}
$\vdash ((\alpha \wedge \bigcap M(\alpha \Rightarrow M\alpha)) \Rightarrow (M^{i+1}\alpha \wedge (M^i\alpha \Rightarrow M^{i+1}\alpha)))$.
Hence by the principle of induction
$\vdash ((\alpha \wedge \bigcap M(\alpha \Rightarrow M\alpha)) \Rightarrow M^i\alpha)$ for every $i \in N$,
$\vdash ((\alpha \wedge \bigcap M(\alpha \Rightarrow M\alpha)) \Rightarrow \bigcap M\alpha)$. {ω-rule r5} □

(9) $\vdash (\bigcap M(M\alpha) \equiv M\bigcap M\alpha)$.

Proof.
$\vdash (\bigcap M(M\alpha) \Rightarrow M^i(M\alpha))$ for every $i \in N$, {(6)}
$\vdash (\bigcap M(M\alpha) \Rightarrow M(M^i\alpha))$ for every $i \in N$, {Ax21}
(f1) $\vdash (\bigcap M(M\alpha) \Rightarrow M\bigcap M\alpha)$, {r5}
$\vdash (\bigcap M\alpha \Rightarrow M^i\alpha)$ for every $i \in N$, {(6)}
$\vdash (M\bigcap M\alpha \Rightarrow M(M^i\alpha))$ for every $i \in N$, {r2}
$\vdash (M\bigcap M\alpha \Rightarrow M^i(M\alpha))$ for every $i \in N$, {Ax21}
(f2) $\vdash (M\bigcap M\alpha \Rightarrow \bigcap M(M\alpha))$, {r5}
$\vdash (M\bigcap M\alpha \equiv \bigcap M(M\alpha))$. {f1, f2}
(10) $\vdash (\bigcup M(M\alpha) \equiv M\bigcup M\alpha)$.
The proof, analogous to that of the previous formula, is omitted. □

(11) $$\frac{(\alpha \Rightarrow \beta)}{(\bigcup M\alpha \Rightarrow \bigcup M\beta)}$$
Proof. Assume that for an arbitrary fixed set of formulas $Z$,
$Z \vdash (\alpha \Rightarrow \beta)$.
Then for every natural number $i \in N$
$Z \vdash (M^i\alpha \Rightarrow M^i\beta)$. {r2}
Hence
$Z \vdash (M^i\alpha \Rightarrow \bigcup M\beta)$ for every $i \in N$, {(5)}
$Z \vdash (\bigcup M\alpha \Rightarrow \bigcup M\beta)$. {r4} □

(12) $$\frac{(\alpha \Rightarrow \beta)}{(\bigcap M\alpha \Rightarrow \bigcap M\beta)}$$
The proof is analogous to the previous one.
(13) $$\frac{\alpha,\quad M\,\mathbf{true}}{M\alpha}$$
For the proof see Example 5.1.
(14) $$\frac{(\gamma \Rightarrow {\sim}M{\sim}\gamma)}{(\gamma \Rightarrow {\sim}\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})}$$
Proof. Let $Z$ be an arbitrary set of formulas.
(f1) $Z \vdash (\gamma \Rightarrow {\sim}M{\sim}\gamma)$, {assumption}
$Z \vdash (((\gamma \wedge M{\sim}\gamma) \vee {\sim}\gamma) \Rightarrow {\sim}\gamma)$, {Ax1–Ax11}
$Z \vdash (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi}\ {\sim}\gamma \Rightarrow {\sim}\gamma)$. {Ax22}
Assume that for a natural number $i$
(f2) $Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma \Rightarrow {\sim}\gamma)$, {inductive assumption}
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow \mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi}\ {\sim}\gamma)$, {r2, f2}
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow ((\gamma \wedge M{\sim}\gamma) \vee {\sim}\gamma))$, {Ax22}
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow {\sim}\gamma)$. {f1}
Hence by the principle of induction
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma \Rightarrow {\sim}\gamma)$ for every $i \in N$.
Thus by rule r6,
$Z \vdash (\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true} \Rightarrow {\sim}\gamma)$,
$Z \vdash (\gamma \Rightarrow {\sim}\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})$. □

(15) $$\frac{(\gamma \Rightarrow M\gamma)}{(\gamma \Rightarrow {\sim}\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})}$$

Proof. Let $Z$ be an arbitrary set of formulas.
$Z \vdash (\gamma \Rightarrow M\gamma)$, {assumption}
$Z \vdash (M\gamma \Rightarrow {\sim}M{\sim}\gamma)$, {(1)}
$Z \vdash (\gamma \Rightarrow {\sim}M{\sim}\gamma)$,
$Z \vdash (\gamma \Rightarrow {\sim}\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})$. {rule (14)} □
(16) $$\frac{\gamma}{{\sim}\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true}}$$
The proof follows immediately from rule (14). □
(17) $$\frac{(\gamma \Rightarrow \gamma')}{(\mathbf{while}\ \gamma'\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true} \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})}$$
Proof.
(f1) $Z \vdash (\gamma \Rightarrow \gamma')$, {assumption}
$Z \vdash ({\sim}\gamma \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})$. {Ax23}
Suppose that for the natural number $i$,
$Z \vdash ((\mathbf{if}\ \gamma'\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma' \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})$, {inductive assumption}
$Z \vdash ((\mathbf{if}\ \gamma'\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma' \Rightarrow \mathbf{if}\ \gamma'\ \mathbf{then}\ M\ \mathbf{fi}\ (\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true}))$. {r2, inductive assumption}
(f2) $Z \vdash ((\mathbf{if}\ \gamma'\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma' \Rightarrow ((\gamma' \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})) \vee ({\sim}\gamma' \wedge \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})))$, {Ax22}
$Z \vdash (({\sim}\gamma' \wedge \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true}) \Rightarrow {\sim}\gamma)$, {Ax23, f1}
$Z \vdash (((\gamma' \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})) \vee {\sim}\gamma) \Rightarrow ({\sim}\gamma \vee (\gamma' \wedge \gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})) \vee (\gamma' \wedge {\sim}\gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true}))))$, {Ax1–Ax11}
$Z \vdash (((\gamma' \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})) \vee {\sim}\gamma) \Rightarrow ((\gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})) \vee {\sim}\gamma))$,
$Z \vdash ((\mathbf{if}\ \gamma'\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma' \Rightarrow ((\gamma \wedge M(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})) \vee {\sim}\gamma))$, {f2}
$Z \vdash ((\mathbf{if}\ \gamma'\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma' \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})$, {Ax23}
$Z \vdash ((\mathbf{if}\ \gamma'\ \mathbf{then}\ M\ \mathbf{fi})^{i}{\sim}\gamma' \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})$ for every $i \in N$, {principle of induction}
$Z \vdash (\mathbf{while}\ \gamma'\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true} \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})$. {r6} □
(18) If $V(M) \cap V(\alpha) = \emptyset$, then $\vdash (M\,\mathbf{true} \Rightarrow (M\alpha \equiv \alpha))$.
The formal proof of (18) is very long. It goes by induction on the complexity of the expressions $M$ and $\alpha$. Another proof, of semantic character, will be given in the following chapter. □

(19) $$\frac{M'\,\mathbf{true}}{(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true} \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M;\ M'\ \mathbf{od}\ \mathbf{true})}$$
where $V(M') \cap V(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}) = \emptyset$.
Proof.
$Z \vdash ({\sim}\gamma \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M;\ M'\ \mathbf{od}\ \mathbf{true})$. {Ax23}
Assume (the inductive assumption) that for a natural number $i$,
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M;\ M'\ \mathbf{od}\ \mathbf{true})$,
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma \Rightarrow M'(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma)$. {(18)}
Thus
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow (\gamma \wedge M(M'(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma) \vee {\sim}\gamma \wedge (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma))$.
By the inductive assumption we have
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow (\gamma \wedge M(M'\ \mathbf{while}\ \gamma\ \mathbf{do}\ M;\ M'\ \mathbf{od}\ \mathbf{true}) \vee {\sim}\gamma \wedge \mathbf{while}\ \gamma\ \mathbf{do}\ M;\ M'\ \mathbf{od}\ \mathbf{true}))$.
Hence
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M;\ M'\ \mathbf{od}\ \mathbf{true})$. {Ax23}
By the principle of induction, for every $i \in N$
$Z \vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M;\ M'\ \mathbf{od}\ \mathbf{true})$.
By rule r6
$Z \vdash (\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true} \Rightarrow \mathbf{while}\ \gamma\ \mathbf{do}\ M;\ M'\ \mathbf{od}\ \mathbf{true})$. □

(20) $\vdash ((\gamma \wedge \bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma)) \Rightarrow {\sim}\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})$.

Proof.
$\vdash ({\sim}\gamma \Rightarrow ({\sim}\gamma \vee {\sim}\bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma)))$, {Ax2}
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma \Rightarrow ({\sim}\gamma \vee {\sim}\bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma)))$ for a natural number $i$, {inductive assumption}
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow (\gamma \wedge M({\sim}\gamma \vee {\sim}\bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma))) \vee ({\sim}\gamma \wedge ({\sim}\gamma \vee {\sim}\bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma))))$, {inductive assumption, Ax22}
$\vdash (({\sim}\gamma \wedge ({\sim}\gamma \vee {\sim}\bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma))) \Rightarrow {\sim}\gamma)$, {Ax1–Ax11}
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow (((\gamma \wedge M{\sim}\gamma) \vee (\gamma \wedge M{\sim}\bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma))) \vee {\sim}\gamma))$, {Ax15}
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow (({\sim}(\gamma \Rightarrow {\sim}M{\sim}\gamma) \vee {\sim}M\bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma)) \vee {\sim}\gamma))$, {(1)}
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^{i+1}{\sim}\gamma \Rightarrow ({\sim}\gamma \vee {\sim}\bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma)))$.
By the principle of induction, for every natural number $i$
$\vdash ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i{\sim}\gamma \Rightarrow {\sim}(\gamma \wedge \bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma)))$.
Hence by the rule r6
$\vdash (\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true} \Rightarrow {\sim}(\gamma \wedge \bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma)))$,
$\vdash ((\gamma \wedge \bigcap M(\gamma \Rightarrow {\sim}M{\sim}\gamma)) \Rightarrow {\sim}\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \mathbf{true})$. □
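Added example, not from the book: a small Python evaluator for the semantics of deterministic iterative programs over a constructed finite data structure (the integers modulo 6, one variable x). It checks Ax23 from Lemma 6.1, the iteration characterisation behind (7), and tautology (1) together with the role of the premise M true in (2). The finite state space lets the infinite iterations ⋂Mα and ⋃Mα be decided exactly, since a run of a deterministic program either halts or revisits a state. All function and formula names are our own.

```python
from itertools import product

N = 6  # constructed data structure: the integers modulo 6, one variable x

# Programs: ('asg', x, f) with f mapping a valuation to the new value of x;
# ('seq', M1, M2); ('if', g, M1, M2) with g a boolean test on valuations;
# ('while', g, M).  Formulas: ('atom', test); ('not', a); ('and', a, b);
# ('or', a, b); ('imp', a, b); ('prog', M, a) is M a; ('all', M, a) is the
# iteration intersection of M and a; ('some', M, a) is the iteration union.

def run(M, v):
    """M_A(v): the valuation after running M, or None if M does not halt."""
    kind = M[0]
    if kind == 'asg':
        w = dict(v); w[M[1]] = M[2](v) % N; return w
    if kind == 'seq':
        w = run(M[1], v)
        return None if w is None else run(M[2], w)
    if kind == 'if':
        return run(M[2], v) if M[1](v) else run(M[3], v)
    if kind == 'while':
        g, body, seen = M[1], M[2], set()
        while g(v):
            key = frozenset(v.items())
            if key in seen:          # state revisited: the loop never halts
                return None
            seen.add(key)
            v = run(body, v)
            if v is None:
                return None
        return v
    raise ValueError(kind)

def sat(a, v):
    """A, v |= a."""
    kind = a[0]
    if kind == 'atom': return a[1](v)
    if kind == 'not':  return not sat(a[1], v)
    if kind == 'and':  return sat(a[1], v) and sat(a[2], v)
    if kind == 'or':   return sat(a[1], v) or sat(a[2], v)
    if kind == 'imp':  return (not sat(a[1], v)) or sat(a[2], v)
    if kind == 'prog':               # M a: M halts and a holds afterwards
        w = run(a[1], v)
        return w is not None and sat(a[2], w)
    if kind not in ('all', 'some'):
        raise ValueError(kind)
    # M^i a for i = 0, 1, ...: on a finite state space the run of M is
    # eventually periodic, so the truth values are decided once a state repeats
    M, alpha, seen, vals = a[1], a[2], set(), []
    while v is not None and frozenset(v.items()) not in seen:
        seen.add(frozenset(v.items()))
        vals.append(sat(alpha, v))
        v = run(M, v)
    if v is None:                    # M^i undefined: M^i a is false from here on
        vals.append(False)
    return all(vals) if kind == 'all' else any(vals)

def valid(a, names=('x',)):
    """True iff a holds under every valuation of the listed variables."""
    return all(sat(a, dict(zip(names, vs)))
               for vs in product(range(N), repeat=len(names)))

def power(M, i):
    """M^i as a program; M^0 is the identity assignment x := x."""
    prog = ('asg', 'x', lambda v: v['x'])
    for _ in range(i):
        prog = ('seq', prog, M)
    return prog

# Constructed instance: M adds 2 to x; the loop halts only when x is even.
STEP  = ('asg', 'x', lambda v: v['x'] + 2)
GAMMA = lambda v: v['x'] != 0
G     = ('atom', GAMMA)
LOOP  = ('while', GAMMA, STEP)
ALPHA = ('atom', lambda v: v['x'] == 0)
WHILE = ('prog', LOOP, ALPHA)        # while gamma do M od alpha

def check_ax23():
    """Ax23: while g do M od a == ((~g & a) | (g & M(while g do M od a)))."""
    rhs = ('or', ('and', ('not', G), ALPHA), ('and', G, ('prog', STEP, WHILE)))
    return valid(('imp', WHILE, rhs)) and valid(('imp', rhs, WHILE))

def check_iteration():
    """while g do M od a == U(if g then M fi)(~g & a), and (7): every finite
    unrolling (if g then M fi)^i(~g & a) implies the while formula."""
    ifm = ('if', GAMMA, STEP, power(STEP, 0))
    body = ('and', ('not', G), ALPHA)
    union = ('some', ifm, body)
    seven = all(valid(('imp', ('prog', power(ifm, i), body), WHILE))
                for i in range(8))
    return valid(('imp', WHILE, union)) and valid(('imp', union, WHILE)) and seven

def check_one_and_two():
    """(1) M~a => ~Ma is valid; its converse is not (LOOP does not halt for
    odd x) but becomes valid under the extra premise M true, as in (2)."""
    one = valid(('imp', ('prog', LOOP, ('not', ALPHA)),
                        ('not', ('prog', LOOP, ALPHA))))
    conv = ('imp', ('not', ('prog', LOOP, ALPHA)), ('prog', LOOP, ('not', ALPHA)))
    mtrue = ('prog', LOOP, ('atom', lambda v: True))
    return one, valid(conv), valid(('imp', mtrue, conv))
```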

8. AN EXAMPLE OF A CORRECTNESS PROOF

In this section we shall present a proof, almost formal, of the statement that the bisection algorithm correctly computes an approximation of a zero of a continuous function in an Archimedean field.
Assume that $f$ is a function defined on an interval $[a, b]$ such that $f(a)\cdot f(b) < 0$.

Theorem 8.1. The program $K$ of the form

while $(b-a) > \varepsilon$ do
  $x := (a+b)/2$;
  if $f(a)\cdot f(x) \le 0$ then $b := x$ else $a := x$ fi
od
is correct with respect to the precondition
$\xi$: $(f(a)\cdot f(b) < 0 \wedge (b-a) > \varepsilon > 0)$
and the postcondition
$\delta$: $(f(a)\cdot f(b) \le 0 \wedge (b-a) \le \varepsilon)$.

More strictly, we shall prove that the formula $(\xi \Rightarrow K\delta)$ is provable in the theory of Archimedean fields (cf. Chapter IV).
Let us assume the following abbreviations:
$M$: begin
  $x := (a+b)/2$;
  if $f(a)\cdot f(x) \le 0$ then $b := x$ else $a := x$ fi
end,
$\delta_i$: $(f(a)\cdot f(b) \le 0 \wedge (b-a) = k/2^i)$ for $k > 0$ and $i \in N$.
We shall prove a few lemmas in order to illustrate the role of axioms and inference rules.

Lemma 8.2. The following formula is provable in the theory of fields:
$(\delta_0 \Rightarrow M\delta_1)$.
Proof. Observe that the following two formulas are theorems in the theory of fields:
$((b-a) = k \Rightarrow ((a+b)/2 - a = k/2 \wedge b - (a+b)/2 = k/2))$,
$(f(a)\cdot f(b) \le 0 \Rightarrow (d\cdot f(a) \le 0 \vee (d\cdot f(a) > 0 \wedge d\cdot f(b) \le 0)))$.
Substitute $d = f((a+b)/2)$. By propositional calculus we have
$(\delta_0 \Rightarrow ((f((a+b)/2)\cdot f(a) \le 0 \wedge ((a+b)/2 - a) = k/2) \vee (f((a+b)/2)\cdot f(a) > 0 \wedge f((a+b)/2)\cdot f(b) \le 0 \wedge (b - (a+b)/2) = k/2)))$.
Applying the axiom of assignment Ax12 twice,
$(z := \tau)\gamma \equiv \gamma(z/\tau)$,
we obtain
$(\delta_0 \Rightarrow ((x := (a+b)/2)(f(x)\cdot f(a) \le 0 \wedge (x-a) = k/2) \vee (x := (a+b)/2)(f(x)\cdot f(a) > 0 \wedge f(x)\cdot f(b) \le 0 \wedge (b-x) = k/2)))$.
By axiom Ax15
$M(\alpha \vee \beta) \equiv (M\alpha \vee M\beta)$,
we have
$(\delta_0 \Rightarrow (x := (a+b)/2)(f(x)\cdot f(a) \le 0 \wedge (x-a) = k/2 \vee f(x)\cdot f(a) > 0 \wedge f(x)\cdot f(b) \le 0 \wedge (b-x) = k/2))$,
which is equivalent by Ax12 to
$(\delta_0 \Rightarrow (x := (a+b)/2)(f(x)\cdot f(a) \le 0 \wedge (b := x)\delta_1 \vee f(x)\cdot f(a) > 0 \wedge (a := x)\delta_1))$.
By axiom Ax22
$\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{else}\ M'\ \mathbf{fi}\ \alpha \equiv ((\gamma \wedge M\alpha) \vee ({\sim}\gamma \wedge M'\alpha))$,
we prove
$(\delta_0 \Rightarrow (x := (a+b)/2)(\mathbf{if}\ f(x)\cdot f(a) \le 0\ \mathbf{then}\ b := x\ \mathbf{else}\ a := x\ \mathbf{fi}\ \delta_1))$.
Hence $(\delta_0 \Rightarrow M\delta_1)$ is provable in the theory of ordered fields. □

As a consequence of the above lemma we have

Lemma 8.3. For every natural number $i$ the following formula is provable in the theory of ordered fields
$(\delta_0 \Rightarrow M^i\delta_i)$. □

The proof of Theorem 8.1. For every natural number $j > 0$ we can prove by Lemma 8.3 the following formula:
(1) $((k > \varepsilon > 0 \wedge \delta_0 \wedge \varepsilon\cdot j \ge k) \Rightarrow M^j(f(a)\cdot f(b) \le 0 \wedge b-a = k/2^j \wedge k/j < \varepsilon))$.
By axioms of fields and axioms Ax12 and Ax23 of algorithmic logic the following two formulas are provable:
$((z := \varepsilon)(z := z+\varepsilon)^j\, z \ge k \Rightarrow \varepsilon\cdot j \ge k)$,
$(M^j(f(a)\cdot f(b) \le 0 \wedge b-a = k/2^j \wedge k/j < \varepsilon) \Rightarrow \mathbf{while}\ b-a > \varepsilon\ \mathbf{do}\ M\ \mathbf{od}\ \delta)$.
Hence using propositional calculus and (1) we have proved
$((z := \varepsilon)(z := z+\varepsilon)^j\, z \ge k \Rightarrow ((k > \varepsilon > 0 \wedge \delta_0) \Rightarrow K\delta))$
for every $j \ge 0$. By ω-rule r6 of algorithmic logic we obtain
(2) $((z := \varepsilon)(\mathbf{while}\ z < k\ \mathbf{do}\ z := z+\varepsilon\ \mathbf{od}\ \mathbf{true}) \Rightarrow (k > \varepsilon > 0 \wedge \delta_0 \Rightarrow K\delta))$.
Making use of the following form of the Archimedean axiom:
$(k > \varepsilon > 0 \Rightarrow (z := \varepsilon)(\mathbf{while}\ z < k\ \mathbf{do}\ z := z+\varepsilon\ \mathbf{od}\ \mathbf{true}))$,
we obtain, by (2), the following theorem:
$((\delta_0 \wedge k > \varepsilon > 0) \Rightarrow K\delta)$.
Thus the formula $(\xi \Rightarrow K\delta)$ is also provable. □
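Added example, not from the book: the bisection program $K$ of Theorem 8.1 run over exact rationals, checking after each execution of $M$ the invariant $\delta_j$ of Lemma 8.3 ($f(a)\cdot f(b) \le 0 \wedge b-a = k/2^j$), on exit the postcondition $\delta$, and the Archimedean loop $(z := \varepsilon)(\mathbf{while}\ z < k\ \mathbf{do}\ z := z+\varepsilon\ \mathbf{od})$ whose termination the proof relies on. The function $f$ and the interval are constructed sample inputs; the helper names are our own.

```python
from fractions import Fraction as Fr

def delta(f, a, b, k, j):
    """delta_j: f(a)*f(b) <= 0 and (b - a) = k/2^j, evaluated exactly."""
    return f(a) * f(b) <= 0 and b - a == k / 2**j

def bisection(f, a, b, eps):
    """Program K: while (b - a) > eps do M od, with M the body of Lemma 8.2.
    Returns the final (a, b), the iteration count j and whether every
    delta_j held along the run (Lemma 8.3: delta_0 => M^j delta_j)."""
    k = b - a                        # delta_0 requires b - a = k/2^0
    j, invariant_ok = 0, delta(f, a, b, k, 0)
    while (b - a) > eps:             # loop guard of K
        x = (a + b) / 2              # M: x := (a+b)/2
        if f(a) * f(x) <= 0:         #    if f(a)*f(x) <= 0 then b := x else a := x fi
            b = x
        else:
            a = x
        j += 1
        invariant_ok = invariant_ok and delta(f, a, b, k, j)
    return a, b, j, invariant_ok

def postcondition(f, a, b, eps):
    """delta: f(a)*f(b) <= 0 and (b - a) <= eps."""
    return f(a) * f(b) <= 0 and b - a <= eps

def archimedean_steps(k, eps):
    """Iterations of (z := eps)(while z < k do z := z + eps od) from the proof
    of Theorem 8.1; the loop halts exactly because the field is Archimedean."""
    z, j = eps, 0
    while z < k:
        z, j = z + eps, j + 1
    return j

def demo():
    """Constructed instance: f(x) = x^2 - 2 on [0, 2] with eps = 1/100."""
    f = lambda x: x * x - 2
    a, b, eps = Fr(0), Fr(2), Fr(1, 100)
    precondition = f(a) * f(b) < 0 and (b - a) > eps > 0      # xi
    a2, b2, j, inv = bisection(f, a, b, eps)
    # the bisection needs far fewer steps than the Archimedean loop bound
    bounded = j <= archimedean_steps(b - a, eps)
    return precondition, inv, postcondition(f, a2, b2, eps), j, b2 - a2, bounded
```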

BIBLIOGRAPHIC REMARKS

The algorithmic languages discussed here were introduced by Salwicki (1970). The role of semantical properties of programs (termination, partial correctness) and certain formalisms were first presented by Engeler (1967), Floyd (1967) and Hoare (1969). The origins of the theory of programs go back to Turing (1949), Yanov (1959) and McCarthy (1961). The first deductive system for proving equivalence of program schemes was constructed by Yanov (1959). Another system for a combination of first-order logic and λ-calculus was elaborated by Thiele (1966).
The program of research into algorithmic logic was first formulated by Salwicki (1970). The axiomatization and the completeness theorem of algorithmic logic were given by Mirkowska (1971). Kreczmar (1974) studied effectivity problems in algorithmic logic. Algorithmic logic can also be called a logic of the weakest precondition, cf. Dijkstra (1976); the strongest postcondition was studied by Banachowski (1977).
Many authors have studied algorithmic logic using mathematical tools in addition to those mentioned above, e.g. Rasiowa (1975), Grabowski (1981), Danko (1980), Perkowska (1972) and many others.
CHAPTER III

METAMATHEMATICAL INVESTIGATIONS OF ALGORITHMIC LOGIC

We have seen in the preceding chapter that the axioms of algorithmic logic (AL) are tautologies, and that the inference rules are sound. We have proved that for any algorithmic theory the theorems of the theory are valid in all its models. In this chapter we shall prove the inverse implication, which will be referred to as the Completeness Theorem. It shows that semantic and syntactic methods of proving properties of programs are equivalent. The Completeness Theorem allows us to prove many properties of algorithmic logic, e.g. inessentiality of definitions, which has a straightforward interpretation in computer science, namely that subroutines (i.e. non-recursive procedures) can be eliminated.
Another important corollary which follows from the Completeness Theorem states that the axiomatization of AL characterizes the semantics of program connectives in a unique way.
The chapter also contains another axiomatization of AL, which is constructed in a way similar to Gentzen's axiomatization.
Bearing in mind the future use of AL in algorithmic theories of data structures, we provide various extensions of the main result on completeness to the cases of data structures with partial operations and of many-sorted data structures.

1. LINDENBAUM ALGEBRA

Let $T$ denote an algorithmic theory $\langle L, C, A\rangle$, where $L$ is an algorithmic language (cf. Chapter I, § 1), $C$ is the syntactic consequence operation and $A$ is a set of specific axioms.

Definition 1.1. By $\approx$ we shall denote the equivalence relation in the set of all formulas of the language $L$ such that for arbitrary formulas $\alpha, \beta$
$\alpha \approx \beta$ iff $A \vdash (\alpha \Rightarrow \beta)$ and $A \vdash (\beta \Rightarrow \alpha)$. □
The following lemma is an extension of the classical fact that the relation $\approx$ is a congruence in the algebra of formulas (cf. Chapter I, § 1).

Lemma 1.1. For all formulas $\alpha, \beta, \alpha', \beta'$ and every program $M$, if $\beta \approx \beta'$ and $\alpha \approx \alpha'$ then
$(\alpha \vee \beta) \approx (\alpha' \vee \beta')$, $(\alpha \Rightarrow \beta) \approx (\alpha' \Rightarrow \beta')$,
$(\alpha \wedge \beta) \approx (\alpha' \wedge \beta')$, ${\sim}\alpha \approx {\sim}\alpha'$,
$M\alpha \approx M\alpha'$,
$\bigcup M\alpha \approx \bigcup M\alpha'$, $\bigcap M\alpha \approx \bigcap M\alpha'$,
$(\exists x)\alpha(x) \approx (\exists x)\alpha'(x)$, $(\forall x)\alpha(x) \approx (\forall x)\alpha'(x)$.
Proof. The first four equivalences follow by classical propositional calculus.
The equivalence $M\alpha \approx M\alpha'$ follows immediately from the assumption $\alpha \approx \alpha'$ by the rule of inference r2.
The equivalences $\bigcup M\alpha \approx \bigcup M\alpha'$ and $\bigcap M\alpha \approx \bigcap M\alpha'$ follow from the assumption $\alpha \approx \alpha'$ by rules (10) and (11) from Chapter II, § 7.
Let $\alpha(x) \approx \alpha'(x)$ and let $x$ be an individual variable free in $\alpha$ and $\alpha'$. Then by r2,
$(x := \tau)\alpha(x) \approx (x := \tau)\alpha'(x)$ for every term $\tau$.
Hence by Ax19,
$(x := \tau)\alpha(x) \Rightarrow (\exists x)\alpha'(x)$ and
$(x := \tau)\alpha'(x) \Rightarrow (\exists x)\alpha(x)$.
Let us take as $\tau$ an individual variable $y$ such that $y \notin V(\alpha) \cup V(\alpha')$. Then by r3
$(\exists x)\alpha(x) \Rightarrow (\exists x)\alpha'(x)$ and $(\exists x)\alpha'(x) \Rightarrow (\exists x)\alpha(x)$.
From the above and Ax20 it follows that
$(\forall x)\alpha(x) \approx (\forall x)\alpha'(x)$. □

Let $F/{\approx}$ be the set of all equivalence classes with respect to the relation $\approx$. By $\|\alpha\|$ we shall denote the set of all formulas $\beta \in F$ such that $\alpha \approx \beta$.
As a consequence of Lemma 1.1 we can consider a quotient algebra
$\langle F/{\approx},\ \cup,\ \cap,\ \Rightarrow,\ -\rangle$
where the operations $\cup, \cap, \Rightarrow, -$ are defined as follows. For every $\alpha, \beta \in F$,
$\|\alpha\| \cup \|\beta\| = \|(\alpha \vee \beta)\|$, $\|\alpha\| \Rightarrow \|\beta\| = \|(\alpha \Rightarrow \beta)\|$,
$\|\alpha\| \cap \|\beta\| = \|(\alpha \wedge \beta)\|$, $-\|\alpha\| = \|{\sim}\alpha\|$.

We shall call this algebra the Lindenbaum algebra of the theory $T = \langle L, C, A\rangle$.
Observe that the relation $\le$ such that for every $\alpha, \beta \in F$,

(1) $\|\alpha\| \le \|\beta\|$ iff $A \vdash (\alpha \Rightarrow \beta)$

defines an ordering relation in the Lindenbaum algebra.
And indeed, for every formula $\alpha \in F$, the formula $(\alpha \Rightarrow \alpha)$ is a theorem in $T$, as can be seen from Figure 1.1 (p. 81). Hence $\|\alpha\| \le \|\alpha\|$.
If, for some formulas $\alpha, \beta, \delta \in F$, $\|\alpha\| \le \|\beta\|$ and $\|\beta\| \le \|\delta\|$, then $A \vdash (\alpha \Rightarrow \beta)$ and $A \vdash (\beta \Rightarrow \delta)$ and therefore by Ax1, $\|\alpha\| \le \|\delta\|$.
Finally, suppose $\|\alpha\| \le \|\beta\|$ and $\|\beta\| \le \|\alpha\|$. It is the case that $A \vdash (\alpha \Rightarrow \beta)$ and $A \vdash (\beta \Rightarrow \alpha)$. Hence $\alpha \approx \beta$ and as a consequence $\|\alpha\| = \|\beta\|$.

Lemma 1.2. The Lindenbaum algebra of a theory $T = \langle L, C, A\rangle$ is a Boolean algebra and for every formula $\alpha \in F$:
(i) $\|\alpha\| = 1$ iff $\alpha$ is a theorem in the theory $T$,
(ii) $\|\alpha\| \ne 0$ iff ${\sim}\alpha$ is not a theorem in $T$,
where $1$ is the unit-element and $0$ is the zero-element in the Boolean algebra.
Proof. By axioms Ax2 and Ax3, for arbitrary formulas $\alpha, \beta$, $\|\alpha\| \le \|(\alpha \vee \beta)\|$ and $\|\beta\| \le \|(\alpha \vee \beta)\|$.
By axiom Ax4, for every formula $\delta$, if $\|\alpha\| \le \|\delta\|$ and $\|\beta\| \le \|\delta\|$, then $\|(\alpha \vee \beta)\| \le \|\delta\|$, cf. Figure 1.2. Hence $\mathrm{l.u.b.}\{\|\alpha\|, \|\beta\|\} = \|\alpha\| \cup \|\beta\|$.
Analogously, by Ax5 and Ax6, $\|(\alpha \wedge \beta)\| \le \|\alpha\|$ and $\|(\alpha \wedge \beta)\| \le \|\beta\|$.
By the proof indicated in Figure 1.3, for an arbitrary formula $\delta$ such that $\|\delta\| \le \|\alpha\|$ and $\|\delta\| \le \|\beta\|$ we have $\|\delta\| \le \|\alpha\| \cap \|\beta\|$. Hence $\mathrm{g.l.b.}\{\|\alpha\|, \|\beta\|\} = \|\alpha\| \cap \|\beta\|$. Thus we have proved that the Lindenbaum algebra is a lattice (cf. Appendix A).
[Fig. 1.2: proof tree; not reproduced.]

[Fig. 1.3: proof tree; not reproduced.]

Figures 1.4 (p. 84) and 1.5 (p. 85), where
$\beta_1 = ((\alpha \wedge \delta) \Rightarrow \alpha)$ {Ax5}, $\beta_6 = ((\beta \wedge \delta) \Rightarrow \beta_8)$,
$\beta_2 = (\alpha \Rightarrow (\alpha \vee \beta))$ {Ax2}, $\beta_7 = ((\alpha \wedge \delta) \vee (\beta \wedge \delta))$,
$\beta_3 = ((\alpha \wedge \delta) \Rightarrow (\alpha \vee \beta))$, $\beta_8 = ((\alpha \vee \beta) \wedge \delta)$,
$\beta_4 = ((\alpha \wedge \delta) \Rightarrow \delta)$ {Ax6}, $\beta_9 = ((\beta \wedge \delta) \Rightarrow \delta)$ {Ax6},
$\beta_5 = ((\alpha \wedge \delta) \Rightarrow \beta_8)$, $\beta_{10} = ((\beta \wedge \delta) \Rightarrow (\alpha \vee \beta))$,
$\beta_{11} = (\beta \Rightarrow (\alpha \vee \beta))$ {Ax3}, $\beta_{13} = (\delta \Rightarrow \beta_7)$,
$\beta_{12} = ((\beta \wedge \delta) \Rightarrow \beta)$ {Ax5}, $\beta_{14} = ((\alpha \vee \beta) \Rightarrow \beta_{13})$,
are formal proofs, which show that $(\|\alpha\| \cup \|\beta\|) \cap \|\delta\| = ((\|\alpha\| \cap \|\delta\|) \cup (\|\beta\| \cap \|\delta\|))$ for all $\alpha, \beta, \delta \in F$.

[Figures 1.4 and 1.5: proof trees built from $\beta_1, \ldots, \beta_{14}$; not reproduced.]

By Ax9, $\|\mathbf{false}\| = 0$ and by Ax11, $\|\mathbf{true}\| = 1$. To prove that $(\|\alpha\| \cap -\|\alpha\|) \cup \|\beta\| = \|\beta\|$ and $(\|\alpha\| \cup -\|\alpha\|) \cap \|\beta\| = \|\beta\|$, see Figure 1.6 (p. 86). $-\|\alpha\|$ is hence a complement of $\|\alpha\|$ for every $\alpha \in F$.
To prove (i) let us note that if $\|\alpha\| = 1$, then for every $\beta \in F$, $\|\beta\| \le \|\alpha\|$. In particular, $\|(\alpha \vee {\sim}\alpha)\| \le \|\alpha\|$. Hence by Ax11, $A \vdash \alpha$.
Conversely, if $A \vdash \alpha$, then $A \vdash (\beta \Rightarrow \alpha)$ as can be seen from Figure 1.7 (p. 87). Thus for every $\beta \in F$, $\|\beta\| \le \|\alpha\|$, i.e. $\|\alpha\| = 1$.
To prove (ii) observe that if $\|\alpha\| = 0$, then for every $\beta$, $\|\alpha\| \le \|\beta\|$, i.e. $A \vdash (\alpha \Rightarrow \beta)$. Conversely, if $A \vdash {\sim}\alpha$, then Figure 1.8 (p. 87) is a proof of the formula $(\alpha \Rightarrow \beta)$ for every $\beta \in F$. Thus $\|\alpha\| \le \|\beta\|$ for every $\beta \in F$, i.e. $\|\alpha\| = 0$. □

Corollary 1.1. If a theory $T$ is consistent then the Lindenbaum algebra of this theory is a non-degenerate Boolean algebra. □

The Lindenbaum algebra can be treated as an algebra with additional operations induced by programs. More strictly, for every program $M \in \Pi$, $M$ can be treated as a one-argument operation in the Lindenbaum algebra such that
$M(\|\alpha\|) = \|M\alpha\|$
for every formula $\alpha \in F$.
[Fig. 1.8: proof tree of $(\alpha \Rightarrow \beta)$ from ${\sim}\alpha$, using Ax5, Ax8 and Ax9; not reproduced.]

Lemma 1.3. For every formula $\alpha$ and all programs $M$ and $M'$ the following properties hold:
(i) $\|M'\bigcup M\alpha\| = \mathrm{l.u.b.}_{i \in N}\,\|M'(M^i\alpha)\|$,
(ii) $\|M'\bigcap M\alpha\| = \mathrm{g.l.b.}_{i \in N}\,\|M'(M^i\alpha)\|$,
(iii) $\|M'(\exists x)\alpha(x)\| = \mathrm{l.u.b.}_{\tau \in T}\,\|M'(x := \tau)\alpha(x)\|$,
(iv) $\|M'(\forall x)\alpha(x)\| = \mathrm{g.l.b.}_{\tau \in T}\,\|M'(x := \tau)\alpha(x)\|$.
Proof. By properties (5) and (6) from Chapter II, § 7, it follows that
$\vdash (M'(M^i\alpha) \Rightarrow M'\bigcup M\alpha)$ and $\vdash (M'\bigcap M\alpha \Rightarrow M'(M^i\alpha))$
for every natural number $i$. Hence, as a result of application of rules r4 and r5 we have
$\|M'(M^i\alpha)\| \le \|M'\bigcup M\alpha\|$ and $\|M'\bigcap M\alpha\| \le \|M'(M^i\alpha)\|$.
Let us suppose that there are formulas $\delta, \delta'$ such that for every natural number $i$,
$\|M'(M^i\alpha)\| \le \|\delta\|$ and $\|\delta'\| \le \|M'(M^i\alpha)\|$.
By inference rules r4 and r5,
$\|M'\bigcup M\alpha\| \le \|\delta\|$ and $\|\delta'\| \le \|M'\bigcap M\alpha\|$.
This implies (i) and (ii).
To prove (iii), note that by Ax19
$\|M'(x := \tau)\alpha(x)\| \le \|M'(\exists x)\alpha(x)\|$
for every term $\tau \in T$. Suppose for some $\beta \in F$ that
$\|M'(x := \tau)\alpha(x)\| \le \|\beta\|$ for all $\tau \in T$.
In particular
$A \vdash (M'(x := y)\alpha(x) \Rightarrow \beta)$
for an arbitrary individual variable $y$ occurring neither in $M'\alpha$ nor in $\beta$.
Thus by rule r3, $A \vdash (M'(\exists x)\alpha(x) \Rightarrow \beta)$, i.e. $\|M'(\exists x)\alpha(x)\| \le \|\beta\|$.
Hence (iii) holds.
The analogous proof of (iv) is omitted. □

Let $Q$ denote the following set of elements of the Lindenbaum algebra:
$\mathrm{l.u.b.}_{i \in N}\,\|M'(M^i\alpha)\|$, $\mathrm{g.l.b.}_{i \in N}\,\|M'(M^i\alpha)\|$,
$\mathrm{l.u.b.}_{\tau \in T}\,\|M(x := \tau)\alpha\|$, $\mathrm{g.l.b.}_{\tau \in T}\,\|M(x := \tau)\alpha\|$,
where $M', M$ are programs and $\alpha$ is a formula.

The set $Q$ is denumerable since the alphabet of the algorithmic language is a denumerable set.
Let us recall that a $Q$-filter in the Lindenbaum algebra is a non-empty proper subset $V$ of $F/{\approx}$ with the following properties:
(2) $a \cap b \in V$ iff $a \in V$ and $b \in V$,
(3) if $a \in V$ and $a \le b$, then $b \in V$,
(4) if $a \cup b \in V$, then $a \in V$ or $b \in V$,
(5) for every element $a = \mathrm{l.u.b.}_{j \in J}\,a_j$, $a \in Q$, if $a \in V$ then there exists $j \in J$ such that $a_j \in V$,
(6) for every element $b = \mathrm{g.l.b.}_{j \in J}\,b_j$, $b \in Q$, if for all $j \in J$, $b_j \in V$ then $b \in V$.
Lemma 1.4. For every non-zero element $a_0$ of the Lindenbaum algebra of theory $T$ there exists a $Q$-filter $V$ such that $a_0 \in V$.
For the proof see Appendix B. □

2. THE COMPLETENESS THEOREM

The present section is devoted to a comparison of the syntactic and the semantic consequence operations. It has been proved (cf. Chapter II, § 6) that every theorem of an algorithmic theory is valid in every model of the theory. Now we shall prove that every formula valid in every model of an algorithmic theory is a theorem in this theory.
Let $T = \langle L, C, A\rangle$ be a consistent (cf. Chapter II, § 6) algorithmic theory. According to Corollary 1.1 and Lemma 1.4 there exists a $Q$-filter in the Lindenbaum algebra of the theory.

Definition 2.1. By a canonical data structure determined by a $Q$-filter $V$ we shall mean the relational system $\mathfrak{A}_V$ where $\langle T, \{\varphi_{\mathfrak{A}_V}\}_{\varphi \in \Phi}\rangle$ is an algebra of terms (cf. Chapter II, § 1), i.e.
$\varphi_{\mathfrak{A}_V}(\tau_1, \ldots, \tau_n) = \varphi(\tau_1, \ldots, \tau_n)$ for $\varphi \in \Phi$,
and where for every predicate $\varrho \in P$,
$\varrho_{\mathfrak{A}_V}(\tau_1, \ldots, \tau_n) = 1$ iff $\|\varrho(\tau_1, \ldots, \tau_n)\| \in V$. □

Let us denote by $v_V$ a valuation in a canonical data structure such that
$v_V(x) = x$ for every individual variable $x \in V_i$,
$v_V(p) = 1$ iff $\|p\| \in V$, for every propositional variable $p \in V_0$.
The following lemma is crucial for further considerations.

Lemma 2.1. For every formula $\alpha$ in theory $T$,
(1) $\mathfrak{A}_V, v_V \models \alpha$ iff $\|\alpha\| \in V$.
The proof of Lemma 2.1 will proceed by induction with respect to the complexity of formulas. The ordering relation we need should be adequate to reflect the evaluation of the value of a formula.
Let $Z$ denote a set which contains the following pairs:
$\langle \varrho(\tau_1, \ldots, \tau_n), s\varrho(\tau_1, \ldots, \tau_n)\rangle$ for $\varrho \in P$, $\tau_i \in T$, $i \le n$,
$\langle \beta, {\sim}\beta\rangle$, $\langle \alpha, (\alpha \vee \beta)\rangle$, $\langle \beta, (\alpha \vee \beta)\rangle$, $\langle \alpha, (\alpha \Rightarrow \beta)\rangle$,
$\langle \beta, (\alpha \Rightarrow \beta)\rangle$, $\langle \alpha, (\alpha \wedge \beta)\rangle$, $\langle \beta, (\alpha \wedge \beta)\rangle$,
$\langle M^i\alpha, \bigcup M\alpha\rangle$, $\langle M^i\alpha, \bigcap M\alpha\rangle$ for every $i \in N$,
$\langle M(M'\alpha), \mathbf{begin}\ M;\ M'\ \mathbf{end}\ \alpha\rangle$,
$\langle (\gamma \wedge M\alpha), \mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{else}\ M'\ \mathbf{fi}\ \alpha\rangle$,
$\langle ({\sim}\gamma \wedge M'\alpha), \mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{else}\ M'\ \mathbf{fi}\ \alpha\rangle$,
$\langle (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i({\sim}\gamma \wedge \alpha), \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha\rangle$ for all $i \in N$,
$\langle (x := \tau)\alpha(x), (\exists x)\alpha(x)\rangle$, $\langle (x := \tau)\alpha(x), (\forall x)\alpha(x)\rangle$,
and is closed with respect to the following rules:
(i) if $\langle \alpha, \beta\rangle \in Z$, then for every $s \in S$, $\langle s\alpha, s\beta\rangle \in Z$,
(ii) if $\langle \alpha, \beta\rangle \in Z$ and $\langle \beta, \delta\rangle \in Z$, then $\langle \alpha, \delta\rangle \in Z$,
where $\alpha, \beta$ are arbitrary formulas, $M, M'$ are programs, $\gamma$ is an open formula and $\tau$ is a term.

Definition 2.2. We shall say that a formula $\alpha$ is submitted to a formula $\beta$, in short $\alpha \prec \beta$, if and only if $\langle \alpha, \beta\rangle$ belongs to $Z$. □

Lemma 2.2. For every set of formulas $Z$ there exists a formula $\alpha$ which is the minimal element in $Z$ with respect to the relation $\prec$.
For the proof see Appendix B. □

Proof of Lemma 2.1. Clearly Lemma 2.1 holds for all propositional variables and for all elementary formulas.
Assume that Lemma 2.1 holds for all formulas which are submitted to the formula $\alpha$:
(2) $\mathfrak{A}_V, v_V \models \beta$ iff $\|\beta\| \in V$, for all $\beta \prec \alpha$.
Below we shall consider the different forms of the formula $\alpha$.
1. Let $\alpha$ be of the form $s\varrho(\tau_1, \ldots, \tau_n)$. By Lemma 2.1 in Chapter II it then follows that
$\mathfrak{A}_V, v_V \models s\varrho(\tau_1, \ldots, \tau_n)$ iff $\mathfrak{A}_V, v_V \models \varrho(s\tau_1, \ldots, s\tau_n)$.
Since $\varrho(\tau_1, \ldots, \tau_n) \prec s\varrho(\tau_1, \ldots, \tau_n)$, by the inductive assumption, (1) holds.
Let us assume that throughout this proof $s$ denotes a sequence of assignment instructions.
2. Let $\alpha$ be of the form $s(\beta \vee \delta)$. Since both formulas $s\beta$ and $s\delta$ are submitted to $s(\beta \vee \delta)$, by (2),
$\mathfrak{A}_V, v_V \models s\beta$ iff $\|s\beta\| \in V$,
$\mathfrak{A}_V, v_V \models s\delta$ iff $\|s\delta\| \in V$.
Hence by properties (3) and (4) of $Q$-filters (cf. § 1)
$\|s\beta\| \cup \|s\delta\| \in V$ iff $\mathfrak{A}_V, v_V \models s\beta$ or $\mathfrak{A}_V, v_V \models s\delta$.
Thus by the definition of semantics and Lemma 3.4 from Chapter II
$\mathfrak{A}_V, v_V \models s(\beta \vee \delta)$ iff $\|s(\beta \vee \delta)\| \in V$.
The similar proofs for the formulas $s(\beta \wedge \delta)$, $s(\beta \Rightarrow \delta)$ and $s{\sim}\beta$ are omitted.
3. Let $\alpha$ be of the form $sM\beta$ where $M$ is not an assignment instruction. We shall consider three different forms of the program $M$.
3a. $M = \mathbf{begin}\ M';\ M''\ \mathbf{end}$.
By Lemma 3.4 from Chapter II and since
$s(M'(M''\beta)) \prec s(\mathbf{begin}\ M';\ M''\ \mathbf{end}\ \beta)$,
$\mathfrak{A}_V, v_V \models \alpha$ iff $\|s(M'(M''\beta))\| \in V$.
From axiom Ax21 and the formula just proved, (1) follows.
3b. $M = \mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{else}\ M''\ \mathbf{fi}$.
As a consequence of the definition of semantics and the inductive assumption,
$\mathfrak{A}_V, v_V \models \alpha$ iff $\|(\gamma \wedge M'\alpha)\| \in V$ or $\|({\sim}\gamma \wedge M''\alpha)\| \in V$.
Hence by properties (3) and (4) of $Q$-filters (cf. § 1)
$\mathfrak{A}_V, v_V \models \alpha$ iff $\|(\gamma \wedge M'\alpha) \vee ({\sim}\gamma \wedge M''\alpha)\| \in V$.
Property (1) follows from the above equivalence by Ax22.
3c. $M = \mathbf{while}\ \gamma\ \mathbf{do}\ M'\ \mathbf{od}$.
By Example 5.4 from Chapter II,
$\mathfrak{A}_V, v_V \models \alpha$ iff there exists a natural number $i$ such that $\mathfrak{A}_V, v_V \models s(\mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{fi})^i({\sim}\gamma \wedge \alpha)$.
From Definition 2.2 it follows that the formula $s(\mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{fi})^i({\sim}\gamma \wedge \alpha)$
is submitted to the formula $\alpha$ for every natural number $i$. Hence by the inductive assumption,
$\mathfrak{A}_V, v_V \models \alpha$ iff there exists a natural number $i$ such that $\|s(\mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{fi})^i({\sim}\gamma \wedge \alpha)\| \in V$.
By property (5), § 1, and Lemma 1.3 we obtain
$\mathfrak{A}_V, v_V \models \alpha$ iff $\|s\bigcup \mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{fi}\ ({\sim}\gamma \wedge \beta)\| \in V$.
Finally, since the formula
$s\bigcup \mathbf{if}\ \gamma\ \mathbf{then}\ M'\ \mathbf{fi}\ ({\sim}\gamma \wedge \beta) \equiv s(\mathbf{while}\ \gamma\ \mathbf{do}\ M'\ \mathbf{od}\ \beta)$
is an algorithmic tautology (cf. Chapter II, Example 5.3), then
$\mathfrak{A}_V, v_V \models \alpha$ iff $\|s(\mathbf{while}\ \gamma\ \mathbf{do}\ M'\ \mathbf{od}\ \beta)\| \in V$.
4. Let $\alpha$ be of the form $s\bigcap M'\beta$. By the definition of semantics
$\mathfrak{A}_V, v_V \models \alpha$ iff for every $i \in N$, $\mathfrak{A}_V, v_V \models s(M'^i\beta)$.
However, $s(M'^i\beta) \prec s\bigcap M'\beta$ for all $i \in N$. Thus by inductive assumption (2)
$\mathfrak{A}_V, v_V \models s(M'^i\beta)$ iff $\|s(M'^i\beta)\| \in V$.
From property (6), § 1, and Lemma 1.3 we have
$\|s(M'^i\beta)\| \in V$ for every $i \in N$ iff $\|s\bigcap M'\beta\| \in V$.

Clearly the previous two equivalences imply (1).

5. Let $\alpha$ be of the form $s((\exists x)\beta)$. From the definition of semantics it follows that
$\mathfrak{A}_V, v_V \models \alpha$ iff there exists a term $\tau$ such that $\mathfrak{A}_V, s_{\mathfrak{A}_V}(v_V) \models (x := \tau)\beta(x)$.
Applying the inductive assumption and by property (5), § 1, and Lemma 1.3 we obtain
$\|s((x := \tau)\beta(x))\| \in V$ for some $\tau \in T$, iff $\|s(\exists x)\beta(x)\| \in V$.
Hence
$\mathfrak{A}_V, v_V \models \alpha$ iff $\|s((\exists x)\beta(x))\| \in V$.
In an entirely similar manner we can prove the property (1) for formulas of the form $s\bigcup M'\beta$ and $s(\forall x)\beta(x)$.
This completes the proof of Lemma 2.1. □
Lemma 2.3. For every valuation $v$ in the data structure $\mathfrak{A}_V$ and for every formula $\alpha$, there exists a program $M$ such that
$\alpha_{\mathfrak{A}_V}(v) = (M\alpha)_{\mathfrak{A}_V}(v_V)$.
Proof. Let $x_1, \ldots, x_n$ be the sequence of all individual variables that occur in $\alpha$ and let $v$ be a valuation such that $v(x_i) = \tau_i$, for $i = 1, \ldots, n$.
Let $p_1, \ldots, p_m$ be the sequence of all propositional variables that occur in $\alpha$ and let us assume that
$\alpha_j = \mathbf{true}$, if $v(p_j) = 1$, and $\alpha_j = \mathbf{false}$, if $v(p_j) = 0$, for $j = 1, \ldots, m$.
Consider a program $M$ of the form

$\mathbf{begin}\ x_1 := \tau_1;\ \ldots;\ x_n := \tau_n;\ p_1 := \alpha_1;\ \ldots;\ p_m := \alpha_m\ \mathbf{end}$.

Observe that $M_{\mathfrak{A}_V}(v_V)$ is a valuation $v'$ such that
$v'(x_i) = \tau_{i\,\mathfrak{A}_V}(v_V) = \tau_i = v(x_i)$, for $1 \le i \le n$,
$v'(p_j) = \alpha_{j\,\mathfrak{A}_V}(v_V) = 1$ iff $\|\alpha_j\| \in V$ iff $v(p_j) = 1$, for $1 \le j \le m$,
and $v'(z) = v_V(z)$ for all remaining variables. Hence
$\mathfrak{A}_V, v_V \models M\alpha$ iff $\mathfrak{A}_V, v' \models \alpha$ iff $\mathfrak{A}_V, v \models \alpha$. □

Theorem 2.4 (Model Existence Theorem). Every consistent algorithmic


theory has a model.
Proof. Let T be a consistent theory, T = <L, C, A). Hence (cf.
Chapter II, Definition 6.2) there exists a formula oc0 such that non A f=: a0.
By Lemma 1.2, 11~ a011 ^ 0 and therefore by Lemma 1.4, there exists
a g-filter V such that 11~ oc011 e V.
Let us consider the canonical structure 9IP determined by this filter.
We shall prove that 9IP is a model of the set A .
Consider a formula a and a valuation v in 9IP. By Lemma 2.3 there
exists a program M such that 9IP, v (= a iff 9IP, |n M a and 1- M true.
As a consequence of the auxiliary rule
a, M true , „ ^ , „, .
— — (cf. Example 5.1 in Chapter II)

we have A \-Moc. Hence by Lemma 1.2 ||M a|| = 1 and therefore


\\Moc\\eV.
94 III METAMATHEMATICAL INVESTIGATIONS

From Lemmas 2.1 and 2.3 it follows that


91v ,v\=:oc iff 9IF, v v fn Moc iff \\M ct\\eV.
Hence 9IF,^f= :a for every oc e A and every valuation v in 9IF, i.e.
9IF is a model of theory T. □

Theorem 2.5 (Completeness Theorem). For every formula $\alpha$ in a consistent theory $T$ the following conditions are equivalent:
(i) $\alpha$ is a theorem in $T$,
(ii) $\alpha$ is valid in every model of the theory $T$.
Proof. By Theorem 6.1 (Chapter II), (i) implies (ii).
Suppose $\alpha$ is not a theorem in $T$. As a consequence of Lemma 1.2, $\|\sim\alpha\| \neq 0$ and therefore there exists a Q-filter $V$ such that $\|\sim\alpha\| \in V$ (cf. Lemma 1.4). It follows from Lemma 2.1 that $\mathfrak{A}_V, v_V \models \sim\alpha$. Applying Theorem 2.4 we obtain the conclusion that $\alpha$ is not valid in every model of $T$. □

Theorem 2.5 asserts that the syntactic consequence operation and the semantic consequence operation determine the same sets of formulas, i.e., $C(Z) = Cn(Z)$ for every set of formulas $Z$.

Theorem 2.6. For every formula $\alpha$, $\vdash \alpha$ iff $\models \alpha$, i.e. the algorithmic logic is complete.
This theorem follows directly from the previous one. □

Theorem 2.5 indicates that the semantic and the syntactic methods can be used interchangeably. To prove a theorem we can construct a formal proof or discuss its validity. In most examples the second method is easier than the first.

Example. For every formula $\alpha$ and every program $M$, if $V(\alpha) \cap V(M) = \emptyset$, then the formula
$$(M\,\mathbf{true} \Rightarrow (M\alpha \equiv \alpha))$$
is a theorem of algorithmic logic.
Proof. If $V(\alpha) \cap V(M) = \emptyset$, then for every data structure $\mathfrak{A}$ and valuation $v$ such that $M_{\mathfrak{A}}(v)$ is defined
$$\mathfrak{A}, v \models \alpha \quad\text{iff}\quad \mathfrak{A}, M_{\mathfrak{A}}(v) \models \alpha,$$
since the value of a formula depends only on the variables that occur in it. Hence for every $\mathfrak{A}$ and $v$
$$\mathfrak{A}, v \models (M\,\mathbf{true} \Rightarrow (\alpha \equiv M\alpha))$$
and, as a consequence of the Completeness Theorem, the formula $(M\,\mathbf{true} \Rightarrow (\alpha \equiv M\alpha))$ is a theorem of algorithmic logic. □

3. TWO COROLLARIES OF THE COMPLETENESS THEOREM

Let $T = \langle L, C, A\rangle$ be an algorithmic theory. In constructing proofs we frequently make use of the following important fact.

Theorem 3.1 (Deduction Theorem). Let $\alpha$ be a formula without free variables. A formula $\beta$ is a theorem of the theory $T' = \langle L, C, A \cup \{\alpha\}\rangle$ iff the formula $(\alpha \Rightarrow \beta)$ is a theorem of the theory $T$, i.e. $A \cup \{\alpha\} \vdash \beta$ iff $A \vdash (\alpha \Rightarrow \beta)$.
Proof. Assume that $A \cup \{\alpha\} \vdash \beta$. By completeness it follows that
(1) $A \cup \{\alpha\} \models \beta$.
Let us suppose that there is a model $\mathfrak{M}$ of the set $A$ such that $(\alpha \Rightarrow \beta)$ is not valid in it. Thus
(2) $\mathfrak{M}, v \models \alpha$ and non $\mathfrak{M}, v \models \beta$,
for some valuation $v$ in $\mathfrak{M}$. Since the value of the formula $\alpha$ does not depend on any valuation, $\mathfrak{M}$ is a model of the formula $\alpha$. Hence $\mathfrak{M} \models A \cup \{\alpha\}$ and, as a consequence of (1), $\mathfrak{M} \models \beta$, which contradicts (2). Hence $A \models (\alpha \Rightarrow \beta)$. By completeness, $A \vdash (\alpha \Rightarrow \beta)$.
Conversely, if $A \vdash (\alpha \Rightarrow \beta)$, then $A \cup \{\alpha\} \vdash (\alpha \Rightarrow \beta)$. Since $A \cup \{\alpha\} \vdash \alpha$, then by rule r1 (modus ponens), $A \cup \{\alpha\} \vdash \beta$. □

The above theorem can be strengthened if the syntactic assumption is replaced by the semantic one.

Definition 3.1. We shall say that a formula $\alpha$ is closed iff the value of $\alpha$ does not depend on any valuation in any data structure. □

For example, every formula which has no free occurrences of any variable is a closed formula, and the expression $(q := \mathbf{true})(q \Rightarrow \sim q)$ is also a closed formula.

Theorem 3.2. Let $\alpha$ be a closed formula of a theory $T = \langle L, C, A\rangle$. For every formula $\beta$ of $T$, $A \vdash (\alpha \Rightarrow \beta)$ iff $A \cup \{\alpha\} \vdash \beta$. □

Let us note that the Deduction Theorem does not hold if $\alpha$ is not required to be closed.
In view of Chapter II, § 4, the Upward Skolem-Löwenheim Theorem of classical logic fails to hold in algorithmic logic. However, it can be easily proved that the downward theorem holds.

Theorem 3.3 (Downward Skolem-Löwenheim Theorem). If an algorithmic theory has an infinite model, then it has a denumerable model.
Proof. Let $T = \langle L, C, A\rangle$ be an algorithmic theory and let $\mathfrak{M}$ be its infinite model. From Corollary 6.3 of Chapter II it follows that $T$ is consistent. As a consequence of Theorem 2.4 we find that $T$ has a denumerable model in the set of all terms. □

The third theorem of this section is analogous to the Herbrand theorem in classical logic.

Theorem 3.4. Let $K$ and $M$ be arbitrary programs without a while-operation and let $\alpha$ be an open formula. A formula $M\bigcup K\alpha$ is a theorem of AL iff there exists a natural number $m$ such that the formula
$$M\bigvee_{i \le m} K^i\alpha$$
is a theorem of AL.
For a proof see Chapter VI, § 5. □

As a simple generalization of Theorem 3.4 we obtain the following lemma.

Lemma 3.5. Let $\alpha$ be a formula of the form
$$\bigcap K_1 \ldots \bigcap K_m\,\bigl(M_1\bigcup K_{1+m}(\ldots M_n\bigcup K_{n+m}\,\beta)\ldots\bigr),$$
where $\beta$ is an open formula and $K_1, \ldots, K_{n+m}, M_1, \ldots, M_n$ are programs without a while-operation. The formula $\alpha$ is a theorem of algorithmic logic iff there exists a sequence $i_1, \ldots, i_n$ of natural numbers such that the formula
$$M_1\bigvee_{j \le i_1} K^j_{1+m}\bigl(\ldots(M_n\bigvee_{j \le i_n} K^j_{n+m}\,\beta)\ldots\bigr)$$
is a theorem of AL. □

We shall now present a simple application of Theorem 3.4 in the theory of programs.

Lemma 3.6. Let $K$ be a program of the form
$$\mathbf{begin}\ M_1;\ \mathbf{while}\ \gamma\ \mathbf{do}\ M_2\ \mathbf{od}\ \mathbf{end},$$
where $M_1, M_2$ are programs without a while-operation. Let $\models K\,\mathbf{true}$. Then there exists a natural number $n$ such that the length of every computation of $K$ is less than $n$.
Proof. By Example 5.3 of Chapter II the formula
$$M_1\bigcup(\mathbf{if}\ \gamma\ \mathbf{then}\ M_2\ \mathbf{fi})(\sim\gamma \wedge \alpha)$$
is a theorem of algorithmic logic. Thus by the Completeness Theorem and Theorem 3.4 there exists a natural number $m$ such that
$$\models M_1\bigvee_{i \le m}(\mathbf{if}\ \gamma\ \mathbf{then}\ M_2\ \mathbf{fi})^i(\sim\gamma \wedge \alpha).$$
We shall prove that the length of any computation of $K$ is proportional to $m$, i.e. that the number of iterations of $M_2$ in any computation is bounded by $m$.
Suppose $\mathfrak{A}$ is a data structure and $v$ is a valuation such that
$$K_{\mathfrak{A}}(v) = M_{2\mathfrak{A}}^{\,j}(M_{1\mathfrak{A}}(v)) \quad\text{and}\quad j > m.$$
Hence by the definition of semantics
$$\mathfrak{A}, v \models M_1(\mathbf{if}\ \gamma\ \mathbf{then}\ M_2\ \mathbf{fi})^i\gamma \quad\text{for all } i < j.$$
Thus
$$\text{non}\ \mathfrak{A}, v \models M_1\bigvee_{i \le m}(\mathbf{if}\ \gamma\ \mathbf{then}\ M_2\ \mathbf{fi})^i(\sim\gamma \wedge \alpha),$$
contrary to the assumption. □

4. THE STANDARD EXECUTION METHOD IS IMPLICITLY DEFINED BY THE AXIOMATIZATION OF ALGORITHMIC LOGIC

It has been shown in the preceding sections that our knowledge of the semantics of a chosen programming language is sufficiently complete, since there exists a proof of every algorithmic property which is semantically valid. Here we give a deeper insight into this.
The semantics of an algorithmic language $L$ consists of three elements:
(i) an interpretation of functors and predicates,
(ii) an execution method for programs,
(iii) a satisfiability relation.
The execution method defined in Chapter II, § 2 is based on the notion of computation. We shall call this the standard execution method. This definition of execution method is by no means a unique one: there are other possible definitions. In general, by an execution method we shall mean a function which to every program of the language $L$ assigns a binary relation in the set of all valuations in a given data structure.

Definition 4.1. We shall say that the execution method for programs is proper for AL iff the satisfiability relation which is based on it allows the soundness of the AL axiomatization to be proved. □

Obviously the standard execution method is proper for AL. The question naturally arises as to whether there are other, different execution methods proper for AL.
The program execution method is strictly connected to the problem of implementation. Can we treat our axiomatic system as a criterion for the correctness of an implementation?
The main conclusion of this section is that all conceivable proper execution methods of programs are similar in the sense that they induce the same input-output relations.
The completeness theorem can then be interpreted in a way which shows that the notion of computation is the one natural execution method for programs.
Now we shall formulate the thesis of this section more strictly.

Definition 4.2. By a semantic structure for $L$ we shall mean the triple $\langle\mathfrak{A}, I, \models\rangle$ where $\mathfrak{A}$ is a data structure for $L$, $I$ is an execution method, and $\models$ is a satisfiability relation. □

In what follows we shall restrict our considerations to the class of semantic structures $\langle\mathfrak{A}, I, \models\rangle$ such that
(1) the data structure $\mathfrak{A}$ is normalized, i.e. for arbitrary valuations $v_1, v_2$ in $\mathfrak{A}$,
$$v_1 \neq v_2 \quad\text{iff}\quad (\exists\beta)\,(\mathfrak{A}, v_1 \models \beta \ \text{and non}\ \mathfrak{A}, v_2 \models \beta)$$
(different valuations can be distinguished by means of a formula in the language $L$) and
(2) the satisfiability relation $\models$ is such that
$$\mathfrak{A}, v \models (\alpha \vee \beta) \quad\text{iff}\quad \mathfrak{A}, v \models \alpha \ \text{or}\ \mathfrak{A}, v \models \beta,$$
$$\mathfrak{A}, v \models (\alpha \wedge \beta) \quad\text{iff}\quad \mathfrak{A}, v \models \alpha \ \text{and}\ \mathfrak{A}, v \models \beta,$$
$$\mathfrak{A}, v \models \sim\alpha \quad\text{iff}\quad \text{non}\ \mathfrak{A}, v \models \alpha,$$
$$\mathfrak{A}, v \models M\alpha \quad\text{iff}\quad (\exists v')\,((v, v') \in I(M) \ \text{and}\ \mathfrak{A}, v' \models \alpha)$$
for arbitrary formulas $\alpha, \beta$, program $M$ and arbitrary valuation $v$.
Let $\langle\mathfrak{A}, I, \models\rangle$ be a fixed semantic structure of the above defined class.

Lemma 4.1. For every program $M$, if property (3) holds for arbitrary formulas $\alpha, \beta$, where
(3) $\mathfrak{A} \models M(\alpha \wedge \beta) \equiv (M\alpha \wedge M\beta)$,
then $I(M)$ is a partial function.
Proof. Suppose $(v, v_1) \in I(M)$ and $(v, v_2) \in I(M)$ and $v_1 \neq v_2$. It follows from assumption (1) that there exists a formula $\alpha$ such that $\mathfrak{A}, v_1 \models \alpha$ and $\mathfrak{A}, v_2 \models \sim\alpha$. Hence, $\mathfrak{A}, v \models M\alpha$ and $\mathfrak{A}, v \models M\sim\alpha$. However, non $\mathfrak{A}, v \models M(\alpha \wedge \sim\alpha)$, contrary to (3). □

Lemma 4.2. Let $K, M$ be arbitrary programs. If properties (3), (4) hold for $K$ and $M$, where
(4) $\mathfrak{A} \models \mathbf{begin}\ K;\ M\ \mathbf{end}\ \alpha \equiv K(M\alpha)$ for every $\alpha \in F$,
then $I(\mathbf{begin}\ K;\ M\ \mathbf{end}) = I(K) \circ I(M)$.
Proof. Let $(v_1, v_2) \in I(\mathbf{begin}\ K;\ M\ \mathbf{end})$ and let $\alpha$ be a formula such that $\mathfrak{A}, v_2 \models \alpha$. Hence by (2)
$$\mathfrak{A}, v_1 \models \mathbf{begin}\ K;\ M\ \mathbf{end}\ \alpha.$$
It follows from (4) that $\mathfrak{A}, v_1 \models K(M\alpha)$. As a consequence of (2), there exists a valuation $v'$ and a valuation $v''$ such that $(v_1, v') \in I(K)$, $(v', v'') \in I(M)$ and $\mathfrak{A}, v'' \models \alpha$. Since there exists at most one valuation $v'$ and one valuation $v''$ with the above property, we have obtained for every formula $\alpha$: if $\mathfrak{A}, v_2 \models \alpha$, then $\mathfrak{A}, v'' \models \alpha$. Thus from (1), $v_2 = v''$, and therefore
$$(v_1, v') \in I(K) \quad\text{and}\quad (v', v_2) \in I(M) \quad\text{for some } v'.$$
Hence $(v_1, v_2) \in I(K) \circ I(M)$.
Let us suppose conversely that $(v_1, v_2) \in I(K) \circ I(M)$. By the definition of the composition of relations, there exists a valuation $v'$ such that
$$(v_1, v') \in I(K) \quad\text{and}\quad (v', v_2) \in I(M).$$
Let us suppose that $\mathfrak{A}, v_2 \models \alpha$ for an arbitrary fixed formula $\alpha$. It follows that $\mathfrak{A}, v' \models M\alpha$ and, moreover by (4), that $\mathfrak{A}, v_1 \models K(M\alpha)$ and $\mathfrak{A}, v_1 \models \mathbf{begin}\ K;\ M\ \mathbf{end}\ \alpha$. Hence there exists a valuation $v''$ such that
$$(v_1, v'') \in I(\mathbf{begin}\ K;\ M\ \mathbf{end}) \quad\text{and}\quad \mathfrak{A}, v'' \models \alpha.$$
The valuation $v''$ is unique since we have assumed property (3). Hence for every formula $\alpha$,
$$\mathfrak{A}, v_2 \models \alpha \quad\text{implies}\quad \mathfrak{A}, v'' \models \alpha.$$
It follows by (1) that $v_2 = v''$, i.e. $(v_1, v_2) \in I(\mathbf{begin}\ K;\ M\ \mathbf{end})$. □

For any open formula $\gamma$, let $id(\gamma)$ denote the set $\{(v, v) : \mathfrak{A}, v \models \gamma\}$.

Lemma 4.3. Let $K, M$ be arbitrary programs. If properties (3) and (5) hold for $K, M$ and for arbitrary formulas $\alpha \in F$, $\gamma \in F_0$, where
(5) $\mathfrak{A} \models \mathbf{if}\ \gamma\ \mathbf{then}\ K\ \mathbf{else}\ M\ \mathbf{fi}\ \alpha \equiv ((\gamma \wedge K\alpha) \vee (\sim\gamma \wedge M\alpha))$,
then
$$I(\mathbf{if}\ \gamma\ \mathbf{then}\ K\ \mathbf{else}\ M\ \mathbf{fi}) = (id(\gamma) \circ I(K)) \cup (id(\sim\gamma) \circ I(M)).$$
The proof is similar to the proof of Lemma 4.2 and is therefore omitted.

Lemma 4.4. If for every formula $\alpha$ and every open formula $\gamma$ properties (3)-(6) hold, where
(6) $\mathfrak{A} \models \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha \equiv ((\sim\gamma \wedge \alpha) \vee (\gamma \wedge M\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha))$,
then
$$I(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}) \supseteq \bigcup_{i \in N} I(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i \circ id(\sim\gamma).$$
Proof. Suppose $(v_1, v_2) \in \bigcup_{i \in N} I(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i \circ id(\sim\gamma)$. Hence there exists a natural number $m$ such that
$$(v_1, v_2) \in I(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m \quad\text{and}\quad \mathfrak{A}, v_2 \models \sim\gamma,$$
by Lemma 4.2.
Let us assume that for some formula $\alpha$, $\mathfrak{A}, v_2 \models \alpha$. It follows from the above properties that
$$\mathfrak{A}, v_1 \models (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m(\sim\gamma \wedge \alpha).$$
As a consequence of property (6) we find that for every valuation $v$,
$$\text{if}\ \mathfrak{A}, v \models (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m(\sim\gamma \wedge \alpha) \ \text{then}\ \mathfrak{A}, v \models \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha.$$
Hence $\mathfrak{A}, v_1 \models \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha$ and there exists a valuation $v'$ such that
$$(v_1, v') \in I(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}) \quad\text{and}\quad \mathfrak{A}, v' \models \alpha.$$
Thus $v' = v_2$ by (1), since for every formula $\alpha$,
$$\mathfrak{A}, v_2 \models \alpha \quad\text{implies}\quad \mathfrak{A}, v' \models \alpha.$$
Therefore $(v_1, v_2) \in I(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od})$. □

Let us assume that the algorithmic language $L$ contains the binary predicate $=$. Moreover, let us assume that the semantic structure $\langle\mathfrak{A}, I, \models\rangle$ is such that $=$ is interpreted as the identity relation in $\mathfrak{A}$ and for every element $a$ of the data structure $\mathfrak{A}$ there exists a term $\tau_a$ such that for an arbitrary valuation $v$, $a = \tau_{a\mathfrak{A}}(v)$. We shall call such a semantic structure a Herbrand structure.

Lemma 4.5. If $\mathfrak{A}$ is a Herbrand structure and properties (3)-(7) hold for the program $M$, every open formula $\gamma$ and arbitrary formulas $\alpha, \beta$, where
(7) $\mathfrak{A} \models ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma \wedge \alpha) \Rightarrow \beta)$ for all $i \in N$ implies $\mathfrak{A} \models (\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha \Rightarrow \beta)$,
then
$$I(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}) = \bigcup_{i \in N} I(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i \circ id(\sim\gamma).$$

Proof. Suppose $(v_1, v_2) \in I(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od})$ and $\mathfrak{A}, v_2 \models \alpha_1$.
Let us assume that $\beta_1$ is a formula which describes the valuation $v_1$ with respect to all variables occurring in $\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha_1$, i.e.
(8) $\beta_1 = (x_1 = \tau_{a_1} \wedge \ldots \wedge x_n = \tau_{a_n} \wedge q_1 \equiv c_1 \wedge \ldots \wedge q_m \equiv c_m)$,
where $x_1, \ldots, x_n$ are all individual variables and $q_1, \ldots, q_m$ are all propositional variables occurring in $\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha_1$, $a_i = v_1(x_i)$ for $i = 1, \ldots, n$, and
$$c_j = \begin{cases}\mathbf{true} & \text{iff } v_1(q_j) = 1,\\ \mathbf{false} & \text{iff } v_1(q_j) = 0.\end{cases}$$
Hence
$$\mathfrak{A}, v_1 \models \mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha_1 \quad\text{and}\quad \mathfrak{A}, v_1 \models \beta_1,$$
i.e.
$$\text{non}\ \mathfrak{A} \models (\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha_1 \Rightarrow \sim\beta_1).$$
By property (7) there exists a natural number $m$ such that
$$\text{non}\ \mathfrak{A} \models ((\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m(\sim\gamma \wedge \alpha_1) \Rightarrow \sim\beta_1).$$
As a consequence there exists a valuation $v'$ such that
$$\mathfrak{A}, v' \models (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m(\sim\gamma \wedge \alpha_1) \quad\text{and}\quad \mathfrak{A}, v' \models \beta_1.$$
By the last property and assumption (8) we have
(9) $\mathfrak{A}, v_1 \models (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m(\sim\gamma \wedge \alpha_1)$.
Assume that $m$ is the minimal natural number with this property. By (9) there exists a valuation $v_2'$ such that
$$(v_1, v_2') \in I(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m \quad\text{and}\quad \mathfrak{A}, v_2' \models (\sim\gamma \wedge \alpha_1).$$
Let us consider an arbitrary formula $\alpha_2$ and let $\mathfrak{A}, v_2 \models \alpha_2$. We shall prove that $\mathfrak{A}, v_2' \models (\sim\gamma \wedge \alpha_2)$.
Following the considerations presented above we have
$$\mathfrak{A}, v_1 \models (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^j(\sim\gamma \wedge \alpha_2)$$
for some natural number $j$. Suppose $j < m$. By property (5)
$$\mathfrak{A} \models (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m(\sim\gamma \wedge \alpha_1) \equiv (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^j(\sim\gamma \wedge \alpha_1),$$
and by (9)
$$\mathfrak{A}, v_1 \models (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^j(\sim\gamma \wedge \alpha_1),$$
contrary to the assumption that $m$ is the smallest natural number with this property. Thus $j \ge m$ and therefore
$$\mathfrak{A}, v_1 \models (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m(\sim\gamma \wedge \alpha_2).$$
Hence by property (3) $\mathfrak{A}, v_2' \models (\sim\gamma \wedge \alpha_2)$. Thus, there exists a natural number $m$ and a valuation $v_2'$ such that for an arbitrary formula $\alpha$,
$$\mathfrak{A}, v_2 \models \alpha \quad\text{implies}\quad (v_1, v_2') \in I(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m \ \text{and}\ \mathfrak{A}, v_2' \models (\alpha \wedge \sim\gamma).$$
Hence $v_2 = v_2'$ and consequently
$$(v_1, v_2) \in I(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^m \circ id(\sim\gamma).\ \square$$

Lemma 4.6. If $\mathfrak{A}$ is a Herbrand structure and property (10) holds for an assignment instruction $s = (x := w)$ and every open formula $\gamma$, where
(10) $\mathfrak{A} \models \bar{s}\gamma \equiv s\gamma$,
then
$$I(x := w) = \{(v_1, v_2) : v_1(z) = v_2(z) \ \text{for } z \neq x \ \text{and}\ v_2(x) = w_{\mathfrak{A}}(v_1)\}.$$
Proof. Let us assume that $x$ is an individual variable and $w$ is a term. Let $(v_1, v_2) \in I(x := w)$. Suppose $v_2(x) = a$. Thus $\mathfrak{A}, v_2 \models (x = \tau_a)$. Hence $\mathfrak{A}, v_1 \models (x := w)(x = \tau_a)$ and therefore by (10), $w_{\mathfrak{A}}(v_1) = \tau_{a\mathfrak{A}}(v_1) = v_2(x)$. Let $y$ be an individual variable and $y \neq x$. Suppose $v_2(y) = b$, then $\mathfrak{A}, v_2 \models (y = \tau_b)$. It follows that $\mathfrak{A}, v_1 \models (x := w)(y = \tau_b)$ and therefore $v_2(y) = v_1(y)$. Let $q$ be a propositional variable. If $\mathfrak{A}, v_2 \models q$, then $\mathfrak{A}, v_1 \models (x := w)q$ and by (10) $\mathfrak{A}, v_1 \models q$.
Hence $v_2(z) = v_1(z)$ for $z \neq x$ and $v_2(x) = w_{\mathfrak{A}}(v_1)$.
The discussion is similar in the case where $s = (q := \gamma)$, $q$ is a propositional variable and $\gamma$ is an open formula. □

As a straightforward consequence of the above lemmas we obtain the main result of this section.

Theorem 4.7. Algorithmic logic determines the unique execution method for programs. More strictly, for every semantic Herbrand structure $\langle\mathfrak{A}, I, \models\rangle$, if all axioms of algorithmic logic are valid and all inference rules are sound, then the execution method $I$ satisfies the following equalities:
$$I(\mathbf{begin}\ K;\ M\ \mathbf{end}) = I(K) \circ I(M),$$
$$I(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{else}\ K\ \mathbf{fi}) = id(\gamma) \circ I(M) \cup id(\sim\gamma) \circ I(K),$$
$$I(\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}) = \bigcup_{i \in N} I(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i \circ id(\sim\gamma),$$
$$I(x := w) = \{(v_1, v_2) : v_1(z) = v_2(z) \ \text{for } z \neq x \ \text{and}\ v_2(x) = w_{\mathfrak{A}}(v_1)\}$$
for arbitrary programs $K, M$, every open formula $\gamma$ and an arbitrary assignment instruction $(x := w)$. □

5. GENTZEN TYPE AXIOMATIZATION

In the preceding sections an axiomatic system for reasoning about algorithmic formulas has been presented and studied. There have been many examples of formal proofs, but no algorithm has been given for their mechanical construction.
In this section we shall discuss a deductive system in which the proof of a formula is determined by the formula itself. Informally, the process of deduction will consist of the decomposition of a formula into parts. Each step of decomposition will be determined uniquely. This kind of deductive system seems appropriate for the automatization of the process of proving and is called Gentzen type axiomatization.
Let $L$ be an algorithmic language.
Throughout this section $\Gamma$ and $\Delta$ (with indices if necessary) will denote finite sequences of formulas. Any expression of the form $\Gamma \to \Delta$ will be called a sequent.

Definition 5.1. A sequent $\Gamma \to \Delta$ is called indecomposable iff every formula that occurs in $\Gamma \cup \Delta$ is either a propositional variable or is an elementary formula. We shall call such formulas indecomposable. □

Definition 5.2. A sequent $\Gamma \to \Delta$ is said to be an axiom-sequent iff $\Gamma \cap \Delta \neq \emptyset$. □

Let $\Gamma = \{\alpha_1, \ldots, \alpha_n\}$ and $\Delta = \{\beta_1, \ldots, \beta_m\}$ for some $n, m \in N$. We shall use $(\bigwedge\Gamma \Rightarrow \bigvee\Delta)$ as the shortened form of the formula $(\bigwedge_{i \le n}\alpha_i \Rightarrow \bigvee_{j \le m}\beta_j)$. If $\Gamma = \emptyset$, then $\bigwedge\Gamma = \mathbf{true}$; if $\Delta = \emptyset$, then $\bigvee\Delta = \mathbf{false}$.

Lemma 5.1. For every axiom-sequent $\Gamma \to \Delta$ and every data structure $\mathfrak{A}$ for $L$, $\mathfrak{A} \models (\bigwedge\Gamma \Rightarrow \bigvee\Delta)$. □

The rules of decomposition are listed below.

$$\text{1A}\quad \frac{\Gamma_1, \Gamma_2, s_1 \ldots s_{k-1}\,\overline{s_k}\,\gamma \to \Delta}{\Gamma_1, s_1 \ldots s_k\gamma, \Gamma_2 \to \Delta} \qquad\qquad \text{1B}\quad \frac{\Gamma \to \Delta_1, \Delta_2, s_1 \ldots s_{k-1}\,\overline{s_k}\,\gamma}{\Gamma \to \Delta_1, s_1 \ldots s_k\gamma, \Delta_2}$$

$$\text{2A}\quad \frac{\Gamma_1, \Gamma_2 \to \Delta, s\alpha}{\Gamma_1, s\sim\alpha, \Gamma_2 \to \Delta} \qquad\qquad \text{2B}\quad \frac{\Gamma, s\alpha \to \Delta_1, \Delta_2}{\Gamma \to \Delta_1, s\sim\alpha, \Delta_2}$$

$$\text{3A}\quad \frac{\Gamma_1, \Gamma_2, s\alpha, s\beta \to \Delta}{\Gamma_1, s(\alpha \wedge \beta), \Gamma_2 \to \Delta} \qquad\qquad \text{3B}\quad \frac{\Gamma \to \Delta_1, \Delta_2, s\alpha;\quad \Gamma \to \Delta_1, \Delta_2, s\beta}{\Gamma \to \Delta_1, s(\alpha \wedge \beta), \Delta_2}$$

$$\text{4A}\quad \frac{\Gamma_1, \Gamma_2, s\alpha \to \Delta;\quad \Gamma_1, \Gamma_2, s\beta \to \Delta}{\Gamma_1, s(\alpha \vee \beta), \Gamma_2 \to \Delta} \qquad\qquad \text{4B}\quad \frac{\Gamma \to \Delta_1, \Delta_2, s\alpha, s\beta}{\Gamma \to \Delta_1, s(\alpha \vee \beta), \Delta_2}$$

$$\text{5A}\quad \frac{\Gamma_1, \Gamma_2 \to \Delta, s\alpha;\quad \Gamma_1, \Gamma_2, s\beta \to \Delta}{\Gamma_1, s(\alpha \Rightarrow \beta), \Gamma_2 \to \Delta} \qquad\qquad \text{5B}\quad \frac{\Gamma, s\alpha \to \Delta_1, \Delta_2, s\beta}{\Gamma \to \Delta_1, s(\alpha \Rightarrow \beta), \Delta_2}$$

$$\text{6A}\quad \frac{\Gamma_1, \Gamma_2, s(K(M\alpha)) \to \Delta}{\Gamma_1, s\,\mathbf{begin}\ K;\ M\ \mathbf{end}\ \alpha, \Gamma_2 \to \Delta} \qquad\qquad \text{6B}\quad \frac{\Gamma \to \Delta_1, \Delta_2, s(K(M\alpha))}{\Gamma \to \Delta_1, s\,\mathbf{begin}\ K;\ M\ \mathbf{end}\ \alpha, \Delta_2}$$

$$\text{7A}\quad \frac{\Gamma_1, \Gamma_2, s(\gamma \wedge K\alpha) \to \Delta;\quad \Gamma_1, \Gamma_2, s(\sim\gamma \wedge M\alpha) \to \Delta}{\Gamma_1, s\,\mathbf{if}\ \gamma\ \mathbf{then}\ K\ \mathbf{else}\ M\ \mathbf{fi}\ \alpha, \Gamma_2 \to \Delta}$$

$$\text{7B}\quad \frac{\Gamma \to \Delta_1, \Delta_2, s(\gamma \wedge K\alpha), s(\sim\gamma \wedge M\alpha)}{\Gamma \to \Delta_1, s\,\mathbf{if}\ \gamma\ \mathbf{then}\ K\ \mathbf{else}\ M\ \mathbf{fi}\ \alpha, \Delta_2}$$

$$\text{8A}\quad \frac{\{\Gamma_1, \Gamma_2, s(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma \wedge \alpha) \to \Delta\}_{i \in N}}{\Gamma_1, s\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha, \Gamma_2 \to \Delta}$$

$$\text{8B}\quad \frac{\Gamma \to \Delta_1, \Delta_2, s(\sim\gamma \wedge \alpha), s(\gamma \wedge M\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)}{\Gamma \to \Delta_1, s\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha, \Delta_2}$$

$$\text{9A}\quad \frac{\{\Gamma_1, \Gamma_2, s(M^i\alpha) \to \Delta\}_{i \in N}}{\Gamma_1, s\bigcup M\alpha, \Gamma_2 \to \Delta} \qquad\qquad \text{9B}\quad \frac{\Gamma \to \Delta_1, \Delta_2, s\alpha, s\bigcup M(M\alpha)}{\Gamma \to \Delta_1, s\bigcup M\alpha, \Delta_2}$$

$$\text{10A}\quad \frac{\Gamma_1, \Gamma_2, s\alpha, s\bigcap M(M\alpha) \to \Delta}{\Gamma_1, s\bigcap M\alpha, \Gamma_2 \to \Delta} \qquad\qquad \text{10B}\quad \frac{\{\Gamma \to \Delta_1, \Delta_2, s(M^i\alpha)\}_{i \in N}}{\Gamma \to \Delta_1, s\bigcap M\alpha, \Delta_2}$$

$$\text{11A}\quad \frac{\Gamma_1, \Gamma_2, s(x := \tau)\alpha(x), s(\forall x)\alpha(x) \to \Delta}{\Gamma_1, s(\forall x)\alpha(x), \Gamma_2 \to \Delta} \qquad\qquad \text{11B}\quad \frac{\Gamma \to \Delta_1, \Delta_2, s(x := y)\alpha(x)}{\Gamma \to \Delta_1, s(\forall x)\alpha(x), \Delta_2}$$

where $y$ is an individual variable which does not appear in $s$ and $\alpha$,

$$\text{12A}\quad \frac{\Gamma_1, \Gamma_2 \to \Delta, s(\forall x)\sim\alpha}{\Gamma_1, s(\exists x)\alpha, \Gamma_2 \to \Delta} \qquad\qquad \text{12B}\quad \frac{\Gamma, s(\forall x)\sim\alpha \to \Delta_1, \Delta_2}{\Gamma \to \Delta_1, s(\exists x)\alpha, \Delta_2}$$

In all the above schemes $\Gamma_1$ and $\Delta_1$ denote sequences of indecomposable formulas and $\Gamma, \Gamma_2, \Delta, \Delta_2$ are arbitrary sequences of formulas; $s$ denotes a sequence of assignment instructions; $\alpha, \beta$ arbitrary formulas; $\gamma$ denotes an open formula; $K, M$ denote arbitrary programs; $\tau$ is a term.
Observe that the rules of decomposition reflect the axioms and rules of the Hilbert style axiomatization (cf. Chapter II, § 5). Rule r1 (modus ponens) has no counterpart among the decomposition rules.

Definition 5.3. By a diagram of a formula $\alpha$ we shall understand an ordered pair $\langle D, d\rangle$, where $D$ is a tree (cf. Definition 5.1 from Chapter II) and $d$ is a mapping which assigns a certain non-empty sequent to every element of the tree. The mapping $d$ and the tree $D$ are defined by induction on the level $l$ of $D$ as follows:
1. For $l = 0$, the only vertex on this level is the empty sequence denoted by $\emptyset$, the root of the tree, and $d(\emptyset)$ is of the form $\to \alpha$.
2. Suppose we have defined the elements of the tree $D$ and the function $d$ on them up to level $l$ not higher than $n$.
Let $c = (i_1, \ldots, i_n)$ be a vertex on the level $n$. If $d(c)$ is indecomposable or $d(c)$ is an axiom then $c$ is a leaf of the tree and $d(c)$ is called a leaf-sequent. In the opposite case let us assume $d(c)$ is of the form $\Gamma \to \Delta$.
CASE A. $n$ is an odd number. The unique son of the vertex $c$ is of the form $(i_1, \ldots, i_n, 0)$ and $d(i_1, \ldots, i_n, 0) = d(c)$ only if the sequence $\Gamma$ consists of indecomposable formulas. In the opposite case, if the sequent $d(c)$ is the conclusion in the rule of decomposition of group A
$$\frac{\{\Gamma_j \to \Delta_j\}_{j \in J}}{\Gamma \to \Delta},$$
then $(i_1, \ldots, i_n, j) \in D$ and $d(i_1, \ldots, i_n, j) = \Gamma_j \to \Delta_j$ for all $j \in J$.
CASE B. $n$ is an even number. The unique son of the vertex $c$ is $(i_1, \ldots, i_n, 0)$ and $d(i_1, \ldots, i_n, 0) = d(c)$ only if $\Delta$ is a sequence which consists of indecomposable formulas. In the opposite case, if the sequent $d(c)$ is the conclusion in a rule of decomposition of group B
$$\frac{\{\Gamma_j \to \Delta_j\}_{j \in J}}{\Gamma \to \Delta},$$
then $(i_1, \ldots, i_n, j) \in D$ and $d(i_1, \ldots, i_n, j) = \Gamma_j \to \Delta_j$ for all $j \in J$. □

Remark. Let $\langle D, d\rangle$ be a diagram of a formula. If $\alpha$ is an indecomposable formula such that $\alpha \in d(c)$ for some $c = (i_1, \ldots, i_n) \in D$, then for every $c' = (i_1, \ldots, i_n, i_{n+1}, \ldots, i_k)$, if $c' \in D$, then $\alpha \in d(c')$. In other words, if $\alpha$ appears in a vertex, then it also appears in all successors of this vertex. □

Lemma 5.2. For every data structure $\mathfrak{A}$ for the language $L$, for every valuation $v$ in $\mathfrak{A}$ and for every rule of decomposition of the form
$$\frac{\{\Gamma_j \to \Delta_j\}_{j \in J}}{\Gamma \to \Delta}$$
the following condition holds:
$$(\bigwedge\Gamma \Rightarrow \bigvee\Delta)_{\mathfrak{A}}(v) = \operatorname{g.l.b.}_{j \in J}\,(\bigwedge\Gamma_j \Rightarrow \bigvee\Delta_j)_{\mathfrak{A}}(v).$$
The proof follows immediately from Lemma 5.1 of Chapter II. □

As a consequence of Lemma 5.2 and Lemma 5.1 we obtain the following fact:

Lemma 5.3. If the diagram of a formula $\alpha$ is a finite-path tree and all leaf-sequents are axioms, then $\alpha$ is a tautology. □

Lemma 5.4. If $\alpha$ is a tautology and the diagram of the formula $\alpha$ is a finite-path tree, then all leaf-sequents are axioms.
Proof. Let $\langle D, d\rangle$ be a diagram of a tautology $\alpha$, where $D$ is a finite-path tree.
Suppose that there exists a leaf $c \in D$ such that the leaf-sequent $d(c)$ is not an axiom. From the definition of a diagram it follows that $d(c)$ is indecomposable. Let $d(c)$ be of the form $\Gamma \to \Delta$.
We shall define a data structure $\mathfrak{A}$ for the language $L$ such that
$$\mathfrak{A} = \langle T, \{\varphi_{\mathfrak{A}}\}_{\varphi \in \Phi}, \{\varrho_{\mathfrak{A}}\}_{\varrho \in P}\rangle,$$
where $T$ is the set of all terms in the language $L$ and for arbitrary terms $\tau_1, \ldots, \tau_n$
$$\varphi_{\mathfrak{A}}(\tau_1, \ldots, \tau_n) = \varphi(\tau_1, \ldots, \tau_n), \quad\text{for any functor } \varphi,$$
$$\varrho_{\mathfrak{A}}(\tau_1, \ldots, \tau_n) = 1 \quad\text{iff}\quad \varrho(\tau_1, \ldots, \tau_n) \in \Gamma, \quad\text{for any predicate } \varrho.$$
Observe that the last definition is proper since we have assumed $\Gamma \cap \Delta = \emptyset$.
Let $v_0$ be a valuation in $\mathfrak{A}$ such that $v_0(x) = x$ for all individual variables $x$ and $v_0(p) = 1$ iff $p \in \Gamma$ for all propositional variables $p$.
By the definition of the data structure $\mathfrak{A}$ we immediately have $\mathfrak{A}, v_0 \models \sim(\bigwedge\Gamma \Rightarrow \bigvee\Delta)$. Suppose that for some $c' \in D$, $d(c') = \Gamma' \to \Delta'$ and non $\mathfrak{A}, v_0 \models (\bigwedge\Gamma' \Rightarrow \bigvee\Delta')$. By Lemma 5.2 there exists $c''$ such that $c'$ is a son of $c''$, $d(c'') = \Gamma'' \to \Delta''$ and non $\mathfrak{A}, v_0 \models (\bigwedge\Gamma'' \Rightarrow \bigvee\Delta'')$. Hence there exists a finite path $c_0, \ldots, c_n$ such that $c_0 = \emptyset$, $c_n = c$ and such that for every vertex from this path, if $d(c_j) = \Gamma_j \to \Delta_j$, then non $\mathfrak{A}, v_0 \models (\bigwedge\Gamma_j \Rightarrow \bigvee\Delta_j)$. In particular, for $j = 0$ we have $\mathfrak{A}, v_0 \models \sim(\mathbf{true} \Rightarrow \alpha)$, i.e. $\mathfrak{A}, v_0 \models \sim\alpha$.
As a consequence, $\alpha$ is not a tautology, contrary to the assumption. □

Lemma 5.5. If the diagram of the formula $\alpha_0$ has an infinite path, then $\alpha_0$ is not a tautology.
Proof. Let $\langle D, d\rangle$ be the diagram of the formula $\alpha_0$ and let $Path = \{c_i\}_{i \in N}$ be an infinite path in $D$. Assume that $d(c_i) = \Gamma_i \to \Delta_i$, for $i \in N$.
To prove the lemma we shall construct a data structure $\mathfrak{A}$ in the set of all terms $T$ and a valuation $v_0$ such that
$$\mathfrak{A}, v_0 \models \sim\alpha_0.$$
Denote $F_S = \bigcup_{i \in N}\Delta_i$ and $F_P = \bigcup_{i \in N}\Gamma_i$.
Note that if $\gamma$ is an indecomposable formula such that $\gamma \in d(c_{i_0})$ for some $i_0$, then $\gamma \in d(c_i)$ for every $i \ge i_0$. Since for every $i \in N$, $\Gamma_i \cap \Delta_i = \emptyset$, then $\gamma \in F_S - F_P$ or $\gamma \in F_P - F_S$.
Let us consider a data structure $\mathfrak{A}$
$$\mathfrak{A} = \langle T, \{\varphi_{\mathfrak{A}}\}_{\varphi \in \Phi}, \{\varrho_{\mathfrak{A}}\}_{\varrho \in P}\rangle,$$
such that for arbitrary terms $\tau_1, \ldots, \tau_n$
$$\varphi_{\mathfrak{A}}(\tau_1, \ldots, \tau_n) = \varphi(\tau_1, \ldots, \tau_n) \quad\text{for all } \varphi \in \Phi,$$
$$\varrho_{\mathfrak{A}}(\tau_1, \ldots, \tau_n) = 1 \quad\text{iff}\quad \varrho(\tau_1, \ldots, \tau_n) \in F_P \quad\text{for } \varrho \in P,$$
and let
$$v_0(p) = 1 \quad\text{iff}\quad p \in F_P \quad\text{for every propositional variable } p,$$
$$v_0(x) = x \quad\text{for every individual variable } x.$$
We shall prove by induction with respect to the relation $\prec$ (cf. Definition 2.2) that for every formula $\alpha$
(1) if $\alpha \in F_S$, then $\mathfrak{A}, v_0 \models \sim\alpha$; if $\alpha \in F_P$, then $\mathfrak{A}, v_0 \models \alpha$.
By the definition of the structure $\mathfrak{A}$, property (1) holds for all indecomposable formulas.
Suppose that property (1) holds for all formulas that are submitted to the formula $\alpha$ and let $\alpha \in F_S \cup F_P$.
If $\alpha$ is a decomposable formula then it appears also as the first formula in a certain sequent of the infinite path and therefore it will be decomposed. In particular, if $s\bigcup M(M^i\beta) \in F_S$, then the formulas $s\bigcup M(M^{i+1}\beta)$ and $sM^i\beta$ are in $F_S$ as a consequence of rule (9B). Thus, if $s\bigcup M\beta \in F_S$ then all formulas of the form $s(M^i\beta)$ for $i \in N$ are in $F_S$. By the inductive assumption $\mathfrak{A}, v_0 \models \sim s(M^i\beta)$ for all $i \in N$, since $s(M^i\beta) \prec \alpha$, and therefore non $\mathfrak{A}, v_0 \models \alpha$.
By Definition 5.3, if the formula $\alpha$ is of the form $\sim\beta$ and $\alpha \in F_S$ then $\beta \in F_P$. By the inductive assumption $\mathfrak{A}, v_0 \models \beta$ since $\beta \prec \alpha$ and therefore non $\mathfrak{A}, v_0 \models \alpha$.
If the formula $\alpha$ is of the form $(\delta \vee \beta)$, $(\delta \wedge \beta)$, $s\gamma$, $s\,\mathbf{begin}\ K;\ M\ \mathbf{end}\ \beta$, $s\,\mathbf{if}\ \gamma\ \mathbf{then}\ K\ \mathbf{else}\ M\ \mathbf{fi}\ \beta$, $s\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \beta$, $s\bigcup M\beta$, $s\bigcap M\beta$ or $s(\forall x)\beta(x)$ and if $\alpha \in F_S$, then by the definition of the diagram there exists a set of formulas $\{\beta_i\}_{i \in J}$ for some set $J \subseteq N$ such that $\beta_i \in F_S$, $\beta_i \prec \alpha$ and $\operatorname{l.u.b.}_{i \in J}\,\beta_{i\mathfrak{A}}(v) = \alpha_{\mathfrak{A}}(v)$ for an arbitrary data structure $\mathfrak{A}$ and an arbitrary valuation $v$. By the inductive assumption non $\mathfrak{A}, v_0 \models \beta_i$ for $i \in J$, hence non $\mathfrak{A}, v_0 \models \alpha$.
The case $\alpha \in F_P$ can be discussed in an analogous way. As a result we obtain $\mathfrak{A}, v_0 \models \alpha$.
From the above considerations we have non $\mathfrak{A}, v_0 \models \alpha_0$, since $\alpha_0 \in F_S$, i.e. $\alpha_0$ is not a tautology. □

Theorem 5.1. The diagram of the formula $\alpha$ is a finite-path tree with all leaf-sequents being axioms iff $\alpha$ is a tautology. □
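As an added example (written for this edition, not taken from the book), the diagram construction of Definition 5.3 for the program-free fragment: rules 2A-5B, the axiom-sequent test of Definition 5.2, and the alternation of groups A and B by level. `is_tautology` applies Theorem 5.1 (every path is finite in this fragment, so only the leaf-sequents matter) and `countermodel` reads off the valuation of Lemma 5.4 from a non-axiom leaf; formulas are tuples and all function names are the example's own.

```python
# Formulas: ('var', name), ('not', a), ('and', a, b), ('or', a, b), ('imp', a, b).
# A sequent Γ → Δ is a pair of lists; the indecomposable prefixes play the role of Γ_1 / Δ_1.

def indecomposable(f):
    return f[0] == 'var'

def is_axiom(gamma, delta):
    """Definition 5.2: Γ ∩ Δ ≠ ∅."""
    return any(f in delta for f in gamma)

def decompose_A(gamma, delta):
    """Group A: split the first decomposable formula of Γ; None when Γ is indecomposable."""
    for k, f in enumerate(gamma):
        if indecomposable(f):
            continue
        rest = gamma[:k] + gamma[k + 1:]                     # Γ_1, Γ_2
        if f[0] == 'not':                                    # 2A
            return [(rest, delta + [f[1]])]
        if f[0] == 'and':                                    # 3A
            return [(rest + [f[1], f[2]], delta)]
        if f[0] == 'or':                                     # 4A
            return [(rest + [f[1]], delta), (rest + [f[2]], delta)]
        return [(rest, delta + [f[1]]), (rest + [f[2]], delta)]   # 5A
    return None

def decompose_B(gamma, delta):
    """Group B: split the first decomposable formula of Δ; None when Δ is indecomposable."""
    for k, f in enumerate(delta):
        if indecomposable(f):
            continue
        rest = delta[:k] + delta[k + 1:]                     # Δ_1, Δ_2
        if f[0] == 'not':                                    # 2B
            return [(gamma + [f[1]], rest)]
        if f[0] == 'and':                                    # 3B
            return [(gamma, rest + [f[1]]), (gamma, rest + [f[2]])]
        if f[0] == 'or':                                     # 4B
            return [(gamma, rest + [f[1], f[2]])]
        return [(gamma + [f[1]], rest + [f[2]])]             # 5B
    return None

def diagram(alpha):
    """Definition 5.3: vertices are tuples of naturals, the root is (); d maps vertex -> sequent."""
    d = {(): ([], [alpha])}
    leaves, pending = [], [()]
    while pending:
        c = pending.pop()
        gamma, delta = d[c]
        if is_axiom(gamma, delta) or all(indecomposable(f) for f in gamma + delta):
            leaves.append(c)                                 # leaf-sequent
            continue
        group = decompose_A if len(c) % 2 == 1 else decompose_B   # CASE A: odd level; CASE B: even
        sons = group(gamma, delta) or [(gamma, delta)]       # nothing to split on this side: copy d(c)
        for j, sequent in enumerate(sons):
            d[c + (j,)] = sequent
            pending.append(c + (j,))
    return d, leaves

def is_tautology(alpha):
    """Theorem 5.1 in the finite-path case: every leaf-sequent is an axiom."""
    d, leaves = diagram(alpha)
    return all(is_axiom(*d[c]) for c in leaves)

def variables(f):
    return {f[1]} if f[0] == 'var' else set().union(*(variables(g) for g in f[1:]))

def countermodel(alpha):
    """Lemma 5.4: from a non-axiom leaf Γ → Δ take v0(p) = 1 iff p ∈ Γ; None for a tautology."""
    d, leaves = diagram(alpha)
    for c in leaves:
        gamma, delta = d[c]
        if not is_axiom(gamma, delta):
            return {p: ('var', p) in gamma for p in sorted(variables(alpha))}
    return None

def evaluate(f, v):
    """Classical value of a program-free formula under the valuation v (name -> bool)."""
    if f[0] == 'var':
        return v[f[1]]
    if f[0] == 'not':
        return not evaluate(f[1], v)
    a, b = evaluate(f[1], v), evaluate(f[2], v)
    return {'and': a and b, 'or': a or b, 'imp': (not a) or b}[f[0]]

P, Q = ('var', 'p'), ('var', 'q')
MODUS_PONENS = ('imp', ('and', ('imp', P, Q), P), Q)       # ((p ⇒ q) ∧ p) ⇒ q
PEIRCE = ('imp', ('imp', ('imp', P, Q), P), P)              # ((p ⇒ q) ⇒ p) ⇒ p
```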

6. THE NORMAL FORM OF PROGRAMS

The aim of this section is to prove that every program can be transformed into a form which contains a single occurrence of the while-operation.
We shall start with the auxiliary definitions. Let $v, v'$ be two valuations and let $X$ be a set of variables. We shall say that $v = v'$ off $X$ if and only if for every $z \notin X$, $v'(z) = v(z)$.

Definition 6.1. We shall say that the variable $x$ is inessential for the program $M$ iff the following conditions are valid for an arbitrary data structure $\mathfrak{A}$ and for arbitrary valuations $v, v'$ such that $v = v'$ off $\{x\}$:
(i) $M_{\mathfrak{A}}(v)$ is defined iff $M_{\mathfrak{A}}(v')$ is defined and
(ii) if $M_{\mathfrak{A}}(v)$ and $M_{\mathfrak{A}}(v')$ are defined then $M_{\mathfrak{A}}(v) = M_{\mathfrak{A}}(v')$ off $\{x\}$. □

Let us consider an example.
$$M:\ \mathbf{begin}\ u := x + y;\ x := u - z\ \mathbf{end}.$$
The variable $u$ is then inessential for the program $M$.

Definition 6.2. Two programs $M, M'$ are equivalent up to a set of variables VAR, in symbols $M \sim M'$ off VAR, iff for every data structure $\mathfrak{A}$ and every valuation $v$
(i) $M_{\mathfrak{A}}(v)$ is defined iff $M'_{\mathfrak{A}}(v)$ is defined and
(ii) if both mappings $M_{\mathfrak{A}}$ and $M'_{\mathfrak{A}}$ are defined at $v$, then $M_{\mathfrak{A}}(v) = M'_{\mathfrak{A}}(v)$ off VAR.
In the case where VAR $= \emptyset$ we shall write $M \sim M'$. □

This definition formalizes our intuitive idea of two programs being equivalent iff their results are identical up to the auxiliary variables.
Let $\Pi_0$ be a class of programs and VAR a set of variables which are inessential for any $M$ from $\Pi_0$. The following properties are then valid for all $M, M', M''$ from $\Pi_0$:
$M \sim M$ off VAR,
if $M \sim M'$ off VAR, then $M' \sim M$ off VAR,
if $M \sim M'$ off VAR and $M' \sim M''$ off VAR, then $M \sim M''$ off VAR.
Hence $\sim$ off VAR is an equivalence relation in $\Pi_0$.

Example 6.1. Let $\gamma$ be an open formula, $M, M'$ programs and $q$ a propositional variable such that $q \notin V(\gamma) \cup V(M) \cup V(M')$. The following two programs are equivalent up to the set $\{q\}$:
M₁: begin
      while γ do M od;
      M'
    end,
M₂: begin
      q := true;
      while q do
        if γ then M else M'; q := false fi
      od
    end. □

As a consequence of the definition we obtain the following useful lemma:

Lemma 6.1. For arbitrary programs $M, M'$ and an arbitrary set of variables VAR, if $M \sim M'$ off VAR, then for every formula $\alpha$ such that $V(\alpha) \cap \mathrm{VAR} = \emptyset$, for every data structure $\mathfrak{A}$ and every valuation $v$ in $\mathfrak{A}$,
$$\mathfrak{A}, v \models M\alpha \quad\text{iff}\quad \mathfrak{A}, v \models M'\alpha.$$
The proof follows immediately from the fact that the value of every formula depends solely on the variables which occur in it. □

Lemma 6.2. For arbitrary programs $K, M, K', M'$ and arbitrary sets of variables $\mathrm{VAR}_1, \mathrm{VAR}_2$, $\mathrm{VAR} = \mathrm{VAR}_1 \cup \mathrm{VAR}_2$, the following conditions hold:
(i) if $K \sim M$ off $\mathrm{VAR}_1$ and $M \sim M'$ off $\mathrm{VAR}_2$, then $K \sim M'$ off VAR;
(ii) if $K \sim K'$ off $\mathrm{VAR}_1$ and $M \sim M'$ off $\mathrm{VAR}_2$ and $\mathrm{VAR}_1$ is inessential for $M$ and $M'$, then
$\mathbf{begin}\ K;\ M\ \mathbf{end} \sim \mathbf{begin}\ K';\ M'\ \mathbf{end}$ off VAR;
(iii) if $K \sim K'$ off $\mathrm{VAR}_1$ and $M \sim M'$ off $\mathrm{VAR}_2$, then for every formula $\gamma$,
$\mathbf{if}\ \gamma\ \mathbf{then}\ K\ \mathbf{else}\ M\ \mathbf{fi} \sim \mathbf{if}\ \gamma\ \mathbf{then}\ K'\ \mathbf{else}\ M'\ \mathbf{fi}$ off VAR;
(iv) if $K \sim K'$ off $\mathrm{VAR}_1$ and $\gamma$ is an open formula such that $V(\gamma) \cap \mathrm{VAR}_1 = \emptyset$, and $\mathrm{VAR}_1$ is inessential for $K$ and $K'$, then
$\mathbf{while}\ \gamma\ \mathbf{do}\ K\ \mathbf{od} \sim \mathbf{while}\ \gamma\ \mathbf{do}\ K'\ \mathbf{od}$ off $\mathrm{VAR}_1$.
Proof. Let $\mathfrak{A}$ be a data structure and $v$ a valuation.
For the proof of (i) let us assume that
$$K \sim M \ \text{off}\ \mathrm{VAR}_1 \quad\text{and}\quad M \sim M' \ \text{off}\ \mathrm{VAR}_2.$$
Suppose $K_{\mathfrak{A}}$ is defined at $v$. Hence by the assumption $M_{\mathfrak{A}}$ is defined at $v$ and finally $M'_{\mathfrak{A}}$ is defined at $v$. Analogously, if $M'_{\mathfrak{A}}(v)$ is defined, then $K_{\mathfrak{A}}(v)$ is defined.
Suppose $\bar v = K_{\mathfrak{A}}(v)$ and $v' = M_{\mathfrak{A}}(v)$. Hence by the assumption $M'_{\mathfrak{A}}(v)$ is also defined and for $\tilde v = M'_{\mathfrak{A}}(v)$ we have
$$\bar v(z) = v'(z) \quad\text{for every } z \notin \mathrm{VAR}_1,$$
$$v'(z) = \tilde v(z) \quad\text{for every } z \notin \mathrm{VAR}_2.$$
Thus $\bar v(z) = \tilde v(z)$ for every $z \notin \mathrm{VAR}_1 \cup \mathrm{VAR}_2$, which completes the proof of (i).
For the proof of (ii) let us assume that
$$K \sim K' \ \text{off}\ \mathrm{VAR}_1 \quad\text{and}\quad M \sim M' \ \text{off}\ \mathrm{VAR}_2.$$
Suppose $\mathbf{begin}\ K;\ M\ \mathbf{end}_{\mathfrak{A}}$ is defined at $v$. Then $K_{\mathfrak{A}}$ is defined at $v$ and for $\bar v = K_{\mathfrak{A}}(v)$, $M_{\mathfrak{A}}(\bar v)$ is defined. Let $M_{\mathfrak{A}}(\bar v) = \tilde v$. By the assumption $M'_{\mathfrak{A}}(\bar v)$ and $K'_{\mathfrak{A}}(v)$ are defined.
Let $v' = K'_{\mathfrak{A}}(v)$ and $\hat v = M'_{\mathfrak{A}}(\bar v)$. Thus by the assumptions
(1) $\bar v(z) = v'(z)$ for every $z \notin \mathrm{VAR}_1$,
(2) $\hat v(z) = \tilde v(z)$ for every $z \notin \mathrm{VAR}_2$.
Since $\mathrm{VAR}_1$ is the set of variables inessential for $M$ and for $M'$, $M'_{\mathfrak{A}}(v')$ is defined and for $v'' = M'_{\mathfrak{A}}(v')$ we have by (1),
(3) $v''(z) = \hat v(z)$ for every $z \notin \mathrm{VAR}_1$.
Hence $\mathbf{begin}\ K';\ M'\ \mathbf{end}_{\mathfrak{A}}(v)$ is defined.
Conversely, if $\mathbf{begin}\ K';\ M'\ \mathbf{end}_{\mathfrak{A}}(v)$ is defined, then by the definition of semantics $K'_{\mathfrak{A}}(v)$ is defined and $M'_{\mathfrak{A}}(K'_{\mathfrak{A}}(v))$ is defined. By the assumption $K_{\mathfrak{A}}(v)$ is defined and $M_{\mathfrak{A}}(K'_{\mathfrak{A}}(v))$ is defined. Since $K_{\mathfrak{A}}(v)$ and $K'_{\mathfrak{A}}(v)$ differ at most on the variables in $\mathrm{VAR}_1$, $M_{\mathfrak{A}}(K_{\mathfrak{A}}(v))$ is also defined.
Moreover by (2) and (3) we have
$$\tilde v(z) = v''(z) \quad\text{for every } z \notin \mathrm{VAR}_1 \cup \mathrm{VAR}_2.$$
As a consequence we obtain
$$\mathbf{begin}\ K;\ M\ \mathbf{end} \sim \mathbf{begin}\ K';\ M'\ \mathbf{end} \ \text{off}\ \mathrm{VAR},$$
which completes the proof of (ii).
The similar proofs of (iii) and (iv) are omitted. □

Definition 6.2. A program M is in the normal form iff
M = begin M₁; while γ do M₂ od end,
where M₁ and M₂ are programs without a while-operation. □

Theorem 6.3. Composition, branching and iteration of programs in the
normal form are equivalent to a program in the normal form.
Proof. Let K and M be two programs in the normal form
K = begin K₁; while γ₁ do K₂ od end,
M = begin M₁; while γ₂ do M₂ od end,
and suppose that q does not belong to V(K) and V(M). The theorem
follows from equivalences (4), (5), (6).
(4) begin K; M end ~ M' off ({q}).
M': begin
      q := true; K₁;
      while (q ∧ γ₁) ∨ (¬q ∧ γ₂) do
        if (γ₁ ∧ q) then K₂ else
          if (¬γ₁ ∧ q) then
            M₁; q := false else M₂
          fi
        fi
      od
    end
(5) if γ then K else M fi ~ M'' off ({q}).
M'': begin
      q := γ;
      if q then K₁ else M₁ fi;
      while (q ∧ γ₁) ∨ (¬q ∧ γ₂) do
        if q then K₂ else M₂ fi
      od
    end
(6) while γ do K od ~ M''' off ({q}).
M''': begin
      q := true;
      while ((q ∧ γ) ∨ ¬q) do
        if (q ∧ γ) then K₁; q := false else
          if γ₁ then K₂ else q := true fi
        fi
      od
    end.
[Fig. 6.1 and Fig. 6.2: flow diagrams illustrating equivalences (4)–(6).]

The lengthy proofs of (4), (5) and (6) are omitted.
We shall illustrate equivalences (4)–(6) by the diagrams shown in
Figures 6.1 (p. 113) and 6.2 (p. 114). □

Theorem 6.4. For every program M there exists a program M' in the
normal form such that V(M') ⊇ V(M) and M ~ M' off (V(M') − V(M)).
Moreover, all variables from the set V(M') − V(M) are inessential for
the program M'. □

7. EQUALITY

In this and the next few sections we shall discuss some extensions of the
algorithmic language introduced in Chapter II. The character of these
extensions will differ. In this section we extend the alphabet by admitting
equality, in § 8 we extend the set of well-formed expressions by generalized
terms and parallel substitutions, and in § 9 we extend the notion
of data structure in order to discuss partial functions.
In all these extensions the corresponding notion of tautology can
be axiomatized and the Completeness Theorem can be proved.
Let us assume that the alphabet of algorithmic language L contains
the binary predicate of equality = .

Definition 7.1. We shall say that a data structure 𝔄 for algorithmic
language L is proper for equality iff the interpretation of = in the
structure 𝔄 is the identity relation. □

By algorithmic logic with identity we shall understand an extension
of the axiomatic system described in Chapter II, § 5, by additional
axioms characterizing predicate =.
(e1) x = x,
(e2) (x = y ⇒ y = x),
(e3) ((x = y ∧ y = z) ⇒ x = z),
(e4) for every n-argument functor φ ∈ Φ,
     ((x₁ = y₁ ∧ … ∧ xₙ = yₙ) ⇒ φ(x₁, …, xₙ) = φ(y₁, …, yₙ)),
(e5) for every n-argument predicate ϱ ∈ P,
     ((x₁ = y₁ ∧ … ∧ xₙ = yₙ) ⇒ (ϱ(x₁, …, xₙ) ≡ ϱ(y₁, …, yₙ))).
In all the above formulas x, y, z, x₁, …, xₙ, y₁, …, yₙ are individual
variables.
The first three axioms state that = is an equivalence relation, and
the last two concern the extensionality of =.
As an immediate consequence of the above axioms we have the
following corollary:

Corollary. For every term τ and every formula α in the algorithmic
language with equality
⊢ (x = y ⇒ τ(z/x) = τ(z/y)),
⊢ (x = y ⇒ α(z/x) ≡ α(z/y)). □

Algorithmic logic with identity is obviously consistent. Moreover
the following Completeness Theorem is a straightforward consequence
of Theorem 2.5 from Chapter III.

Theorem 7.1. For every formula α and every set of formulas A
(i) α is a theorem in a theory ⟨L, C, A⟩ based on algorithmic logic
with identity if and only if
(ii) α is valid in all models for A which are proper structures for identity.
The proof is analogous to that of Theorem 2.5 and is therefore
omitted. □

In Chapter II, § 3, we have seen properties (e.g. the strongest postcondition)
that are expressible in the language with identity. Now we shall
mention some others.

Lemma 7.2. Let M be a program and let α be a formula. Then the
formula
(1) ⋂Mα ≡ (∀y)(while ¬(x = y) do M od true ⇒ (α(x/y) ∧ M(x/y) true))
is a theorem of algorithmic logic with identity, where x is a sequence
x₁, …, xₙ of all variables which appear in Mα and y is a copy of x.
Proof. Let 𝔄 be a data structure proper for identity and let v be
a valuation in 𝔄.
Suppose
(2) 𝔄, v ⊨ (∀y)(while ¬(x = y) do M od true ⇒ (α(x/y) ∧ M(x/y) true))
and
𝔄, v ⊨ ¬⋂Mα.
Hence there exists a natural number i such that
(3) 𝔄, v ⊨ ¬Mⁱα and 𝔄, v ⊨ Mʲα for j < i.
By (2)
(4) 𝔄, v_ya ⊨ (while ¬(x = y) do M od true ⇒ (α(x/y) ∧ M(x/y) true))
for an arbitrary vector a of elements in 𝔄 which corresponds to y,
where v_ya is the natural extension to vectors of the notation v_{ya}
(cf. Chapter II, § 2).
Let us take as a the sequence a₁, …, aₙ such that
aⱼ = Mⁱ⁻¹𝔄(v)(xⱼ) for j ≤ n.
Thus
𝔄, v_ya ⊨ Mⁱ⁻¹(x = y)
and therefore 𝔄, v_ya ⊨ while ¬(x = y) do M od true. As a consequence
of (4) we obtain
𝔄, v_ya ⊨ M(x/y) true, i.e. 𝔄, v ⊨ Mⁱ true.
Let us take as a the sequence a₁, …, aₙ such that
aⱼ = Mⁱ𝔄(v)(xⱼ) for all 1 ≤ j ≤ n.
Thus
𝔄, v_ya ⊨ Mⁱ(x = y)
and therefore
𝔄, v_ya ⊨ while ¬(x = y) do M od true.
By (4) we obtain
𝔄, v_ya ⊨ α(x/y), i.e. 𝔄, v ⊨ Mⁱα,
a contradiction.
The converse implication can be proved analogously. Hence formula (1)
is valid for every data structure and every valuation. It follows
from the Completeness Theorem that formula (1) is a theorem
of algorithmic logic with identity. □

Note that Lemma 7.2 allows us to eliminate the iteration quantifier
from formulas of algorithmic logic.
The next property we shall discuss is the equivalence of programs.
It appears that in the language with identity, equivalence of programs
is expressible by a formula.

Lemma 7.3. For all programs M, M' and every set of variables VAR,
M ~ M' off VAR iff for every formula α such that V(α) ∩ VAR = ∅,
Mα ≡ M'α is a theorem of algorithmic logic with identity.
Proof. Assume Mα ≡ M'α is a theorem of algorithmic logic with
identity for every α such that V(α) ∩ VAR = ∅. Let 𝔄 be a data structure
proper for identity and v a valuation in 𝔄. By the Completeness
Theorem and by the assumption M𝔄(v) is defined iff M'𝔄(v) is defined.
Suppose that for some v, M𝔄(v), M'𝔄(v) are defined but that there
exists an individual variable x such that x ∉ VAR and
M𝔄(v)(x) ≠ M'𝔄(v)(x).
Let us consider the formula x = y, where y ∉ V(M) ∪ V(M'), and let
a = M𝔄(v)(x).
It follows from the above that
𝔄, v_ya ⊨ M(x = y) and non 𝔄, v_ya ⊨ M'(x = y).
Hence Mα ≡ M'α is not valid in 𝔄 for α the formula x = y, a contradiction.
The converse implication has already been proved in Lemma 6.1. □

Lemma 7.4. Programs K and M are equivalent up to the set of variables
VAR if and only if the following formula is a theorem of algorithmic
logic with identity.
(5) (¬(K true ∨ M true) ∨ (K true ∧ M true ∧ ⋀_{j≤m} (Kqⱼ ≡ Mqⱼ) ∧
    ⋀_{i≤n} (K(xᵢ = yᵢ) ≡ M(xᵢ = yᵢ)))),
where
x₁, …, xₙ are individual variables such that
{x₁, …, xₙ} = Vᵢ ∩ (V(K) ∪ V(M)) − VAR,
q₁, …, q_m are propositional variables such that
{q₁, …, q_m} = V₀ ∩ (V(K) ∪ V(M)) − VAR,
y₁, …, yₙ are individual variables such that for 1 ≤ j ≤ n
yⱼ ∉ V(M) ∪ V(K) ∪ VAR. □

8. GENERALIZED TERMS

Every term defines a total function in a data structure. However, an
important role is played by partial functions in some situations. How
are they to be described in algorithmic language? The solution is based
on the notion of generalized term.

Definition 8.1. By the set of generalized terms we shall understand
an extension of the set T by the following rule: if τ is a term and M is
a program, then Mτ is a term. □

Let 𝔄 be a data structure for the language L. The semantics of generalized
terms is as follows: For every τ, τ𝔄 is a partial function in the
set of all valuations in 𝔄 such that
x𝔄(v) = v(x);
φ(τ₁, …, τₙ)𝔄(v) = φ𝔄(τ₁𝔄(v), …, τₙ𝔄(v)) if τ₁𝔄(v), …, τₙ𝔄(v) are defined,
                  undefined otherwise;
(Kτ)𝔄(v) = τ𝔄(v') if K𝔄(v) is defined and v' = K𝔄(v),
           undefined otherwise,
where x is an individual variable, φ is an n-argument functor, τ₁, …, τₙ,
τ are generalized terms and K is a program.

Example 8.1. Let M be the following program:
begin x := 0; while x + 1 ≠ y do x := x + 1 od end.
The generalized term Mx in the data structure 𝔑 of natural numbers
is defined if and only if the value of y is not equal to zero. Moreover,
for every valuation v in 𝔑,
(Mx)𝔑(v) = n iff n + 1 = v(y). □

One of the most important properties of generalized terms is the
existence of the normal form. Our considerations are based on the following
lemma which is an immediate consequence of the definition
of semantics. In this section we shall read equality τ𝔄(v) = τ'𝔄(v) in the
following way: τ𝔄(v) is defined iff τ'𝔄(v) is defined and if values of both
sides are defined then they are identical.

Lemma 8.1. For every data structure 𝔄 and every valuation v
(Kφ(τ₁, …, τₙ))𝔄(v) = φ𝔄((Kτ₁)𝔄(v), …, (Kτₙ)𝔄(v)),
where K is an arbitrary program, τ₁, …, τₙ are arbitrary generalized
terms and φ is an n-argument functor. □

Definition 8.2. We shall say that a generalized term τ is in the normal
form iff τ = Mη, where M is a program and η is a term (classical, not
generalized!). □

Lemma 8.2. For every generalized term τ there exists a generalized
term in the normal form Mη such that for every data structure 𝔄 and
every valuation v in 𝔄
τ𝔄(v) = (Mη)𝔄(v).
Proof. The proof is by induction on the length of the generalized term.
Lemma 8.2 obviously holds for all classical terms. Let us consider
a generalized term φ(τ₁, …, τₙ) and by the inductive assumption, let
Mᵢηᵢ for i ≤ n be the generalized terms in the normal form such that
(Mᵢηᵢ)𝔄(v) = τᵢ𝔄(v), 1 ≤ i ≤ n,
for every data structure 𝔄 and every valuation v. Hence
φ(τ₁, …, τₙ)𝔄(v) = φ𝔄((M₁η₁)𝔄(v), …, (Mₙηₙ)𝔄(v)).
Let xᵢ = (xᵢ₁, …, xᵢₘ) be the sequence of all variables that occur
in Mᵢηᵢ for i ≤ n, and let yᵢ = (yᵢ₁, …, yᵢₘ) be a copy of xᵢ such that
yᵢ ⊂ V − ⋃ⱼ V(Mⱼηⱼ) and yᵢ ∩ yⱼ = ∅ for i ≠ j.
Let sᵢ denote the program
begin yᵢ₁ := xᵢ₁; …; yᵢₘ := xᵢₘ end
and let Mᵢ(xᵢ/yᵢ), ηᵢ(xᵢ/yᵢ) be copies of the program Mᵢ and the term ηᵢ.
The generalized term
τ = s₁M₁(x₁/y₁) … sₙMₙ(xₙ/yₙ) φ(η₁(x₁/y₁), …, ηₙ(xₙ/yₙ))
is in the normal form and for every data structure 𝔄 and valuation v,
τ𝔄(v) = φ𝔄(τ₁𝔄(v), …, τₙ𝔄(v)).
It remains to consider a generalized term of the form Mτ. By the
inductive assumption there exists a normalized term Kη for τ such that
(Kη)𝔄(v) = τ𝔄(v)
for all 𝔄 and v.
Thus begin M; K end η is a generalized term in the normal form
such that for all 𝔄 and v,
(begin M; K end η)𝔄(v) = (Mτ)𝔄(v). □

Let L' be an extension of an algorithmic language L by generalized
terms such that if ϱ is an n-argument predicate and τ₁, …, τₙ are arbitrary
generalized terms then the expression
(1) ϱ(τ₁, …, τₙ)
is a formula.
We shall assume the following interpretation. For every data structure
𝔄 and every valuation v
ϱ(τ₁, …, τₙ)𝔄(v) = ϱ𝔄(τ₁𝔄(v), …, τₙ𝔄(v)) if τᵢ𝔄(v) is defined for all i ≤ n,
                  0 otherwise.

Remark. The formula of form (1) should not be considered as an
elementary one. □

Lemma 8.3. For every formula of the form (1) there exists a program
K and terms η₁, …, ηₙ such that
⊨ ϱ(τ₁, …, τₙ) ≡ Kϱ(η₁, …, ηₙ).
The proof is similar to the proof of Lemma 8.2. □



The result of Lemma 8.3 can be generalized to the set of all formulas.
Lemma 8.4. For every formula α of the language L' there exists a formula
χ(α) of the language L such that
⊨ α ≡ χ(α).
The details of mapping χ can be found in Mirkowska, 1975. □

Lemma 8.4 states that the extension L' of an algorithmic language
is not essential.
Let us now consider the problem of axiomatization of algorithmic
logic with generalized terms. Obviously, all the axioms and rules mentioned
in Chapter II, § 5, are still valid. However, to obtain a complete
characterization of the set of tautologies of the language L' it is necessary
to characterize the behaviour of generalized terms.
The following theorem gives a solution to the problem.

Theorem 8.5. For every set of formulas A and every formula α of the
language L' the following conditions are equivalent:
(i) α is valid in every model of the set A;
(ii) α has a formal proof from the set A extended by the formulas
of the form
Mϱ(τ₁, …, τₙ) ≡ ϱ(Mτ₁, …, Mτₙ),
e ( r £, r j == •••> *„)),
where ϱ is an n-argument predicate, M is a program and τ₁, …, τₙ are
arbitrary generalized terms. □

9. PARTIAL FUNCTIONS

We have so far discussed data structures for the algorithmic language
in which functors have been interpreted as total functions. In this section
we shall extend the notion of data structure to the class of relational
systems with partial operations.
Let L be an algorithmic language of the type
By a partial data structure for L we shall understand a relational system
such that
(i) for every n-argument predicate ϱ of L, ϱ𝔄 is an n-argument
relation in A,
(ii) for every n-argument functor φ of L, φ𝔄 is an n-argument
partial operation in A,
(iii) for every n_φ-argument functor φ ∈ Φ there exists an n_φ-argument
relation ϱ_φ ∈ P such that for arbitrary elements a₁, …, a_{n_φ}, φ𝔄(a₁, …, a_{n_φ})
is defined iff (a₁, …, a_{n_φ}) ∈ ϱ_φ𝔄.
For a given data structure 𝔄 and valuation v we shall define the
semantics of terms and open formulas as in Chapter II, § 2, with some
exceptions:
φ(τ₁, …, τₙ)𝔄(v) = φ𝔄(τ₁𝔄(v), …, τₙ𝔄(v)) if τᵢ𝔄(v) is defined for all i ≤ n,
                  undefined otherwise,
ϱ(τ₁, …, τₙ)𝔄(v) = ϱ𝔄(τ₁𝔄(v), …, τₙ𝔄(v)) if τᵢ𝔄(v) is defined for all i ≤ n,
                  0 otherwise.
Let τ be a term and let E(τ) be an open formula of L such that
E(x) = true for x ∈ Vᵢ,
E(φ(τ₁, …, τₙ)) = ϱ_φ(τ₁, …, τₙ) for τᵢ ∈ T and φ ∈ Φ.
Analogously, for an arbitrary open formula γ we shall define an
open formula E(γ) of the language L such that
E(q) = true for q ∈ V₀,
E(ϱ(τ₁, …, τₙ)) = ⋀_{i≤n} E(τᵢ) for τᵢ ∈ T, ϱ ∈ P,
E(γ ∧ β) = E(γ ∨ β) = E(γ) ∧ E(β) for β ∈ F₀,
E(¬γ) = E(γ).
The sense of the formula E(w), where w is a term or an open formula,
is given by the following equivalence: for arbitrary data structure 𝔄
and valuation v,
𝔄, v ⊨pf E(w) iff for every subterm φ(τ₁, …, τₙ) of the
               expression w the sequence (τ₁𝔄(v), …, τₙ𝔄(v))
               belongs to the domain of the function φ𝔄.
We shall write ⊨pf to underline the fact that the satisfiability relation
concerns the class of partial data structures.
The formulas E(τ) and E(γ) play an important role in the definition
of the semantics of programs:
(x := w)𝔄(v) = v' if 𝔄, v ⊨pf E(w) and v'(x) = w𝔄(v),
                  v'(z) = v(z) for all z ≠ x,
               undefined otherwise,
(if γ then M else M' fi)𝔄(v) = M𝔄(v) if 𝔄, v ⊨pf E(γ) ∧ γ
                                  and M𝔄(v) is defined,
                               M'𝔄(v) if 𝔄, v ⊨pf E(γ) ∧ ¬γ
                                  and M'𝔄(v) is defined,
                               undefined otherwise,
(begin K; M end)𝔄(v) = M𝔄(v') if K𝔄(v) is defined and
                          M𝔄(v') is defined for v' = K𝔄(v),
                       undefined otherwise,
(while γ do M od)𝔄(v) = Mⁱ𝔄(v) if Mʲ𝔄(v) is defined for all j ≤ i,
                           𝔄, v ⊨pf Mʲ(E(γ) ∧ γ) for j < i,
                           𝔄, v ⊨pf Mⁱ(E(γ) ∧ ¬γ),
                        undefined otherwise.
In all the above expressions τ is a term, γ is an open formula, and K,
M are arbitrary programs.
Let us note that the result of a program is not defined whenever
we find an operation whose arguments do not belong to the domain
of the operation. This implies the existence of computations which are
finite sequences but which have no results. We shall call such computations
unsuccessful to distinguish them from those finite computations
which do possess results and which are termed successful computations.
The meaning of the formula Kα is now as follows: for every data
structure 𝔄 and every valuation v
𝔄, v ⊨pf Kα iff there exists a successful computation of
               K from the initial valuation v in 𝔄
               whose result satisfies the formula α.

In particular 𝔄, v ⊨pf K true means the program K has a successful
computation from the valuation v in 𝔄. Let us consider the negation
of the formula K true. 𝔄, v ⊨pf ¬K true if and only if program K does
not possess a successful computation from the valuation v in 𝔄.
The last sentence implies that the computation of K is either infinite or
unsuccessful. The property “program K has an infinite computation”
is expressible in the language L by the formula loop(K) (see Chapter
II, § 3). Is it possible to express the other property by a formula?
The following lemma provides a positive answer to this question.

Lemma 9.1. For every program K of the language L there exists a formula
fail(K) of L such that for every data structure 𝔄 and every valuation v
𝔄, v ⊨pf fail(K) iff there exists an unsuccessful computation
                  of K from v in 𝔄.
Proof. Let us consider the following recursive definition
fail(x := w) = ¬E(w),
fail(begin K; M end) = fail(K) ∨ K fail(M),
fail(if γ then M else K fi)
   = (E(γ) ⇒ ((γ ∧ fail(M)) ∨ (¬γ ∧ fail(K)))),
fail(while γ do M od)
   = ⋃ if γ then M fi (E(γ) ⇒ (γ ∧ fail(M))).
The lemma follows immediately from the definition of semantics and the
construction of the formula fail(K). □

To summarize our considerations let us note two tautologies
(1) ⊨pf K true ≡ (¬loop(K) ∧ ¬fail(K)),
(2) ⊨pf (loop(K) ⇒ ¬fail(K)).
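The semantics of this section and the formula fail(K) of Lemma 9.1, executed on sample programs: an added example written in Python, not the book's code. The representation of terms, open formulas and programs, the two partial functors with their domain predicates, and the sample programs are all assumptions of the example.

```python
# Added example (not the book's code): an interpreter for the partial-structure semantics
# of Section 9 over the naturals, with '-' defined iff a >= b and '/' iff b != 0 (DOM holds
# the domain predicates rho_phi). Assumed representation: terms are an int, a variable
# name or (functor, t1, t2); open formulas True, ('=', t1, t2), ('not', g), ('and', g1, g2);
# programs ('assign', x, t), ('seq', K, M), ('if', g, M, K), ('while', g, M).
OPS = {'+': lambda a, b: a + b, '-': lambda a, b: a - b, '/': lambda a, b: a // b}
DOM = {'+': lambda a, b: True, '-': lambda a, b: a >= b, '/': lambda a, b: b != 0}

def term(t, v):
    """Value of t at valuation v, or None when undefined."""
    if isinstance(t, int):
        return t
    if isinstance(t, str):
        return v[t]
    f, a, b = t
    x, y = term(a, v), term(b, v)
    return None if x is None or y is None or not DOM[f](x, y) else OPS[f](x, y)

def formula(g, v):
    """Open formula value in {0, 1}; an elementary formula with an undefined argument is 0
    (so its negation is 1, although E of the formula is false)."""
    if g is True:
        return 1
    if g[0] == '=':
        x, y = term(g[1], v), term(g[2], v)
        return int(x is not None and y is not None and x == y)
    if g[0] == 'not':
        return 1 - formula(g[1], v)
    return formula(g[1], v) & formula(g[2], v)

def E(w, v):
    """The definedness formula E(w) by its recursive definition: rho_phi for a functor
    application, conjunction over a predicate's arguments, E(not g) = E(g)."""
    if isinstance(w, (int, str)):
        return 1
    if w[0] in OPS:
        x, y = term(w[1], v), term(w[2], v)
        return int(x is not None and y is not None and DOM[w[0]](x, y))
    if w[0] == 'not':
        return E(w[1], v)
    return E(w[1], v) & E(w[2], v)

def compute(prog, v, fuel=1000):
    """('success', v'), 'fail' (undefined argument, or a guard with E false) or 'loop'.
    Assumption: a repeated configuration, or exhausted fuel, counts as an infinite
    computation; exact for the sample programs, which repeat a state when they do not stop."""
    v, stack, seen = dict(v), [prog], set()
    while stack:
        conf = (tuple(id(p) for p in stack), tuple(sorted(v.items())))
        if conf in seen or fuel == 0:
            return 'loop'
        seen.add(conf)
        fuel -= 1
        p = stack.pop()
        if p[0] == 'assign':
            val = term(p[2], v)
            if val is None:                  # not E(t): unsuccessful computation
                return 'fail'
            v[p[1]] = val
        elif p[0] == 'seq':
            stack += [p[2], p[1]]
        elif not E(p[1], v):                 # if / while with an undefined guard
            return 'fail'
        elif p[0] == 'if':
            stack.append(p[2] if formula(p[1], v) else p[3])
        elif formula(p[1], v):               # while: run the body, then test again
            stack += [p, p[2]]
    return ('success', v)

def fail(prog, v):
    """Truth value at v of the formula fail(prog) from the proof of Lemma 9.1; the
    modality K fail(M) and the iteration quantifier are evaluated by running programs."""
    kind, g = prog[0], prog[1]
    if kind == 'assign':
        return not E(prog[2], v)
    if kind == 'seq':                        # fail(K) or K fail(M)
        r = compute(prog[1], v)
        return fail(prog[1], v) or (isinstance(r, tuple) and fail(prog[2], r[1]))
    if kind == 'if':                         # E(g) => (g and fail(M) or not g and fail(K))
        return not E(g, v) or (fail(prog[2], v) if formula(g, v) else fail(prog[3], v))
    w, seen = dict(v), set()                 # while: iterate 'if g then M fi' from v
    while tuple(sorted(w.items())) not in seen:
        seen.add(tuple(sorted(w.items())))
        if not E(g, w) or (formula(g, w) and fail(prog[2], w)):
            return True
        r = compute(prog[2], w) if formula(g, w) else None
        if not isinstance(r, tuple):         # loop left, or M diverges: no further iterate
            return False
        w = r[1]
    return False

SKIP = ('assign', 'x', 'x')
# while x != 0 do x := x - y od: stops on (4, 2), fails on (3, 2), loops on (4, 0).
PROG = ('while', ('not', ('=', 'x', 0)), ('assign', 'x', ('-', 'x', 'y')))
# if x - y = 0 then skip else skip fi: for x < y the guard is 0 and E(guard) is false,
# so the computation is unsuccessful although 'not (x - y = 0)' would evaluate to 1.
GUARD = ('if', ('=', ('-', 'x', 'y'), 0), SKIP, SKIP)

def classify(prog, x, y):
    r = compute(prog, {'x': x, 'y': y})
    return r[0] if isinstance(r, tuple) else r

def lemma_9_1_holds(prog, limit=6):
    """fail(prog) holds exactly at the valuations with an unsuccessful computation."""
    return all(bool(fail(prog, {'x': x, 'y': y})) == (classify(prog, x, y) == 'fail')
               for x in range(limit) for y in range(limit))
```

The three outcomes of `compute` are exclusive, which is tautology (1) read operationally: K true holds exactly when the computation is neither infinite nor unsuccessful.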
We now turn to the problem of axiomatization. It is easy to observe
that the set of all formulas valid in any data structure is closed with
respect to all the inference rules mentioned in Chapter II, § 5. Moreover,
if a formula α is valid in every data structure with partial operations
then it is valid in every data structure with total operations,
(3) ⊨pf α implies ⊨ α.
The converse is not true. In particular axioms Ax12, Ax13, Ax22 and
Ax23 of AL (cf. Chapter II, § 5) are no longer valid.
Let Axpf be the set of formulas which contains all the axioms of the
system AL except for Ax12, Ax13, Ax22, Ax23 and the following schemes

(s true ⇒ (sγ ≡ sγ)),          E(τ) ≡ (x := τ) true,
(s true ⇒ (s¬α ≡ ¬(sα))),      E(γ) ≡ (q := γ) true,
if γ then M else M' fi α ≡ E(γ) ∧ (γ ∧ Mα ∨ ¬γ ∧ M'α),
while γ do M od α
   ≡ E(γ) ∧ (¬γ ∧ α ∨ γ ∧ M(E(γ) ∧ while γ do M od α)),
where s is an assignment instruction, M, M' are programs, γ is an
open formula and α is an arbitrary formula.
Let Cpf be a syntactical consequence operation such that for every
set of formulas Z, Cpf(Z) is the smallest set containing Z ∪ Axpf and
which is closed with respect to the rules of inference r1–r6 (cf. Chapter
II, § 5). To denote that α ∈ Cpf(Z) we shall write Z ⊢pf α for short.

Lemma 9.2. For an arbitrary formula α and arbitrary set of formulas Z,
Z ⊢pf α implies Z ⊨pf α.
The proof is by verification of all axioms and rules of inference. □

By the Completeness Theorem for AL and property (3) we obtain
(4) ⊢pf α implies ⊢ α
for every formula α of the language L.
The logic introduced here is consistent. Furthermore, if a data
structure 𝔄 with total operations is a model of a theory ⟨L, C, A⟩,
then 𝔄 is a model of ⟨L, Cpf, A⟩. This implies the following lemma:

Lemma 9.3. If ⟨L, C, A⟩ is a consistent algorithmic theory, then the
theory ⟨L, Cpf, A⟩ is also consistent. □

The model existence theorem and the Completeness Theorems are
also valid. The method of proof is in both cases similar to that presented
in Chapter III, § 2.

Theorem 9.4.
(i) If a theory ⟨L, Cpf, A⟩ is consistent, then it has a model.
(ii) For every consistent theory T = ⟨L, Cpf, A⟩ and for every formula
α of L
A ⊢pf α iff 𝔄 ⊨pf α for the arbitrary partial data structure
𝔄 which is a model of A. □

10. MANY SORTED STRUCTURES

Many-sorted data structures frequently appear in programming, e.g.
stacks, dictionaries, etc. (cf. Chapter IV). These structures have functions
and relations whose arguments are of different sorts, e.g. the
relation “e is a member of stack s” has two arguments: s, which is
a stack, and e, which is an element of the stack.
In this section we shall examine an algorithmic language which
is convenient for discussing many-sorted data structures. In a way
this extends what we did in the previous sections.
Let V be a set of propositional and individual variables, P a set of
predicates and Φ a set of functors of a certain algorithmic language. Let
𝔖 be a set; its elements will be called sorts or types. We shall make the
following assumptions:
(1) The set of all individual variables consists of disjoint sets Vⱼ
for every j ∈ 𝔖; if x ∈ Vⱼ, then j is called the type of x.
(2) For every n-argument predicate ϱ ∈ P we define a type of predicate
ϱ as a sequence (j₁ × … × jₙ) of sorts.
(3) For every n-argument functor φ ∈ Φ we define a type of functor φ
as a sequence (j₁ × … × jₙ → j) of sorts and a predicate ϱ_φ of type
(j₁ × … × jₙ).
A many sorted algorithmic language Lm is defined like an algorithmic
language but there are some natural differences in the definitions of
terms, elementary formulas and assignment instructions (which result
from assumptions (1), (2) and (3)). In all these expressions we shall
take care of the types of variables and the types of functors and
predicates.

Definition 10.1. The set of all terms Tm is the least set of expressions
such that:
(i) if x ∈ Vⱼ for j ∈ 𝔖, then x is a term of type j,
(ii) if φ is an n-argument functor of type (j₁ × … × jₙ → j) and τᵢ
is a term of type jᵢ for i ≤ n, then φ(τ₁, …, τₙ) is a term of type j. □

Definition 10.2. The set of all elementary formulas is the least set
of expressions such that if ϱ is an n-argument predicate of type (j₁ × … × jₙ)
and τ₁, …, τₙ are terms whose types are j₁, …, jₙ respectively, then the
expression ϱ(τ₁, …, τₙ) is an elementary formula. □

Definition 10.3. The set of all assignment instructions consists of all
expressions of the form (q := γ), where q is a propositional variable
and γ is an open formula, together with all expressions of the form (x := τ),
where x is an individual variable and τ is a term such that if x ∈ Vⱼ, then
the type of τ is also j. □

For the rest of this section let Lm be a fixed many sorted algorithmic
language and let Lpf be a fixed partial function language based on the
same alphabet (cf. Chapter III, § 9). It may be easily observed that Lpf
is an extension of Lm.

Definition 10.4. By a data structure for the language Lm we shall
understand a heterogeneous structure
𝔄 = ⟨A, {φ𝔄}_{φ∈Φ}, {ϱ𝔄}_{ϱ∈P}⟩
such that
(i) A = ⋃_{j∈𝔖} Aⱼ for some non-empty, disjoint sets Aⱼ,
(ii) for every n-argument predicate ϱ of type (j₁ × … × jₙ),
ϱ𝔄 ⊂ A_{j₁} × … × A_{jₙ},
(iii) for every n-argument functor φ of type (j₁ × … × jₙ → j), φ𝔄
is a partial function such that
φ𝔄: A_{j₁} × … × A_{jₙ} → Aⱼ
and for arbitrary a₁, …, aₙ, φ𝔄(a₁, …, aₙ) is defined iff aᵢ ∈ A_{jᵢ} for
i ≤ n and (a₁, …, aₙ) ∈ ϱ_φ𝔄.
The structure defined above will be called a many-sorted data structure. □

It follows from the last definition that every partial data structure
for the language Lpf can be considered as a many sorted data structure
for the corresponding many sorted language Lm (cf. Chapter III, § 9).
If 𝔄pf = ⟨A, {φ𝔄pf}_{φ∈Φ}, {ϱ𝔄pf}_{ϱ∈P}⟩ is a data structure for Lpf,
then the following structure
(4) 𝔄 = ⟨⋃_{j∈𝔖} Aⱼ, {φ𝔄}_{φ∈Φ}, {ϱ𝔄}_{ϱ∈P}⟩,
where Aⱼ = A × {j} for j ∈ 𝔖 and for every functor φ of the type
(j₁ × … × jₙ) → j
φ𝔄((a₁, j₁), …, (aₙ, jₙ)) = (φ𝔄pf(a₁, …, aₙ), j) if φ𝔄pf(a₁, …, aₙ) is defined,
                             undefined otherwise
and for every predicate ϱ of the type (j₁ × … × jₙ)
ϱ𝔄((a₁, j₁), …, (aₙ, jₙ)) ≡ ϱ𝔄pf(a₁, …, aₙ)
is a many sorted data structure for the language Lm which corresponds
to 𝔄pf.
Conversely, if 𝔄m = ⟨⋃_{j∈𝔖} Aⱼ, {φ𝔄m}_{φ∈Φ}, {ϱ𝔄m}_{ϱ∈P}⟩ is a many sorted
data structure for the language Lm, then we can define a corresponding
partial data structure
(5) 𝔄 = ⟨A, {φ𝔄}_{φ∈Φ}, {ϱ𝔄}_{ϱ∈P}⟩
such that:
(a) A = ⋃_{j∈𝔖} Aⱼ,
(b) for every n-argument predicate ϱ of the type (j₁ × … × jₙ),
(a₁, …, aₙ) ∈ ϱ𝔄 iff aᵢ ∈ A_{jᵢ} for i ≤ n and (a₁, …, aₙ) ∈ ϱ𝔄m,
(c) for every n-argument functor φ of the type (j₁ × … × jₙ → j),
φ𝔄(a₁, …, aₙ) is defined iff (a₁, …, aₙ) ∈ ϱ_φ𝔄 and if φ𝔄(a₁, …, aₙ)
is defined, then φ𝔄(a₁, …, aₙ) = φ𝔄m(a₁, …, aₙ) for arbitrary elements
a₁, …, aₙ.
The semantics of a many sorted algorithmic language is defined in
exactly the same way as for the language of algorithmic logic with
partial functors. However we shall consider only those valuations of
individual variables which are compatible with types. A strict definition
follows.
By a valuation in a many sorted data structure for Lm we shall understand
a mapping
v: V → A ∪ {1, 0},
such that v(q) ∈ {1, 0} for all q ∈ V₀ and for j ∈ 𝔖
(6) v(x) ∈ Aⱼ iff x ∈ Vⱼ.
Let us denote by ⊨m a satisfiability relation for the language Lm.
Let 𝔄pf be a partial structure for Lpf and let 𝔄 be a corresponding
structure for the language Lm, defined by (4).
Lemma 10.1. For every formula α of Lm and for every valuation v in 𝔄,
𝔄pf, v ⊨pf α iff 𝔄, v ⊨m α.
The proof follows directly from the assumed definitions. □

Corollary. For every formula α ∈ L,
𝔄pf ⊨pf α iff 𝔄 ⊨m α. □

Let 𝔄m be a many sorted data structure for Lm and 𝔄 the corresponding
data structure for the language Lpf as defined in (5).

Lemma 10.2. For every formula α of Lm and for every valuation v which
satisfies condition (6) the following equivalence holds
𝔄m, v ⊨m α iff 𝔄, v ⊨pf α.
Proof. It suffices to determine whether the lemma holds for elementary
formulas.
Let φ be an n-argument functor of the type (j₁ × … × jₙ → j) and let
xᵢ ∈ V_{jᵢ} for i ≤ n. φ(x₁, …, xₙ)𝔄m(v) is then defined iff φ𝔄m(a₁, …, aₙ)
is defined for aᵢ = v(xᵢ), where i ≤ n. Hence by assumption (3) and
Definition 10.4, (a₁, …, aₙ) ∈ ϱ_φ𝔄m and v(xᵢ) ∈ A_{jᵢ}. This is equivalent
by (5) to (a₁, …, aₙ) ∈ ϱ_φ𝔄 and therefore φ(x₁, …, xₙ)𝔄(v) is defined.
Thus by induction on the length of term τ we can prove that τ𝔄m(v)
is defined if and only if τ𝔄(v) is defined and, moreover
(7) τ𝔄m(v) = τ𝔄(v).
Let ϱ be a predicate of type (j₁ × … × jₙ) and let τ₁, …, τₙ be terms
whose types of results are j₁, …, jₙ, respectively. 𝔄m, v ⊨m ϱ(τ₁, …, τₙ)
iff (a₁, …, aₙ) ∈ ϱ𝔄m for τᵢ𝔄m(v) defined and equal to aᵢ, i ≤ n, where
aᵢ ∈ A_{jᵢ}. Hence by (7) and the definition of the structure 𝔄 we obtain
τᵢ𝔄(v) is defined, aᵢ = τᵢ𝔄(v) ∈ A_{jᵢ} and (a₁, …, aₙ) ∈ ϱ𝔄.
This last property is equivalent to 𝔄, v ⊨pf ϱ(τ₁, …, τₙ). Hence
𝔄m, v ⊨m ϱ(τ₁, …, τₙ) iff 𝔄, v ⊨pf ϱ(τ₁, …, τₙ). □

Corollary. For every formula α of the language Lm,
(8) 𝔄 ⊨pf α implies 𝔄m ⊨m α. □

As a consequence of Lemmas 10.1 and 10.2 we have for every formula
α of the language Lm
⊨m α iff ⊨pf α,
and additionally for arbitrary set of formulas A of Lm
(9) A ⊨m α implies A ⊨pf α.
We can now easily verify that all instances of axioms of algorithmic
logic with partial functors which are formulas of Lm are valid in every
many sorted data structure. Furthermore, the set of valid formulas

of Lm is closed with respect to the inference rules of algorithmic logic
with partial functors (see Chapter III, § 9).
This justifies the following definition:
For every set of formulas A of the language Lm
α ∈ Cm(A) if and only if α is a formula of Lm and α ∈ Cpf(A).
It is clear that for an arbitrary set A of formulas of the language Lm,
(10) A ⊢m α implies A ⊨m α
and
(11) A ⊢pf α iff A ⊢m α.
Let T = ⟨Lm, Cm, A⟩ be a many sorted algorithmic theory. It follows
immediately from (11) that if a corresponding theory with partial
functors ⟨Lpf, Cpf, A⟩ is consistent then T is also consistent.
We now show that the Completeness Theorem is also valid for many
sorted algorithmic theories.

Theorem 10.3. For the arbitrary many sorted algorithmic theory
T = ⟨Lm, Cm, A⟩, A ⊨m α iff A ⊢m α.
Proof. Suppose A ⊨m α; by (9) we then have A ⊨pf α. Hence by
the Completeness Theorem for algorithmic theories with partial functors
we have A ⊢pf α and by (11) A ⊢m α.
This completes the proof by (10). □

11. DEFINABILITY AND PROGRAMMABILITY


Let L be an algorithmic language and let 𝔄 be a data structure for L.
Denote by A the universe of the structure 𝔄.

Definition 11.1. A relation r ⊂ Aⁿ is algorithmically definable in
a data structure 𝔄 iff there exists a formula α of the language L with
at least n variables x₁, …, xₙ such that for every valuation v
(v(x₁), …, v(xₙ)) ∈ r iff 𝔄, v ⊨ α(x₁, …, xₙ).
We shall also say that the formula α defines the relation r in the
structure 𝔄. □

Example 11.1. Let 𝔄 be the data structure of natural numbers with
zero-argument operation 0, the two-argument operation + of addition
and the two-argument binary relation = of identity.
For arbitrary natural numbers m, n we have
m ≤ n iff 𝔄, v ⊨ (z := 0) ⋃ (z := z + 1)(x + z = y),
where v(y) = n and v(x) = m.
Hence the relation ≤ is definable in the data structure 𝔄. □

Definition 11.2. A relation r ⊂ Aⁿ is programmable in the data structure
𝔄 iff it is definable by a formula of the form Kα, where K is a program
and α is an open formula.
We shall say that the relation r is strongly programmable in 𝔄 iff it
is programmable by the formula Kα and 𝔄 ⊨ K true. □

Example 11.2.
A. The formula
begin y := x; while y ≠ z do y := y · x od end true
defines the relation r in the data structure of real numbers such that
(x, z) ∈ r iff (∃n ∈ N) xⁿ = z.
B. Every recursive relation is strongly programmable in the data
structure of natural numbers. □

Lemma 11.1. If a relation r ⊂ Aⁿ is strongly programmable in 𝔄 by the
formula Kα, then the relation Aⁿ − r is programmable by the formula K¬α.
Proof. The above follows immediately from the tautology
(K true ⇒ (¬Kα ≡ K¬α)). □

Remark. A relation r is strongly programmable in 𝔄 iff its complement
is strongly programmable in 𝔄. □

The following theorem is an analogue of the Post Theorem in the
theory of recursive functions (cf. Rogers 1967).

Theorem 11.2. A relation r ⊂ Aⁿ is strongly programmable in the
structure 𝔄 iff both relation r and its complement Aⁿ − r are programmable
in 𝔄.

Proof. Let us suppose the relations r and $A^n - r$ are programmable
in $\mathfrak{A}$. Making use of the normal form theorem for programs (cf. Theorem 6.4)
we can assume that the relations are definable by formulas $K\alpha$ and $M\beta$ of the form:
begin K₁; while γ₁ do K₂ od end α,
begin M₁; while γ₂ do M₂ od end β,
where K₁, K₂, M₁, M₂ are while-free programs and γ₁, γ₂ are open
formulas.
Let x = (x₁, ..., xₘ) be a vector of all variables that occur in $K\alpha$
and let z be a copy of x such that $\{z_1, \ldots, z_m\} \cap V(M\beta) = \emptyset$. Let
K(z)α(z) be a copy of the formula $K\alpha$ obtained by the simultaneous
replacement of all occurrences of x₁, ..., xₘ by the corresponding
variables z₁, ..., zₘ. Finally let s denote the program begin z₁ := x₁; ...
...; zₘ := xₘ end and let q be a propositional variable such that
$q \notin V(K\alpha) \cup V(M\beta)$.
The program M'
begin s;
K₁(z); M₁; q := true;
while ((γ₁(z) ∧ q) ∨ (γ₂ ∧ ¬q)) do
if q then K₂(z) else M₂ fi;
q := ¬q
od
end
simulates the behaviour of both K and M. The programs K and M
are executed interchangeably at even and odd passes throughout the
loop of M'. The program M' terminates if the formula γ₁(z) or the
formula γ₂ holds after a finite number of steps. Note that for every valuation v in $\mathfrak{A}$ either $(v(x_1), \ldots, v(x_n)) \in r$ or $(v(x_1), \ldots, v(x_n)) \in A^n - r$.
Hence after a finite number of iterations either γ₁(z) or γ₂ will be falsified.
The latter implies that for every valuation v in $\mathfrak{A}$, the program
M' terminates, i.e. $\mathfrak{A} \models M'\,\mathrm{true}$, and
$(v(x_1), \ldots, v(x_n)) \in r$ iff $\mathfrak{A}, v \models M'((q \wedge \alpha(z)) \vee (\neg q \wedge \neg\beta(x)))$.

This completes the proof by Lemma 11.1. □
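The interleaving program M' of the proof, as an added, executable example that is not part of the book: two while-programs in normal form are represented as (init, guard, body) triples acting on a state, and they are run alternately under the switch q exactly as in M'. The two sample programs K and M are constructed for this illustration and are not from the original text: over the integers, K halts iff x ≥ 0 and M halts iff x < 0, so each programs one relation and loops forever on the other's inputs, while their interleaving always halts and decides x ≥ 0.

```python
# Added example (not the authors' code): the construction M' of Theorem 11.2.
# A normal-form program  begin K1; while g do K2 od end  is a triple
# (init, guard, body) acting on a dict-valued state {"x": ..., "y": ...}.
from typing import Callable, Dict, Tuple

State = Dict[str, int]
Program = Tuple[Callable[[State], None], Callable[[State], bool], Callable[[State], None]]

# K (constructed): y counts down from x to 0, so K halts iff x >= 0.
# "K true" therefore programs the relation r = {x : x >= 0} over the integers.
def k_init(st: State) -> None: st["y"] = st["x"]
def k_guard(st: State) -> bool: return st["y"] != 0
def k_body(st: State) -> None: st["y"] -= 1
K: Program = (k_init, k_guard, k_body)

# M (constructed): y counts up from x to -1, so M halts iff x < 0,
# i.e. "M true" programs the complement Z - r.
def m_init(st: State) -> None: st["y"] = st["x"]
def m_guard(st: State) -> bool: return st["y"] != -1
def m_body(st: State) -> None: st["y"] += 1
M: Program = (m_init, m_guard, m_body)

def run_bounded(prog: Program, x: int, max_steps: int = 1000) -> bool:
    """Run one program alone; True iff it halts within the step budget.
    (A program that loops on x, such as K on a negative x, exhausts the budget.)"""
    init, guard, body = prog
    st: State = {"x": x}
    init(st)
    for _ in range(max_steps):
        if not guard(st):
            return True
        body(st)
    return False

def interleave(prog_k: Program, prog_m: Program, x: int) -> bool:
    """The program M' of the proof.  K runs on its own copy z of the variables,
    M on the original ones; q selects whose guard and body are used on each pass."""
    init_k, guard_k, body_k = prog_k
    init_m, guard_m, body_m = prog_m
    z: State = {"x": x}; init_k(z)      # s; K1(z)
    st: State = {"x": x}; init_m(st)    # M1
    q = True                            # q := true
    while (guard_k(z) and q) or (guard_m(st) and not q):
        if q:
            body_k(z)                   # K2(z)
        else:
            body_m(st)                  # M2
        q = not q                       # q := ~q
    # The loop ends either with q = true (K's guard failed: K halted, x in r)
    # or with q = false (M halted, x in the complement).  With alpha = beta = true
    # the proof's formula (q and alpha(z)) or (not q and not beta) is just q.
    return q

def in_r(x: int) -> bool:
    """Decide x in r = {x : x >= 0} using only the two semi-deciders K and M."""
    return interleave(K, M, x)
```

Both K and M are total only on half of the integers, yet `in_r` terminates on every input: this is the content of Theorem 11.2, that programmability of a relation and of its complement together give strong programmability.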



Definition 11.3. The function $f\colon A^n \to A$ is algorithmically definable
in $\mathfrak{A}$ iff there exists a term τ with at least n individual variables x₁, ...,
xₙ such that for every valuation v in $\mathfrak{A}$
$\tau_{\mathfrak{A}}(v) = a$ iff $f(v(x_1), \ldots, v(x_n)) = a$. □

Let L be an algorithmic language which allows generalized terms
(see Section 7 of this chapter).

Definition 11.4. The function $f\colon A^n \to A$ is programmable in $\mathfrak{A}$ iff f
is algorithmically definable in $\mathfrak{A}$ by a generalized term Ky, where y is
an individual variable and K is a program with at least n individual
variables x₁, ..., xₙ. □

Remark. If a (total) function f is programmable in $\mathfrak{A}$ by the term Ky,
then $\mathfrak{A} \models K\,\mathrm{true}$. □

Example 11.3.
A. Let K be the following program
K: begin
y := 0; z := 0;
while z ≠ x₂ do
u := 0;
while u ≠ x₁ do
y := y + 1;
u := u + 1
od;
z := z + 1
od
end.
The term Ky defines, in the data structure of natural numbers $\mathfrak{A}$, the
function f(x₁, x₂) = x₁ · x₂, since for every valuation v in $\mathfrak{A}$ we have

$(Ky)_{\mathfrak{A}}(v) = a$ iff $v(x_1) \cdot v(x_2) = a$.

B. Every recursive function is programmable in the data structure
of natural numbers with zero and successor. □

The definition of programmability can be generalized to the class
of partial functions.

Definition 11.5. A partial function $f\colon A^n \to A$ is programmable in $\mathfrak{A}$
iff there exists a term Ky with free individual variables x₁, ..., xₙ, y such
that for every a₁, ..., aₙ, a ∈ A and for every valuation v satisfying v(xᵢ) = aᵢ:
(i) if f(a₁, ..., aₙ) is defined and f(a₁, ..., aₙ) = a, then $(Ky)_{\mathfrak{A}}(v) = a$,
(ii) if f(a₁, ..., aₙ) is not defined, then $K_{\mathfrak{A}}(v)$ is not defined either. □

Example 11.4. Every partial recursive function is programmable
in the structure of natural numbers with zero and successor. □

12. INESSENTIALITY OF DEFINITIONS

The problem of definitions will be now discussed in the formalized
theory T = ⟨L, C, A⟩.
The general idea is quite typical in mathematics: to form a new notion
by admission of a suitable definition. The aim of such a procedure
is twofold. It emphasizes and facilitates the investigation of an important
notion and clarifies our thinking by replacing several long statements
with a short one.
In what follows we shall see many examples of the formation of new
theories by assuming definitions of new functions and new relations
which are created by means of programs.
We shall mention here two characteristic forms of definitions in a formalized
theory. Our considerations are based on the fact, familiar
from Chapter II, that every term describes a function in a given data
structure and that every formula describes a relation.
Let T = ⟨L, C, A⟩ be an algorithmic theory.
Suppose α(x₁, ..., xₙ) is a formula in the language L with n free
variables. Let $\varrho_\alpha$ be a new n-ary predicate which appears neither in α
nor in any formula from A.
We shall call the formula

(1) $\varrho_\alpha(x_1, \ldots, x_n) \equiv \alpha(x_1, \ldots, x_n)$

a definition of the predicate $\varrho_\alpha$.
In algorithmic theories formula (1) usually has the form
$\varrho_\alpha(x_1, \ldots, x_n) \equiv K\alpha'$,
where K is a program, α' is an open formula and α = Kα'.

Assume additionally that L contains a binary predicate of equality.
Suppose τ is a term in L with n free individual variables x₁, ..., xₙ.
Let $\psi_\tau$ be a new n-argument functor which appears neither in τ nor in any
formula from the set of specific axioms of T.
We shall call the formula

(2) $\psi_\tau(x_1, \ldots, x_n) = \tau(x_1, \ldots, x_n)$

a definition of the functor $\psi_\tau$.
In algorithmic theories formula (2) usually has the form
$\psi_\tau(x_1, \ldots, x_n) = K\tau'(x_1, \ldots, x_n)$,
where τ = Kτ', K is a program and τ' is a term.
We form an extension L' of L by adding to L a set of predicates $\varrho_\alpha$
and a set of functors $\psi_\tau$ for some formulas α and terms τ of language L.
Let T' = ⟨L', C, A'⟩ be an extension of T = ⟨L, C, A⟩ such that A'
is obtained from A by simultaneously assuming definitions of form (1)
and (2) for all predicates $\varrho_\alpha$ and functors $\psi_\tau$.

Lemma 12.1. The theory T is consistent if and only if the theory T'
is consistent.
Proof. One implication is obvious, i.e. if T' is consistent then T is
also consistent.
To prove the converse, let us assume that $\mathfrak{M}$ is a model of T. We shall
construct an extension $\mathfrak{M}'$ of the data structure $\mathfrak{M}$ which will be a model
of T'. The universe of $\mathfrak{M}'$ is just the one of $\mathfrak{M}$ and for every n-argument
predicate ϱ and every n-argument functor ψ from the language L we put

$\varrho_{\mathfrak{M}'} = \varrho_{\mathfrak{M}}$ and $\psi_{\mathfrak{M}'} = \psi_{\mathfrak{M}}$.

For every n-argument predicate $\varrho_\alpha$ and n-argument functor $\psi_\tau$ from
the language L', if $\varrho_\alpha \equiv \alpha(x_1, \ldots, x_n)$ and $\psi_\tau = \tau(x_1, \ldots, x_n)$ are specific
axioms from the set A' − A, then for every j₁, ..., jₙ from $\mathfrak{M}$

$\varrho_{\alpha\,\mathfrak{M}'}(j_1, \ldots, j_n) = \alpha_{\mathfrak{M}}(v)$,
$\psi_{\tau\,\mathfrak{M}'}(j_1, \ldots, j_n) = \tau_{\mathfrak{M}}(v)$,

where v(xᵢ) = jᵢ for i ≤ n.
It follows from the above definition that $\mathfrak{M}'$ is a model of T'. Hence,
by the Model Existence Theorem, if the theory T is consistent then T'
is consistent. □

Theorem 12.2 (on inessentiality of definitions). The theory
T' = ⟨L', C, A'⟩ obtained from T = ⟨L, C, A⟩ by assuming definitions
(1), (2) is an inessential extension of T, i.e. for every α of the language
L, A ⊢ α iff A' ⊢ α.

Proof. Let us note that every theorem of T is a theorem of T' since
A ⊂ A' (cf. Chapter II, § 5).
If a formula β of the language L is not a theorem of T, then
non A ⊢ β. The latter implies that there exists a model $\mathfrak{M}$ of A which
is not a model of β. Hence, by the previous lemma, there exists an
extension $\mathfrak{M}'$ of the model $\mathfrak{M}$ such that $\mathfrak{M}' \models A'$ and non $\mathfrak{M}' \models \beta$.
This implies by the Completeness Theorem that non A' ⊢ β. □

Theorem 12.2 states that by admitting definitions of new predicates
or new functors we cannot prove anything new about the predicates
and functors of the old language.

BIBLIOGRAPHIC REMARKS

The Completeness Theorem for algorithmic logic was first proved
by Mirkowska (1971). The proof is based on the lemma on the existence
of Q-filters (cf. Rasiowa and Sikorski, 1968, p. 89). Another variant
of the Completeness Theorem with axioms for classical quantifiers
can be found in Banachowski (1977). That the Completeness Theorem
implies the definability of operational semantics by means of axioms
of algorithmic logic was observed by Salwicki (1980). The Gentzen-style
axiomatization for algorithmic logic was proposed by Mirkowska (1971)
and modified by Kreczmar (1974). The theorem on the normal form
of programs has a long history (cf. Harel, 1980); for algorithmic logic
it appeared in Mirkowska (1971) and Kreczmar (1974). Algorithmic
logic with partial functions was proposed by Petermann (1983); the
approach presented here is different.
CHAPTER IV

ALGORITHMIC PROPERTIES OF DATA STRUCTURES

1. DATA STRUCTURES IN PROGRAMMING

It is generally recognized in computer science that data structures are
of vital importance in programming. The number of papers devoted
to data structures is rapidly increasing. Nevertheless, no consensus
of opinion has been reached. In programming practice, data structures
are not treated in the right way. The languages currently in use have
no tools for dealing with data structures. Among theoreticians there
have been many attempts to define the semantics of programming
constructions such as program connectives, procedures, coroutines,
parallel processes and other constructs. There are numerous program
logics. Almost all of them assume that there exists a predefined first-order
theory of the data structure in question (cf. the theorems on relative
completeness in Floyd-Hoare logic (cf. Cook, 1978), and the arithmetical
completeness of dynamic logic (cf. Harel, 1979)). In this way the
problem of providing a logical theory for reasoning concerning data
structures and the program properties has been overlooked. There
are other theories which allow one to identify (or specify) a data structure;
as a rule they lack the tools for proving program properties.
The same observation applies to theories presenting the constructions
used in implementing data structures.
Here we propose a point of view which involves:
(1) conceiving data structures as heterogeneous algebraic systems,
(2) developing theories of data structures based on algorithmic
logic and
(3) studying not only algorithmic theories in themselves but also
the connections between them. We propose, namely, to study interpretations
as the formal counterpart of the software notion of implementation.
Many authors share the opinion that data structures are algebraic
systems.
We shall present below the expressive power of algorithmic formulas
and we shall apply these formulas in specifications of data structures.
Among theorems of algorithmic theories there are statements about
program properties as well as first-order sentences. The logical tools
of AL allow us to deduce new properties from those asserted earlier.
In the structure of interpretations mentioned in (3) we find some
interesting chains which start from “abstract” data structures and approach
“real” data structures, i.e. those which have already been implemented
in a computer, a virtual machine of a programming language
or in the library of software. An example of such chains will be presented
below where dictionaries are implemented in hash tables and
hash tables are implemented in arrays and queues.
In this way our approach reflects the natural influence process which
takes place when new algorithms require new data structures, and knowledge
of new data structures (or new properties of structures) enables
us to invent new algorithms.
One can view this connection from the point of view of a “theorist”:
(a) the fact that an algorithm is correct is a new theorem of a data
structure theory and
(b) a theory augmented by new facts increases our chances of improving
algorithms and the proofs of their properties.
The two main problems concerning data structures are, first, what
are the properties of a data structure and, second, how is the structure
implemented?
The first question is concerned with verification of programs. We wish
to examine program properties with respect to the axioms of a data
structure, separating this goal from the implementation problems.
It turns out that the first question provides a natural impetus for
developing theories (more or less formalized) which need algorithmic
language as an extension of first-order language, since the properties
they deal with are algorithmic (e.g. termination, correctness, equivalence
of programs, etc.).
It is astonishing to realize how many structure properties which cannot
be expressed in the first-order language are of an algorithmic nature.
To list a few: the property “y is a natural number” is expressed by the
formula
(x := 0)(while x ≠ y do x := s(x) od x = y),
similarly, “s is a stack”
(while ¬empty(s) do s := pop(s) od true),
“pq is a priority queue”
(while ¬empty(pq) do pq := delete(min(pq), pq) od true),
the axiom of Archimedes
(∀x, y)((x > 0 ∧ y > 0) ⇒ (z := y)(while z < x do z := z + y od true)),
the axiom of fields of characteristic zero
¬(x := 1)(while x ≠ 0 do x := x + 1 od true),
the axiom of torsion groups
(∀x)(z := x)(while z ≠ 1 do z := z · x od true),
the axiom of cyclic groups
(∃y)(∀x)(z := y)(while x ≠ z do z := z · y od true).
The second question can be approached in the following way. Suppose
we are considering two data structures $\mathfrak{A}$ and $\mathfrak{B}$ and their algorithmic
theories $T_{\mathfrak{A}}$ and $T_{\mathfrak{B}}$. We shall say that a data structure $\mathfrak{A}$ is implemented
in a data structure $\mathfrak{B}$ whenever there is an interpretation of the algorithmic
the theory $T_{\mathfrak{A}}$ in the algorithmic theory $T_{\mathfrak{B}}$. This in turn requires
an answer to the question “what is an interpretation relation among
algorithmic theories?” We shall not develop a theory of interpretation.
Instead we shall relate the examples of interpretations given below to
software units called classes. Examples of software are written in
LOGLAN. An acquaintance with prefixing, i.e. with the technique of
concatenable class declarations (cf. § 12 of this chapter) is desirable.
We hope the reader will see the connections. We call the reader’s attention
to the concatenation rule which is applied several times in the chapter
to type declarations. This device was introduced in SIMULA-67 and
still awaits recognition. Its properties are very interesting and worthy
of study. The technique is also called prefixing. Making use of prefixing
blocks by the names of units which introduce data structures
we can profit from the distinction made earlier between programming
in abstract data structures and implementations of data structures.
In this way one implementation of a data structure can serve different
programs. The advantages of such an approach are obvious.
Here we should mention another role of specification, namely that
it allows one to check the correctness of an implementation of a data
structure.

2. DICTIONARIES

A dictionary is a data structure for finite sets with the operations: insert,
delete, member. Dictionaries are important, being one of the most
frequently found data structures. They are used whenever we are
going to:
— ask whether an element of the universe is in a given finite set,
— increase a given finite set by insertion of an element, or
— delete an element from a finite set.
There are numerous examples of applications of dictionaries, e.g. in
library systems, control of contents of stores, etc. Later we shall also
see other examples of structures which are extensions of dictionaries.
Dictionaries form an abstract data type since they can be implemented
in various ways. Here we shall describe the algebraic structure of dictionaries.
In the next section we shall develop the algorithmic formalized
theory of the structure.

Definition 2.1. An algebraic structure is called a dictionary whenever
its carrier consists of the two disjoint subsets E, S called sorts, and
has the following operations:
empty: S → B₀,
member: E × S → B₀,
insert: E × S → S,
delete: E × S → S,
amember: S → E,
where amember is a partial operation defined iff its argument is not
empty, and the structure satisfies the following postulates:
(P1) (¬empty(s) ⇒ member(amember(s), s)),
(P2) empty(s) iff there exists no element e such that member(e, s),
(P3) for every s the instruction s := delete(amember(s), s) can
be repeated only finitely many times until s becomes empty, i.e. the following
program always terminates:
while ¬empty(s) do s := delete(amember(s), s) od,
(P4) for every e ∈ E, for every s ∈ S
member(e, insert(e, s)),
¬member(e, delete(e, s)),
(P5) for every e, e', s
(e' ≠ e ⇒ (member(e', s) ≡ member(e', insert(e, s)))),
(P6) for every e, e', s
(e' ≠ e ⇒ (member(e', s) ≡ member(e', delete(e, s)))). □

3. THEORY OF DICTIONARIES

In this section we present and study the formalized theory of dictionaries,
ATD, which is based on many-sorted algorithmic logic. In order
to specify ATD theory we must define its language L and the set of
specific axioms A.
L: The language of ATD
Three sets of variables are in the alphabet of the language:
V_E — the set of individual variables of the sort E,
V_S — the set of individual variables of the sort S,
V₀ — the set of propositional variables.
The set of functors contains:
in — the binary functor, in: E × S → S,
del — the binary functor, del: E × S → S,
amb — the unary functor, amb: S → E.
The set of predicates contains:
em — the unary predicate, em: S → B₀,
mb — the binary predicate, mb: E × S → B₀.
A — the set of specific, non-logical axioms of ATD:
A1 while ¬em(s) do s := del(amb(s), s) od true,
A2 mb(e, s) ≡ begin
s1 := s; bool := false;
while ¬em(s1) ∧ ¬bool do
e1 := amb(s1);
bool := (e1 = e);
s1 := del(e1, s1)
od
end bool,
A3 (s' := in(e, s))(mb(e, s') ∧ (e ≠ e' ⇒ mb(e', s) ≡ mb(e', s'))),
A4 (s' := del(e, s))(¬mb(e, s') ∧ (e ≠ e' ⇒ mb(e', s) ≡ mb(e', s'))),
A5 (¬em(s) ⇒ (e := amb(s)) true).

We shall prove below a few propositions in the ATD theory; they
are not difficult, and the proofs are given as examples of algorithmic
reasoning. The results of this section are used in the proof of the Representation
Theorem in the next section.

Proposition 3.1. The program M appearing in axiom A2 does not
loop, or more formally, the stopping formula M true is a theorem of
ATD theory.
Proof. First, observe that the formula
while ¬em(s1) do
e1 := amb(s1);
bool := (e1 = e);
s1 := del(e1, s1)
od true
is an easy consequence of axiom A1. Next, we can apply the rule

(α ⇒ β)
———————————————————————————————————————
(while β do K od true ⇒ while α do K od true)

obtaining
while ¬em(s1) ∧ ¬bool do
e1 := amb(s1);
bool := (e1 = e);
s1 := del(e1, s1)
od true.
Now, making use of the rule α / Mα we can precede the last formula
by the assignments
s1 := s; bool := false;
and applying the logical axiom
begin K; M end α ≡ K(Mα)
we obtain the desired result:
begin
s1 := s; bool := false;
while ¬em(s1) ∧ ¬bool do
e1 := amb(s1);
bool := (e1 = e);
s1 := del(e1, s1)
od
end true. □

Proposition 3.2.
ATD ⊢ (¬em(s) ⇒ (∃e)(e = amb(s))).
This is an immediate consequence of axiom A5. □

Proposition 3.3.
ATD ⊢ (¬em(s) ⇒ mb(amb(s), s)).

Proof. By axiom A5 and the axioms of algorithmic logic with partial
functors
ATD ⊢ (¬em(s) ⇒ (¬em(s) ∧ (e1 := amb(s))(e1 = amb(s)))).
Making use of the axiom for the assignment instruction
(s true ⇒ sγ ≡ sγ), where γ is an open formula,
we obtain
ATD ⊢ (¬em(s) ⇒ (¬em(s) ∧
begin
s1 := s; bool := false;
e1 := amb(s);
bool := (e1 = amb(s));
s1 := del(e1, s1)
end bool)).
From the axiom
while γ do M od α ≡ ((¬γ ∧ α) ∨ (γ ∧ M(while γ do M od α)))
we have
ATD ⊢ (begin s1 := s; bool := false end (¬em(s1) ∧ ¬bool ∧ M bool) ⇒ mb(amb(s), s)),
where M is the following program:
begin
e1 := amb(s);
bool := (e1 = amb(s));
s1 := del(e1, s1)
end.
Thus
ATD ⊢ (¬em(s) ⇒ mb(amb(s), s)). □

Proposition 3.4.
ATD ⊢ (em(s) ⇒ (∀e) ¬mb(e, s)).
The proof is by easy verification. Observe that the precondition
em(s) causes the formula mb(e, s) to be equivalent to
begin s1 := s; bool := false end bool,
i.e. to false, independently of the choice of e. □

We define below the equality relation in the set S. We shall prove
the usual properties of the equality relation (reflexivity, symmetry,
transitivity and extensionality) making use of this definition. Observe
that the definition is algorithmic and assures us that it is possible to
check the equality of s and s' mechanically. This is not always possible,
cf. the Banach and Mazur theory of recursive real numbers (cf. Mazur,
1963) where we can prove that all operations in the field of recursive
real numbers are effective but the equality of recursive real numbers
is not a computable relation.

Definition 3.1. For arbitrary s, s'
eq(s, s') ≡ begin
s1 := s; s2 := s';
boo := true;
while boo ∧ ¬em(s1) ∧ ¬em(s2) do
e1 := amb(s1);
boo := boo ∧ mb(e1, s2);
if boo then
s1 := del(e1, s1);
s2 := del(e1, s2)
fi
od
end (boo ∧ em(s1) ∧ em(s2)). □
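As an added example (not the authors' code), the following Python implements a dictionary on plain lists that supplies only the primitives em, amb, in and del of the language L, then computes mb by the program of axiom A2 and eq by the program of Definition 3.1, and checks axioms A1, A3, A4, A5 and the extensionality statement of Proposition 3.6 by enumeration over a small universe. The list representation (duplicates allowed, del removing every copy), the choice amb = last stored element, and the sample universe are constructed assumptions; the point is that membership and equality need nothing beyond the four primitives.

```python
# Added example, not from the book: an implementation of the dictionary
# primitives on lists, with mb and eq given by the programs of axiom A2 and
# Definition 3.1, and an exhaustive check of the specific axioms on a small
# universe.  amb returns the last stored element (a constructed choice).
from itertools import product

def em(s):  return len(s) == 0
def amb(s):                                          # partial: defined iff not em(s)  (A5)
    if em(s):
        raise ValueError("amb undefined on the empty dictionary")
    return s[-1]
def in_(e, s):  return s + [e]                       # appending may create duplicates
def del_(e, s): return [x for x in s if x != e]      # removes every copy of e

def mb(e, s):
    """Axiom A2 as a program: scan by repeated amb/del until e is found."""
    s1, bool_ = s, False
    while not em(s1) and not bool_:
        e1 = amb(s1)
        bool_ = (e1 == e)
        s1 = del_(e1, s1)
    return bool_

def eq(s, s_):
    """Definition 3.1: remove common elements until one side is exhausted."""
    s1, s2, boo = s, s_, True
    while boo and not em(s1) and not em(s2):
        e1 = amb(s1)
        boo = boo and mb(e1, s2)
        if boo:
            s1 = del_(e1, s1)
            s2 = del_(e1, s2)
    return boo and em(s1) and em(s2)

def a1_iterations(s):
    """Axiom A1: the emptying loop terminates; return its iteration count."""
    n = 0
    while not em(s):
        s = del_(amb(s), s)
        n += 1
    return n

def check_axioms(universe, max_len=3):
    """Check A1, A3, A4, A5 and Proposition 3.6 for every list over `universe`
    of length <= max_len.  Returns True iff no counterexample is found."""
    samples = [list(t) for n in range(max_len + 1) for t in product(universe, repeat=n)]
    for s in samples:
        a1_iterations(s)                                       # A1: must return
        for e in universe:
            s_in, s_del = in_(e, s), del_(e, s)
            if not mb(e, s_in) or mb(e, s_del):                # A3, A4: first conjuncts
                return False
            for e_ in universe:                                # A3, A4: other elements unchanged
                if e_ != e and (mb(e_, s) != mb(e_, s_in) or mb(e_, s) != mb(e_, s_del)):
                    return False
        if not em(s) and not mb(amb(s), s):                    # A5 with Proposition 3.3
            return False
        for t in samples:                                      # Proposition 3.6
            if eq(s, t) != all(mb(e, s) == mb(e, t) for e in universe):
                return False
    return True
```

Because del removes all copies and mb only asks whether an element is present, eq computed by Definition 3.1 coincides with extensional equality even though the lists [1, 2] and [2, 1, 1] are different representations; that is exactly what the check of Proposition 3.6 confirms.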

Proposition 3.5. Let K denote the program in the preceding definition.
We then have ATD ⊢ K true.
The proof is similar to that of Proposition 3.1. □

The following proposition is crucial in our proof of the representation
theorem for dictionaries. For this reason we give a detailed, almost
formal proof.

Proposition 3.6.
ATD ⊢ eq(s, s') ≡ (∀e)(mb(e, s) ≡ mb(e, s')).
Proof. We shall prove the implication from left to right. It will
suffice to prove
(1) ATD ⊢ (eq(s, s') ⇒ (∀e)(mb(e, s) ≡ mb(e, s'))).
Let us assume the following abbreviations:
γ: (boo ∧ ¬em(s1) ∧ ¬em(s2)),
α: (boo ∧ em(s1) ∧ em(s2)),
M: begin
e1 := amb(s1); boo := boo ∧ mb(e1, s2);
if boo then
s1 := del(e1, s1);
s2 := del(e1, s2)
fi
end,
I: begin s1 := s; s2 := s'; boo := true end.
With these abbreviations we can rewrite Definition 3.1 as
eq(s, s') ≡ I(while γ do M od α).
Observe that
⊢ (¬γ ∧ α) ≡ α.
We shall prove the following claim: for every i ∈ N
(2) ATD ⊢ (I(if γ then M fi)ⁱ(¬γ ∧ α) ⇒ (∀e)(mb(e, s) ≡ mb(e, s'))).
The implication (1) follows from claim (2) by the ω-rule.
The proof of (2) will proceed by induction on i. For i = 0 we have
for every s,
ATD ⊢ (em(s) ⇒ (mb(e, s) ≡ false))
and
ATD ⊢ (I(em(s1) ∧ em(s2)) ≡ (mb(e, s) ≡ mb(e, s')))
hence
ATD ⊢ (Iα ⇒ (∀e)(mb(e, s) ≡ mb(e, s'))).
Now assume that (2) holds for all j ≤ i and consider the formula
(3) I(if γ then M fi)ⁱ⁺¹(¬γ ∧ α).
By the axiom of algorithmic logic
if γ then M fi β ≡ (γ ∧ Mβ ∨ ¬γ ∧ β)
it is equivalent to
I(γ ∧ M(if γ then M fi)ⁱα ∨ ¬γ ∧ (if γ then M fi)ⁱα).
Applying the axioms
K(β ∨ β') ≡ (Kβ ∨ Kβ') and K(β ∧ β') ≡ (Kβ ∧ Kβ')
we obtain another equivalent of (3)
(¬em(s) ∧ ¬em(s') ∧ I(M(if γ then M fi)ⁱα)) ∨
∨ ((em(s) ∨ em(s')) ∧ I(if γ then M fi)ⁱα).
Let us denote the first part of the above alternative by (4) and the second
part by (5).
Observe that (4) is equivalent to the disjunction of (6) and (7)
(6) (¬em(s) ∧ ¬em(s') ∧ I(boo ∧ mb(amb(s), s2) ∧
∧ begin s1 := del(amb(s), s1); s2 := del(amb(s), s2) end
(if γ then M fi)ⁱα)),
(7) (¬em(s) ∧ ¬em(s') ∧ I(¬(boo ∧ mb(amb(s), s2)) ∧
∧ begin e1 := amb(s1); boo := boo ∧ mb(e1, s2) end (if γ
then M fi)ⁱα)).
Formula (6) can be transformed to
(8) (¬em(s) ∧ ¬em(s') ∧ mb(amb(s), s') ∧
∧ begin s1 := del(amb(s), s); s2 := del(amb(s), s');
boo := true end (if γ then M fi)ⁱα).
Making use of the induction assumption we obtain that (8) implies
the following formula:
(9) (¬em(s) ∧ ¬em(s') ∧ mb(amb(s), s') ∧
∧ (∀e)(mb(e, del(amb(s), s)) ≡ mb(e, del(amb(s), s')))).
Let us now consider formula (7). If i = 0 then (7) is equivalent to
false. Assume that i ≥ 1; then (7) is equivalent to the following formula:
(10) (¬em(s) ∧ ¬em(s') ∧ ¬mb(amb(s), s') ∧
∧ N(γ ∧ M(if γ then M fi)ⁱ⁻¹α ∨ ¬γ ∧ (if γ then M fi)ⁱ⁻¹α)),
where
N = begin s1 := s; s2 := s'; boo := true; e1 := amb(s1);
boo := boo ∧ mb(e1, s2) end.
Observe that
⊢ Nγ ≡ (mb(amb(s), s') ∧ ¬em(s) ∧ ¬em(s'))
and
⊢ (¬γ ∧ (if γ then M fi)ⁱ⁻¹α) ≡ (¬γ ∧ α).
From this we conclude that (10) is equivalent to
(¬mb(amb(s), s') ∧ em(s) ∧ em(s') ∧ ¬em(s) ∧ ¬em(s')),
i.e. (10) is equivalent to false.
Hence we have proved that (4) implies the following formula
(¬em(s) ∧ ¬em(s') ∧ mb(amb(s), s') ∧
∧ (∀e)(mb(e, del(amb(s), s)) ≡ mb(e, del(amb(s), s')))).
By axiom A4 we have
(∀e ≠ amb(s)) mb(e, del(amb(s), s)) ≡ mb(e, s) and
(∀e ≠ amb(s)) mb(e, del(amb(s), s')) ≡ mb(e, s')
and therefore (4) implies
(11) (¬em(s) ∧ ¬em(s') ∧ (∀e)(mb(e, s) ≡ mb(e, s'))).
Now consider (5), the second part of the disjunction (3). By the
inductive assumption it follows that (5) implies
(12) ((em(s) ∨ em(s')) ∧ (∀e)(mb(e, s) ≡ mb(e, s'))).
Finally, from (11) and (12) we have that (3) implies
(∀e)(mb(e, s) ≡ mb(e, s')).
This ends the inductive proof of claim (2). □

Proposition 3.7. The following formulas are theorems of ATD theory
(a) (∀s) eq(s, s),
(b) (∀s, s')(eq(s, s') ⇒ eq(s', s)),
(c) (∀s, s', s'')(eq(s, s') ∧ eq(s', s'') ⇒ eq(s, s'')). □

As a consequence of Definition 3.1 we can prove the following results:

Proposition 3.8. For every e, e' ∈ E and for every s, s' ∈ S:
ATD ⊢ ((e = e' ∧ eq(s, s')) ⇒ eq(in(e, s), in(e', s'))),
ATD ⊢ (eq(s, s') ⇒ em(s) ≡ em(s')),
ATD ⊢ (e = e' ∧ eq(s, s') ⇒ eq(del(e, s), del(e', s'))),
ATD ⊢ eq(in(e, del(e, s)), s),
ATD ⊢ (em(s) ⇒ amb(in(e, s)) = e),
ATD ⊢ ¬em(in(e, s)),
ATD ⊢ eq(del(e, in(e, s)), s),
ATD ⊢ (¬eq(s, s') ∧ ¬mb(e, s) ∧ ¬mb(e, s') ⇒ ¬eq(in(e, s), in(e, s'))),
ATD ⊢ (mb(e, s) ≡ eq(s, in(e, s))). □

4. REPRESENTATION THEOREM FOR MODELS OF ATD

Making use of the facts observed earlier we shall prove that every
model of ATD is isomorphic with another standard, set-theoretical
model. In this way we show that our choice of specific axioms of ATD
was right.

Definition 4.1. We shall say that a model B of ATD
$B = \langle E \cup S, \mathrm{in}_B, \mathrm{del}_B, \mathrm{amb}_B, \mathrm{mb}_B, \mathrm{em}_B, =_E \rangle$
is an ST model (the abbreviation standing for set-theoretical or standard)
iff it has the following properties:
1° the set S consists of all finite subsets of E
S = Fin(E),
2° the operations in the model B are set-theoretical, i.e. for every
e ∈ E, for every s ∈ S
$\mathrm{in}_B(e, s) = s \cup \{e\}$,
$\mathrm{del}_B(e, s) = s - \{e\}$,
$\mathrm{mb}_B(e, s) \equiv e \in s$,
$\mathrm{em}_B(s) \equiv s = \emptyset$. □

Theorem 4.1. For every model $A = \langle E \cup S, \mathrm{in}, \mathrm{del}, \mathrm{amb}, \mathrm{mb}, \mathrm{em}, =_E \rangle$
of ATD, proper for identity, there exists an ST model B of ATD
with the same set E of elements. The systems A and B are isomorphic
modulo the amb operation, i.e. the reducts A' and B'
$A' = \langle E \cup S, \mathrm{in}, \mathrm{del}, \mathrm{mb}, \mathrm{em}, =_E \rangle$,
$B' = \langle E \cup \mathrm{Fin}(E), \mathrm{in}_B, \mathrm{del}_B, \mathrm{mb}_B, \mathrm{em}_B, =_E \rangle$
are isomorphic.
Proof. We shall first construct the system B' and prove its properties.
Next, we shall discuss the possibility of extension of B' by a proper
operation amb to a model of ATD.
With every s ∈ S we associate the set h(s)
h(s) = {e ∈ E: mb(e, s)}.
The set h(s) is finite by the axioms A1 and A4, since the sequence {eᵢ}
defined below contains all elements of h(s) without repetition.
The sequence is defined by the following algorithm:
Initialization: Put i = 0 and seq = empty sequence.
WHILE the set s is not empty REPEAT the following
instructions
PUT eᵢ₊₁ = amb(s),
ADJOIN the element eᵢ₊₁ to the sequence seq,
REPLACE s by del(amb(s), s).
The mapping
h: S → Fin(E)
is onto, since for a given set {e₁, ..., eₙ} we can consider the element
defined by the following term:
begin while ¬em(s) do s := del(amb(s), s) od;
s := in(e₁, s); ...; s := in(eₙ, s)
end s.
The mapping h is a one-to-one mapping. For the proof use Proposition
3.6. Suppose ¬eq(s, s'); then (∃e)(mb(e, s) ∧ ¬mb(e, s')) or, symmetrically,
(∃e)(¬mb(e, s) ∧ mb(e, s')).
It is easy to verify that
h(in(e, s)) = h(s) ∪ {e} by axiom A3 and Proposition 3.6,
h(del(e, s)) = h(s) − {e} by axiom A4 and Proposition 3.6,
mb(e, s) ≡ e ∈ h(s) by the definition of h(s),
em(s) ≡ h(s) = ∅ by Proposition 3.4.
This ends the first part of the proof. We have constructed a system B'
isomorphic to the reduct A'.
Now, we have to extend B' by an appropriate operation amb. This
can be done if we accept the axiom of choice. The statement asserting
the existence of a selector from the family Fin(E) is the formulation
of the axiom of choice AC. □
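An added example, not from the book, for the representation map h of Theorem 4.1: a model of ATD whose dictionaries are integer bit masks over a constructed universe E = {0, ..., 5}, the sequence e₁, e₂, ... of the proof computed by the amb/del loop, and an exhaustive check that h is a bijection onto Fin(E) commuting with in, del, mb and em. Here amb selects the element of lowest index; since E is linearly ordered this selector needs no choice axiom, in line with the note following the theorem. The encoding and the selector are assumptions of this example, not the authors' construction.

```python
# Added example (not the book's code): a bit-mask model of ATD and the map h
# of Theorem 4.1.  A dictionary s over E = {0, ..., WIDTH-1} is an int whose
# bit e is set iff e is a member; amb picks the lowest set bit (a constructed,
# deterministic selector).
WIDTH = 6
E = range(WIDTH)

def em(s):      return s == 0
def mb(e, s):   return (s >> e) & 1 == 1
def in_(e, s):  return s | (1 << e)
def del_(e, s): return s & ~(1 << e)
def amb(s):
    if em(s):
        raise ValueError("amb undefined on the empty dictionary")
    return (s & -s).bit_length() - 1          # index of the lowest set bit

def h(s):
    """h(s) = {e in E : mb(e, s)}, enumerated by the sequence e_1, e_2, ... of
    the proof: PUT e_{i+1} = amb(s), ADJOIN it, REPLACE s by del(amb(s), s)."""
    seq = []
    while not em(s):
        e_next = amb(s)
        seq.append(e_next)
        s = del_(amb(s), s)
    assert len(seq) == len(set(seq))          # the sequence has no repetition
    return frozenset(seq)

def build(elements):
    """The term of the surjectivity argument: empty s by the A1 loop, then
    insert e_1, ..., e_n.  Starting from the full mask shows the loop really
    does the emptying."""
    s = (1 << WIDTH) - 1
    while not em(s):
        s = del_(amb(s), s)
    for e in elements:
        s = in_(e, s)
    return s

def check_representation():
    """h is a bijection S -> Fin(E) that commutes with in, del, mb and em."""
    for s in range(1 << WIDTH):               # every dictionary of the model
        hs = h(s)
        if hs != {e for e in E if mb(e, s)}:  # mb(e, s) iff e in h(s)
            return False
        if em(s) != (hs == frozenset()):      # em(s) iff h(s) is empty
            return False
        for e in E:
            if h(in_(e, s)) != hs | {e}:      # h(in(e, s)) = h(s) u {e}
                return False
            if h(del_(e, s)) != hs - {e}:     # h(del(e, s)) = h(s) - {e}
                return False
        if build(hs) != s:                    # build is a left inverse of h:
            return False                      # h is one-to-one and onto Fin(E)
    return True
```

The model is proper for identity (two equal masks are the same integer), which is the hypothesis under which the theorem guarantees that h(s) is finite; here finiteness is visible directly, as every h(s) has at most WIDTH elements.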

Note that in frequently occurring cases there is no need for the application
of AC, e.g. in the situation where the set E is linearly ordered,
or if there exists an enumeration of the elements of E.
The assumption that a model of ATD is proper for identity is important.
Without it one can construct a counterexample such that
the set h(s) is infinite.
On the other hand, it is not difficult to prove that for every model $\mathfrak{M}$
of ATD one can construct an equivalent model $\mathfrak{M}' = \mathfrak{M}/(=, \mathrm{eq})$ proper
for identity.

5. ON COMPLEXITY OF ATD

Here we shall consider some problems related to the complexity of the
set of theorems of ATD and its extensions. We shall show that ATD
is an undecidable theory. Later two different extensions of the theory
will be presented. The theory of dictionaries over finite universes FATD
can be axiomatized and we shall remark that FATD is the complement
of a recursively enumerable set. The theory of dictionaries over the
infinite set of natural numbers is of very high degree of undecidability,
namely $\Pi^1_1$.
We begin with the criterion of undecidability of algorithmic theories.
Let L be a fixed algorithmic language. For every program M of the
form while γ do K od we define the sequence of formulas $\{\alpha^M_i\}_{i \in N}$
such that
$\alpha^M_0 = \neg\gamma$,
$\alpha^M_i = (\mathrm{if}\ \gamma\ \mathrm{then}\ K\ \mathrm{fi})^{i-1}(\gamma \wedge K\neg\gamma)$ for i > 0.

It is easy to observe that for every natural number i > 0
$\vdash \alpha^M_i \equiv (\gamma \wedge K\gamma \wedge \ldots \wedge K^{i-1}\gamma \wedge K^i\neg\gamma)$.
Hence, for every data structure $\mathfrak{A}$, for every valuation v and for an arbitrary
natural number n, formula $\alpha^M_n$ is satisfied in $\mathfrak{A}$ by the valuation v
iff the computation of the program M in the structure $\mathfrak{A}$ at the valuation
v ends after exactly n iterations of program K. Let x = {x₁, ..., xₘ}
be the set of all variables occurring in M.
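An added example (not the book's code) that evaluates the formulas $\alpha^M_n$ literally, by unfolding (if γ then K fi)ⁿ⁻¹(γ ∧ K¬γ) step by step, for the program M = while ¬em(s) do s := del(amb(s), s) od over finite sets, and compares the result with the operational count of loop iterations, confirming the equivalence just stated for every subset of a small universe. The finite-set model, amb = min and the sample universe are constructed assumptions.

```python
# Added example, not from the book: alpha_n^M computed from its definition and
# checked against the number of iterations of M = while ~em(s) do s := del(amb(s), s) od.
# States are frozensets over a constructed universe; amb = min is a constructed choice.
from itertools import combinations

def em(s):      return len(s) == 0
def amb(s):     return min(s)
def del_(e, s): return s - {e}

def guard(s):   return not em(s)                  # gamma
def step(s):    return del_(amb(s), s)            # one execution of K

def alpha(n, s):
    """alpha_n^M at the valuation s, by the definition:
    alpha_0 = ~gamma;  alpha_n = (if gamma then K fi)^(n-1)(gamma and K ~gamma) for n > 0."""
    if n == 0:
        return not guard(s)
    for _ in range(n - 1):                        # (if gamma then K fi)^(n-1)
        if guard(s):
            s = step(s)
    return guard(s) and not guard(step(s))        # gamma and K ~gamma

def iterations(s):
    """Operational side: how many times K is executed before M halts."""
    n = 0
    while guard(s):
        s = step(s)
        n += 1
    return n

def check(universe=frozenset({1, 2, 3, 4})):
    """alpha_n^M holds at s iff the computation of M at s ends after exactly
    n iterations, for every subset s of `universe` and every n up to |E| + 1."""
    subsets = [frozenset(c) for k in range(len(universe) + 1)
               for c in combinations(sorted(universe), k)]
    return all(alpha(n, s) == (iterations(s) == n)
               for s in subsets for n in range(len(universe) + 2))
```

For this M the formula $\alpha^M_n$ simply says "s has exactly n elements", which is why an n-element set E yields a model of ATD together with $(\exists s)\alpha^M_n(s)$ in the undecidability argument that follows.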

Theorem 5.1. Let T = ⟨L, C, A⟩ be an algorithmic theory and let M
be a program of the form while γ do K od. If for every natural number n
the theory $T_n = \langle L, C, A \cup \{(\exists x)\alpha^M_n(x)\} \rangle$ is consistent then T is undecidable.
For the proof see Danko (1980). □

The above criterion can be applied to ATD theory. Let M be the
program
while ¬em(s) do s := del(amb(s), s) od.
For every set consisting of the set of axioms of ATD and of the formula
$(\exists s)\alpha^M_n(s)$ there exists a model. It suffices to consider an n-element
set E. Therefore the theory of dictionaries is undecidable.
Let us mention that the following formula
(∃s)(∀e) eq(s, in(e, s))
is valid in those models of ATD only for which the set E is finite. Denote
by FATD the theory which has as specific axioms all axioms of ATD
and the above formula.

Proposition 5.2. The theory FATD is the complement of a recursively
enumerable set.
Proof. It is not difficult to observe that the set of theorems of FATD
is at most a $\Pi^0_1$ set. Making use of the Completeness Theorem for algorithmic
logic we observe that the following conditions are equivalent:
(i) α is a theorem of FATD,
(ii) α is valid in every model of ATD which is finite.
All finite models can be enumerated and there exists a decision method
for testing the validity of an algorithmic formula in a finite universe
(cf. Grabowski, 1972). Hence, if α is not a theorem then in finitely
many steps we shall find a counterexample. The set of theorems is an
at most $\Pi^0_1$ set, the complement of a recursively enumerable set. By application
of Theorem 5.1 it is an undecidable set, hence it is a $\Pi^0_1 - \Sigma^0_1$ set. □

On the other hand there exists an extension of ATD which does
not belong to any arithmetical class; the set of the theorems in this
case lies in $\Pi^1_1$, i.e. it is an analytical set. Consider the extension of ATD
which results by adding two additional non-logical functors. We admit
a constant 0 (zero) of sort E and a one-argument functor succ (successor)
succ: E → E.
The axioms of the extended theory NATD will be the axioms of dictionaries
and the following:
¬(succ(e) =_E 0),
succ(e) =_E succ(e') ⇒ e =_E e',
(e' := 0) while ¬(e =_E e') do e' := succ(e') od true.
Making use of standard techniques of recursion theory (cf. Rogers,
1967) one can prove:

Theorem 5.3. The set of theorems of the above-mentioned theory
NATD is a $\Pi^1_1$ set.

Sketch of the proof. Every model of NATD is isomorphic to the
standard model of arithmetic of natural numbers with operations
insert, delete, member fixed as corresponding set-theoretical operations
(cf. § 4 of this chapter). Any two models of NATD can differ only in
the interpretation of the amember operation. Let us denote a model of
NATD by $N_f$, for N is the set of elements and the amember operation f
distinguishes it from other models. The following remark suffices:
for every formula α, α is a theorem of NATD iff for every function
f such that $N_f$ is a model of NATD, $N_f \models \alpha$.
The relation “α is valid in the structure $N_f$” is not in any arithmetical
class. In fact it is a hyperarithmetical relation R(f, α); it includes the
hyperarithmetical relation “α is valid in the standard model of natural
numbers”. Therefore α is a theorem of NATD if and only if the formula
$(\forall f)\, R(f, \alpha)$ holds, i.e. the set of theorems of NATD is a $\Pi^1_1$ set. □

6. THE THEORY OF PRIORITY QUEUES

Priority queues are similar to dictionaries. We assume additionally that elements of sort E are linearly ordered. Instead of the operator of non-deterministic choice amember for dictionaries, the structure of priority queues admits the operation min which for any priority queue gives the least element contained in it. There are many implementations of priority queues. Hence we shall think of a class of priority queues, much as one thinks of classes of groups, of rings, etc.

Definition 6.1. A data structure is called a priority queue whenever its universe consists of the two disjoint subsets
E and S
called sort E and sort S, and has the following operations:
insert: E × S → S,
delete: E × S → S,
min: S → E,
member: E × S → B₀,
empty: S → B₀,
≤: E × E → B₀,
and is such that the following axioms are valid in the structure:
PQ1 the set E is linearly ordered by the relation ≤,
PQ2 while ~ empty(s) do s := delete(min(s), s) od true,
PQ3 (~ empty(s) ⇒ ((∀e) member(e, s) ⇒ min(s) ≤ e)),
PQ4 member(e, insert(e, s)),
PQ5 (e ≠ e' ⇒ (member(e', s) ≡ member(e', insert(e, s)))),
PQ6 ~ member(e, delete(e, s)),
PQ7 (e ≠ e' ⇒ (member(e', s) ≡ member(e', delete(e, s)))),
PQ8 member(e, s) ≡ begin s1 := s; bool := false;
while ~ empty(s1) ∧ ~ bool do
e1 := min(s1);
bool := (e1 = e);
s1 := delete(e1, s1);
od
end bool.
We assume also the usual axioms of identity =. □
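As an added example (not part of the book), the standard model of Definition 6.1 in Python: finite subsets of an ordered set E as frozensets, the PQ8 program transcribed as written, and a checker that evaluates PQ2-PQ8 on a finite sample. The `minimum`, `bound` and `check_axioms` names are our own; PQ1 is the total order Python already has on the sample.

```python
from itertools import combinations

def insert(e, s):
    """insert: E x S -> S on the standard model: finite subsets of E as frozensets."""
    return s | {e}

def delete(e, s):
    return s - {e}

def member(e, s):
    return e in s

def empty(s):
    return len(s) == 0

def member_by_program(e, s, minimum=min):
    """PQ8: membership computed only with min, delete and empty, exactly as the
    axiom's program does: empty the queue in min-order until e is met."""
    s1, found = s, False
    while not empty(s1) and not found:
        e1 = minimum(s1)
        found = (e1 == e)
        s1 = delete(e1, s1)
    return found

def pq2_terminates(s, minimum=min, bound=10_000):
    """PQ2: while ~empty(s) do s := delete(min(s), s) od  halts.  The bound only turns
    a would-be non-termination (a min that is not in s) into a visible failure."""
    steps = 0
    while not empty(s):
        s = delete(minimum(s), s)
        steps += 1
        if steps > bound:
            return False
    return True

def finite_subsets(E):
    for k in range(len(E) + 1):
        for chosen in combinations(E, k):
            yield frozenset(chosen)

def check_axioms(E, minimum=min):
    """Evaluate PQ2-PQ8 for all e, e' in E and all finite s ⊆ E (constructed sample).
    `minimum` is the interpretation of min under test; returns the violated axioms."""
    violated = set()
    for s in finite_subsets(E):
        if not pq2_terminates(s, minimum):
            violated.add("PQ2")
        if not empty(s) and any(member(e, s) and not minimum(s) <= e for e in E):
            violated.add("PQ3")
        for e in E:
            if not member(e, insert(e, s)):
                violated.add("PQ4")
            if member(e, delete(e, s)):
                violated.add("PQ6")
            if member(e, s) != member_by_program(e, s, minimum):
                violated.add("PQ8")
            for e2 in E:
                if e2 != e and member(e2, s) != member(e2, insert(e, s)):
                    violated.add("PQ5")
                if e2 != e and member(e2, s) != member(e2, delete(e, s)):
                    violated.add("PQ7")
    return sorted(violated)
```

With `minimum=max` only PQ3 is reported: the PQ8 program computes membership correctly in whatever order the queue is emptied, so it is PQ3 that pins min down.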

Repeating the arguments of the preceding sections with the necessary alterations we can prove the following theorem:

Theorem 6.1 (Representation Theorem). Every model 𝔐 of the algorithmic theory of priority queues proper for identity is isomorphic to a standard one, that is
⟨E ∪ Fin(E), f₁, f₂, f₃, r₁, r₂, ≤, =⟩
where Fin(E) is the family of all finite subsets of E,
f₁(e, s) = s ∪ {e}, r₁(e, s) ≡ e ∈ s,
f₂(e, s) = s − {e}, r₂(s) ≡ s = ∅,
f₃(s) = the least element of s.
The proof is a mutation of the proof of the Representation Theorem for Dictionaries. As we remarked before, the proof does not make use of the axiom of choice, due to the assumption that the set E is linearly ordered. □

7. THE THEORY OF NATURAL NUMBERS

The structure
𝔑 = ⟨N, 0, s, =⟩
of natural numbers with 0—a zero-argument operation, s—a one-argument operation and identity is axiomatized by the following axioms AxAr:
(∀x) ~ s(x) = 0,
(∀x, y)(s(x) = s(y) ⇒ x = y),
(∀y)(x := 0)(while ~ x = y do x := s(x) od (x = y)).

Theorem 7.1. Every model 𝔐 of AxAr is isomorphic with the standard model of the Peano axioms, i.e. the algorithmic theory of natural numbers is categorical (cf. Chapter II, Theorem 4.2). □

We are now going to prove that every instance of the scheme of induction is a theorem of an algorithmic theory of natural numbers. First, let us remark that classical quantifiers can be replaced by formulas with programs and iteration quantifiers
(∀x)α(x) ≡ (x := 0)⋂(x := s(x))α(x),
(∃x)α(x) ≡ (x := 0)⋃(x := s(x))α(x),
assuming that x is free in α and never occurs on the left-hand side of an assignment in α.
In the case where α is an open formula we can prove that
(∃x)α(x) ≡ (x := 0)(while ~ α(x) do x := s(x) od true).
All three equivalences can be proved formally from the AxAr axioms. Indeed, all the equivalences are valid in the standard model of the AxAr axioms. By categoricity they are valid in every model of AxAr, hence they are provable from AxAr (by completeness of AL).
Now, let us recall that every formula of the following scheme
(α ∧ ⋂K(α ⇒ Kα)) ⇒ ⋂Kα
is a theorem of algorithmic logic (cf. Chapter II, § 7).
By the rule
α, K true
----------
Kα
we have
(x := 0)((α(x) ∧ ⋂(x := s(x))(α(x) ⇒ (x := s(x))α(x))) ⇒ ⋂(x := s(x))α(x)).
Distributing the assignment x := 0 over implication and conjunction we obtain
((x := 0)α(x) ∧ (x := 0)⋂(x := s(x))(α(x) ⇒ (x := s(x))α(x)) ⇒ (x := 0)⋂(x := s(x))α(x))
which is equivalent to the scheme of induction
(α(x/0) ∧ (∀x)(α(x) ⇒ α(x/s(x))) ⇒ (∀x)α(x)).
Hence we have proved the following proposition:

Proposition 7.2. Every instance of the scheme of induction is a theorem of the algorithmic theory of natural numbers. □

Observe that in the algorithmic theory of natural numbers the operations of addition and multiplication are definable by explicit definition. In any first-order arithmetic these operations are defined implicitly by the recursive equations:
x + 0 = x,
x + s(y) = s(x + y),
x · 0 = 0,
x · s(y) = x · y + x.
We shall give an algorithmic definition of the + operation below:
(add) (∀x, y) x + y = (u := 0)((t := x)(while ~ u = y do u := s(u); t := s(t) od t)).
We shall now prove that this definition correctly defines addition.

Theorem 7.3. The operation of addition is well defined by the above algorithmic definition, i.e.:
(a) AxAr ⊢ (u := 0)((t := x)(while ~ u = y do u := s(u); t := s(t) od true)),
(b) AxAr ∪ {add} ⊢ x + 0 = x,
(c) AxAr ∪ {add} ⊢ x + s(y) = s(x + y).
Proof. The proof of (a), i.e., that the program occurring in the definition (add) always terminates, is easy and resembles the proof of Proposition 3.1.
(b) The proof of x + 0 = x makes use of the logical axiom
while γ do K od α ≡ (~ γ ∧ α) ∨ (γ ∧ K(while γ do K od α)),
hence
x + 0 = (u := 0)((t := x)(if ~ u = 0 then u := s(u); t := s(t) fi (while ~ u = 0 do u := s(u); t := s(t) od t))).
Applying the axiom
(if γ then K else M fi α) ≡ ((γ ∧ Kα) ∨ (~ γ ∧ Mα))
and observing that
(u := 0)((t := x) ~ u = 0) ≡ ~ 0 = 0,
we obtain
AxAr ∪ {add} ⊢ x + 0 = (u := 0)((t := x) t),
AxAr ∪ {add} ⊢ x + 0 = x.
(c) In the proof we shall use the following lemma:

Lemma 7.4. Let K and M be programs written in the language of arithmetic. Let the variables y, w not appear in the program M and let
AxAr ∪ {add} ⊢ K(u = 0),
AxAr ∪ {add} ⊢ (u = w) ⇒ M(u = s(w)),
i.e. the program K zeroes the variable u, and the program M increases the value of u by 1.
The following programs are then equivalent:
M₁: begin K; while ~(u = s(y)) do M od end
and
M₂: begin K; while ~(u = y) do M od; M end,
i.e. for every formula α the equivalence M₁α ≡ M₂α holds in 𝔑. □

Making use of the definition (add) we have
x + s(y) = begin t := x; u := 0; while ~ u = s(y) do t := s(t); u := s(u) od end t.
By Lemma 7.4, x + s(y) is equal to
begin t := x; u := 0; while ~ u = y do t := s(t); u := s(u) od; t := s(t); u := s(u) end t.
Applying the axiom of assignment (z := τ)α(z) ≡ α(z/τ) we obtain
x + s(y) = begin t := x; u := 0; while ~ u = y do t := s(t); u := s(u) od end s(t).
By the fact
Kφ(τ) = φ(Kτ)
we have
x + s(y) = s(begin t := x; u := 0; while ~ u = y do t := s(t); u := s(u) od end t)
and finally
x + s(y) = s(x + y).
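The programs of this section run on the standard model, as an added example that is not the book's code: `add` is the program (add), `mul` is an analogous explicit program of our own construction (the book only states that one exists), and `run_m1`/`run_m2` execute the schemes M₁ and M₂ of Lemma 7.4 for programs K, M given as Python functions on valuations. All function names are ours.

```python
ZERO = 0

def s(n):
    """The successor functor of AxAr; the only way numbers are built here."""
    return n + 1

def add(x, y):
    """(add): x + y = (u := 0)((t := x)(while ~u = y do u := s(u); t := s(t) od t)).
    u counts up to y while t starts at x, so the loop body runs exactly y times."""
    u, t = ZERO, x
    while not u == y:
        u = s(u)
        t = s(t)
    return t

def mul(x, y):
    """Explicit program for multiplication in the same style (our construction):
    every round adds x once more, using the add program."""
    u, t = ZERO, ZERO
    while not u == y:
        u = s(u)
        t = add(t, x)
    return t

def run_m1(K, M, y, state):
    """M1: begin K; while ~(u = s(y)) do M od end.  K and M map a valuation (a dict
    of program variables) to the new valuation."""
    state = K(dict(state))
    while not state["u"] == s(y):
        state = M(state)
    return state

def run_m2(K, M, y, state):
    """M2: begin K; while ~(u = y) do M od; M end."""
    state = K(dict(state))
    while not state["u"] == y:
        state = M(state)
    return M(state)

def K_zero(state):
    """A program K satisfying K(u = 0): it zeroes the counter u."""
    state["u"] = ZERO
    return state

def M_step(state):
    """A program M satisfying (u = w) => M(u = s(w)): it increments u (and t, as the
    loop body of (add) does)."""
    state["u"] = s(state["u"])
    state["t"] = s(state["t"])
    return state

def lemma_7_4_holds(y, x):
    """Lemma 7.4 for the K, M of the addition program: both schemes end in the same
    valuation, in particular with t = x + s(y)."""
    start = {"u": None, "t": x}
    return run_m1(K_zero, M_step, y, start) == run_m2(K_zero, M_step, y, start)

def theorem_7_3_holds(bound):
    """(b) x + 0 = x and (c) x + s(y) = s(x + y) on the standard model, plus the
    recursive equation x · s(y) = x · y + x for the mul program, for all x, y < bound."""
    for x in range(bound):
        if add(x, ZERO) != x:
            return False
        for y in range(bound):
            if add(x, s(y)) != s(add(x, y)):
                return False
            if mul(x, s(y)) != add(mul(x, y), x):
                return False
    return True
```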

Similarly, one proves that the multiplication operation can be defined by an algorithm in an explicit way. Hence the algorithmic arithmetic of addition and multiplication is a conservative extension of the algorithmic theory of natural numbers. All proofs of Peano arithmetic can be reproduced in this theory.
Let us conclude with two observations.
Let us conclude with two observations.

Lemma 7.5. The sets of partial recursive functions and of programmable functions are equal. □

Lemma 7.6. Weak second-order arithmetic and the algorithmic theory of natural numbers are equivalent, i.e. there are translations enabling one to replace every formula of one theory by an equivalent one from the other. □

8. STACKS

The universe of a data structure of stacks consists of the two disjoint sets E and S. Elements of S will be called stacks, while elements of the set E will simply be called elements. The primary relations and operations of a system of stacks are as follows:
= identity in E,
empty, a distinguished subset of S, empty ⊆ S,
push: E × S → S,
pop: S − empty → S,
top: S − empty → E.
Any relational system with a similar signature will be called a data system of stacks provided that it satisfies the following postulates:
(P1) For every stack s there exists an iteration of the pop operation such that the result is empty
(∀s ∈ S)(∃i ∈ N) empty(popⁱ(s)).
(P2) For every non-empty stack s,
s is equal to push(top(s), pop(s)).
For every element e and for every stack s:
(P3) e = top(push(e, s)).
(P4) s is equal to pop(push(e, s)).
(P5) ~ empty(push(e, s)).

Below we shall present a formalized theory of relational systems of stacks. In order to express properties (P1)-(P5) we shall use the language of algorithmic logic, and the phrase the stack s is equal to the stack s' will be replaced by s = s', making use of its algorithmic definition.
Let us note that the postulate (P1) may be informally stated:

(P1') (∀s)(s = ∅ ∨ (∃e) s = push(e, ∅) ∨ (∃e, e') s = push(e', push(e, ∅)) ∨ ...),

where ∅ denotes a stack such that empty(∅).
Let E be an arbitrary set. By the standard system 𝔖 of stacks over E we shall mean the system
⟨E ∪ FSeq(E), precede, delete-first, first, =, ∅⟩
in which stacks are the finite sequences of elements of the set E. The operation precede(e, s) gives as a result the one-element sequence {e} concatenated with the sequence s. The delete-first operation and the first operation are self-explaining. A stack s is empty iff s is the empty sequence.
We shall prove below that every system of stacks 𝔖 is isomorphic to the standard system of stacks over the set E of elements of the system 𝔖.
The complexity of the ATS theory is not less than the complexity of the algorithmic arithmetic of natural numbers, since the latter theory may be interpreted in ATS.

9. THE THEORY OF STACKS

In the algorithmic theory of stacks, ATS, the properties of operations on stacks are considered from an axiomatic point of view. We assume certain axioms about the push, pop and top operations, knowing nothing about the elements to be placed in the stacks or the implementation of the operations. Accordingly, the ATS theory has many different models. Two examples will illustrate the difference in approach. For a mathematician, stacks are nothing more than finite sequences of elements; operations on them are always performed at one end of the sequence in question, say on the left. For a computer scientist a stack denotes the chain of objects depicted in Figure 8.1.

Fig. 8.1

An execution of the s' := push(e, s) instruction leads to a new configuration of objects, as shown in Figure 8.2.

Fig. 8.2

The alphabet of the theory of stacks contains:
(a) variables:
the set V_E of individual variables of type E,
the set V_S of individual variables of type S,
the set of propositional variables V₀;
(b) predicates:
empty one-argument predicate of type (S),
=_E two-argument predicate of type (E × E),
=_S two-argument predicate of type (S × S);
(c) functors:
push two-argument functor of type (E × S → S),
pop one-argument functor of type (S → S),
top one-argument functor of type (S → E);
(d) logical and program connectives and auxiliary signs.

Variables of the set V_E will be denoted by e, e', e₁, etc.
Variables of the set V_S will be denoted by s, s', s₁, etc.
The set of well-formed expressions consists of terms, open formulas, programs, generalized terms and formulas (cf. Chapter III, § 10).
The specific axioms of ATS are:
A1 while ~ empty(s) do s := pop(s) od true,
A2 (~ empty(s) ⇒ s =_S push(top(s), pop(s))),
A3 e =_E top(push(e, s)),
A4 s =_S pop(push(e, s)),
A5 ~ empty(push(e, s)),
A6 s =_S s' ≡ begin s1 := s; s2 := s'; bool := true;
while bool ∧ ~ empty(s1) ∧ ~ empty(s2) do
bool := bool ∧ (top(s1) =_E top(s2));
s1 := pop(s1); s2 := pop(s2);
od
end (bool ∧ empty(s1) ∧ empty(s2)),
A7, A8, A9 axioms of reflexivity, symmetry and transitivity of =_E.

Lemma 9.1. The program in axiom A6 always halts, i.e. the relation =_S is strongly programmable in terms of the remaining relations and notions. □

Lemma 9.2. For every s, s', s'' ∈ S and for every e, e' ∈ E
(a) s =_S s,
(b) (s =_S s' ⇒ s' =_S s),
(c) (s =_S s' ∧ s' =_S s'' ⇒ s =_S s''),
(d) (e =_E e' ∧ s =_S s') ≡ push(e, s) =_S push(e', s'),
(e) (s =_S s' ∧ ~ empty(s)) ≡ (pop(s) =_S pop(s') ∧ top(s) =_E top(s')),
(f) (s =_S s' ⇒ (empty(s) ≡ empty(s'))),
(g) (empty(s) ∧ empty(s') ⇒ s =_S s').
Proof.
(a) The reflexivity of =_S follows immediately from A6.
(d) The formula
push(e, s) =_S push(e', s')
is equivalent to
begin s1 := push(e, s); s2 := push(e', s'); bool := true;
while bool ∧ ~ empty(s1) ∧ ~ empty(s2) do
bool := bool ∧ top(s1) =_E top(s2);
s1 := pop(s1); s2 := pop(s2)
od
end (bool ∧ empty(s1) ∧ empty(s2)).
Next, we obtain by Ax23 from Chapter II, § 5, another equivalent
begin s1 := push(e, s); s2 := push(e', s'); bool := true;
if bool ∧ ~ empty(s1) ∧ ~ empty(s2) then
begin bool := bool ∧ top(s1) =_E top(s2);
s1 := pop(s1); s2 := pop(s2);
while bool ∧ ~ empty(s1) ∧ ~ empty(s2) do
bool := bool ∧ top(s1) =_E top(s2);
s1 := pop(s1); s2 := pop(s2);
od
end
fi
end (bool ∧ empty(s1) ∧ empty(s2)).
Now by A5 and Ax22 from Chapter II, § 5, the last formula is equivalent to:
begin s1 := push(e, s); s2 := push(e', s'); bool := true;
bool := bool ∧ top(s1) =_E top(s2);
s1 := pop(s1); s2 := pop(s2);
while bool ∧ ~ empty(s1) ∧ ~ empty(s2) do
bool := bool ∧ top(s1) =_E top(s2);
s1 := pop(s1); s2 := pop(s2)
od
end (bool ∧ empty(s1) ∧ empty(s2)).
Making use of A3, A4 and the simple facts from the semigroup of assignment instructions, we transform the last formula into
begin bool := (e =_E e');
s1 := s; s2 := s';
while bool ∧ ~ empty(s1) ∧ ~ empty(s2) do
bool := top(s1) =_E top(s2) ∧ bool;
s1 := pop(s1); s2 := pop(s2);
od
end (bool ∧ empty(s1) ∧ empty(s2)).
This is equivalent to
e =_E e' ∧ s =_S s'.

(e, f) This easily follows from (d) by A2, A3, A4.
(g) Obvious.
(b) The symmetry of the =_S relation follows from the fact that the instructions
s1 := s; s2 := s'
in A6 can be permuted, and that the same can be done with
s1 := pop(s1); s2 := pop(s2),
and also from the commutativity of ∧ and the symmetry of =_E.
(c) Proof is by induction with respect to the depth of stack s'. We proceed in an informal way, passing to an extension of ATS by arithmetic. Define the mapping depth: S → N by
depth(s) = (i := 0)(while ~ empty(s) do i := i + 1; s := pop(s) od i).
Observe that depth(s) = 0 ≡ empty(s). From this and (f) we have the base of induction. Assume for all s' of depth not greater than n that statement (c) is true. Consider a stack s' of depth (n+1). Stack s' may be presented in the form
s' =_S push(top(s'), pop(s')).
From s =_S s' ∧ s' =_S s'' we have
top(s) =_E top(s') ∧ pop(s) =_S pop(s') ∧ top(s') =_E top(s'') ∧ pop(s') =_S pop(s'').
Making use of the inductive assumption for stacks of depth not greater than n together with the transitivity of =_E, we obtain
top(s) =_E top(s'') ∧ pop(s) =_S pop(s'')
and by (e)
s =_S s''. □

10. THE REPRESENTATION THEOREM FOR STACKS

As a simple corollary of Lemma 9.2 we observe that in every model 𝔐 of ATS the relation denoted by =_S is a congruence and, consequently, we have the following theorem:

Theorem 10.1. If a system 𝔐 is a model of ATS, then the quotient system 𝔐' = 𝔐/(=_E, =_S) is a model of ATS proper for identity. □

Theorem 10.2 (Representation Theorem). Every model 𝔐 of ATS which is proper for identity is isomorphic with a standard model of it:
𝔖 = ⟨E ∪ FSeq(E), precede, delete-first, first, =_E, ∅⟩.
Proof. For every natural number i we define a partial mapping
ith-from-top: S → E,
ith-from-top(s) = (if ~ empty(s) then s := pop(s) fi)ⁱ top(s)
and another mapping
card: S → N,
card(s) = the least natural number i such that empty(popⁱ(s)).
There is exactly one element s such that the formula empty(s) holds (by Lemma 9.2 and the assumption of the theorem). We shall denote this element by s_empty.
With every stack s ∈ S we associate the finite sequence seq(s),
seq: S → FSeq(E),
seq(s) = {e₀, e₁, ..., e_{n−1}}, where n = card(s) and
e_i = ith-from-top(s) for 0 ≤ i < n,
seq(s_empty) = ∅.
It is easy to observe that for every finite sequence e₁, ..., e_n the following equality holds:
seq(push(e₁, push(e₂, ..., push(e_n, s_empty) ...))) = {e₁, e₂, ..., e_n},
hence the mapping seq is onto FSeq(E).
Let s and s' be two different stacks, s ≠ s'. From A6 we see that either after the execution of the program in A6 the formula (bool ∧ ~(empty(s) ∧ empty(s'))) holds and then card(s) ≠ card(s'), or there exists a natural number i such that
ith-from-top(s) ≠ ith-from-top(s')

when after the execution of the program ~ bool holds. In both cases seq(s) ≠ seq(s'), i.e. the mapping seq is one-to-one.
It is easy to verify that
seq(pop(s)) = delete-first(seq(s)),
top(s) = first(seq(s)),
seq(push(e, s)) = precede(e, seq(s)),
empty(s) ≡ seq(s) = ∅.

Hence seq is an isomorphism. □

11. IMPLEMENTATIONS OF ARITHMETIC AND DICTIONARIES

Arithmetic of natural numbers

If we extend the language by a constant e₀ of sort E then putting
s =_A s' ≡ begin s1 := s; s2 := s';
while ~ empty(s1) ∧ ~ empty(s2) do
s1 := pop(s1); s2 := pop(s2)
od
end (empty(s1) ∧ empty(s2)),
succ(s) = push(e₀, s) where e₀ denotes a fixed element of E,
0 = while ~ empty(s) do s := pop(s) od s,
we can prove the axioms of natural numbers:
~ succ(x) =_A 0,
(succ(x) =_A succ(y) ⇒ x =_A y),
(x := 0)(while ~ x =_A y do x := succ(x) od true),
which shows that ATS contains all theorems of the algorithmic arithmetic of natural numbers.

Dictionaries
In this case we implement the following “vocabulary” of notions:
amember(s) = top(s),
insert(e, s) = if ~ member(e, s) then s := push(e, s) fi s,
delete(e, s) = begin
s1 := s;
while ~ empty(s2) do s2 := pop(s2) od;
while ~ empty(s1) do
if ~ e =_E top(s1)
then s2 := push(top(s1), s2)
fi;
s1 := pop(s1)
od
end s2,
member(e, s) ≡ begin s1 := s; bool := false;
while ~ bool ∧ ~ empty(s1) do
if e =_E top(s1) then bool := true
else s1 := pop(s1)
fi
od
end bool.
Observe that the axioms of the algorithmic theory of dictionaries
may be proved from axioms of ATS and the above definitions showing
that stacks can be used in order to implement insert, delete and
member instructions. If this is not done in practice, the reason is
to be found in the high cost of such implementation.
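An added example (not the book's code) covering Sections 9 to 11: the standard system of stacks as Python tuples with the top first, the A6 equality program, and the vocabularies that interpret arithmetic and dictionaries in ATS. The checkers `check_ats` and `check_dictionary` (our names) evaluate A2-A5, Lemma 9.2(d) and the dictionary axioms, taken in the shape of PQ2 and PQ4-PQ7 of Section 6, on all stacks of small depth over a constructed E.

```python
from itertools import product

EMPTY = ()                      # the unique empty stack s_empty

def empty(s):
    return s == EMPTY

def push(e, s):                 # precede(e, seq): the new top is the first component
    return (e,) + s

def pop(s):                     # delete-first; partial, never applied to EMPTY below
    return s[1:]

def top(s):                     # first
    return s[0]

def eq_s(s, s2):
    """A6: s =_S s' by the pairwise top/pop walk; tuple equality is never used."""
    s1, ok = s, True
    while ok and not empty(s1) and not empty(s2):
        ok = ok and (top(s1) == top(s2))
        s1, s2 = pop(s1), pop(s2)
    return ok and empty(s1) and empty(s2)

E0 = "e0"                       # Section 11: the fixed element used to build numerals

def eq_a(s, s2):
    """s =_A s': both stacks have the same depth; their contents are ignored."""
    while not empty(s) and not empty(s2):
        s, s2 = pop(s), pop(s2)
    return empty(s) and empty(s2)

def succ(s):
    return push(E0, s)

def zero(s):
    """0 = while ~empty(s) do s := pop(s) od s."""
    while not empty(s):
        s = pop(s)
    return s

def amember(s):                 # Section 11: the dictionary vocabulary
    return top(s)

def member(e, s):
    s1, found = s, False
    while not found and not empty(s1):
        if e == top(s1):
            found = True
        else:
            s1 = pop(s1)
    return found

def insert(e, s):
    return s if member(e, s) else push(e, s)

def delete(e, s):
    """Copy s onto a second stack, leaving out every element equal to e (the
    survivors come out reversed, which the dictionary axioms cannot observe)."""
    s1, s2 = s, EMPTY
    while not empty(s1):
        if not e == top(s1):
            s2 = push(top(s1), s2)
        s1 = pop(s1)
    return s2

def all_stacks(E, depth):
    return [EMPTY] + [tuple(w) for k in range(1, depth + 1) for w in product(E, repeat=k)]

def check_ats(E, depth=2):
    """A2-A5 and Lemma 9.2(d) over all stacks of depth <= depth; returns the violations."""
    bad, stacks = set(), all_stacks(E, depth)
    for s in stacks:
        if not empty(s) and not eq_s(s, push(top(s), pop(s))):
            bad.add("A2")
        for e in E:
            if top(push(e, s)) != e or not eq_s(s, pop(push(e, s))) or empty(push(e, s)):
                bad.add("A3-A5")
        for s2, e, e2 in product(stacks, E, E):
            if (e == e2 and eq_s(s, s2)) != eq_s(push(e, s), push(e2, s2)):
                bad.add("Lemma 9.2(d)")
    return sorted(bad)

def check_dictionary(E, depth=2):
    """The dictionary axioms, in the shape of PQ2 and PQ4-PQ7 of Section 6, evaluated
    through the Section 11 definitions; returns the violations."""
    bad = set()
    for s in all_stacks(E, depth):
        s0, rounds = s, 0
        while not empty(s0) and rounds <= len(s):    # each round removes at least the top
            s0, rounds = delete(amember(s0), s0), rounds + 1
        if not empty(s0):
            bad.add("termination of  while ~empty(s) do s := delete(amember(s), s) od")
        for e, e2 in product(E, E):
            if not member(e, insert(e, s)) or member(e, delete(e, s)):
                bad.add("member after insert/delete of e")
            if e2 != e and (member(e2, s) != member(e2, insert(e, s))
                            or member(e2, s) != member(e2, delete(e, s))):
                bad.add("other elements unaffected")
    return sorted(bad)
```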

12. THEORY OF LINKS AND STACKS—ATSL

The aim of this section is to construct a bridge between such an abstract theory like ATS and the computer implementation of stacks to be found in § 13. We shall do this by (i) formalization of operations on attributes of stacks and links of stacks in ATSL theory, (ii) construction of a model for ATSL, (iii) interpretation of ATS theory within ATSL theory.
In ATS theory we have studied the properties of operations on stacks knowing nothing about how to perform them. Now we shall try to construct a model for ATS out of objects that can be handled by a computer. We assume that the objects of a set E of elements are computable, i.e. that there is an effective method of constructing them.

How do we construct stacks and how do we perform operations on them? An auxiliary set of links will take us nearer to a solution.
Any link object has two attributes:
prev—pointing to a previous link-object in a stack,
elem—pointing to an element of a set E.
The operations allowed on attributes are those of programming:
read—to be denoted by l.(name of attribute),
assign—to be denoted by l.(name of attribute) := .
In this way we reach the point where all operations are either from the programming language (cf. axioms As1, As2, As3, As7, As8 below), or are defined explicitly (e.g. As9, As10).
The crucial fact about stacks of links is that walking along the ‘prev’ path we shall always reach ‘none’, i.e. the bottom of the stack. This will be stated as axiom As4.
It will be observed that total freedom in assigning new values to the ‘prev’ attribute would eventually destroy property As4, and our theory could turn out to be inconsistent. In order to solve this problem we introduce the predicate ap, a guard of the operation prevap, checking whether assigning a new value to the ‘prev’ attribute is safe.
Here we are assuming some properties of objects of classes (a notion used in SIMULA, LOGLAN). We do not pretend that our understanding of their properties is complete. For example, we are not explaining the difficult question of identification of objects nor the differences between copies of the same object. These questions will be studied more systematically elsewhere.
The alphabet of the language of ATSL contains the individual variables, predicates, functors, and other signs.
The set of individual variables is split into three disjoint subsets:
V_E—set of variables of type E,
V_L—set of variables of type L,
V_S—set of variables of type S.
In the following description of the sets of predicates and functors we shall use the letters E, L and S to denote the sorts of arguments and results.
The predicates of the language are:
=_E: E × E → B₀ where B₀ is the two-element Boolean algebra,

isnone: L → B₀,
ap: L × L → B₀.
The functors of the language are:
tops: S → L, topsa: S × L → S,
newS ∈ S, none ∈ L,
newL: E → L,
elem: L → E, elema: L × E → L,
prev: L → L, prevap: ap → L.
The notation elema: L × E → L should be read: the first argument of elema is of the sort L, the second argument is of the sort E, the result of the elema operation is of the sort L.
The sets of formulas and of programs are constructed as usual.

Notation
1. We shall use a postfix notation for the tops, elem, and prev functors, i.e. instead of prev(l) we shall write l.prev.
2. Without loss of generality we can assume that the functors topsa, elema and prevap will appear in the following context only:
s := topsa(s, τ_L), where L is the type of τ_L,
l := elema(l, τ_E), where E is the type of τ_E,
l := prevap(l, τ_L).
This allows us to use the following shortened forms below:
s.tops := τ_L,
l.elem := τ_E,
l.prev := τ_L.
Axioms
As1 isnone(none),
As2 isnone(newL(e).prev),
As3 e =_E newL(e).elem,
As4 while ~ isnone(l) do l := l.prev od true,
As5 (s.tops := l)(s.tops =_L l),
As6 ap(l, l') ≡ (∃l'') l'' =_L prevap(l, l'),
As7 (ap(l, l') ∧ e =_E l.elem)
⇒ (l.prev := l')(e =_E l.elem ∧ l.prev =_L l' ∧ ~ isnone(l)),

As8 (l' =_L l.prev ⇒ (l.elem := e)(e =_E l.elem ∧ l' =_L l.prev)),
As9 (l =_L l' ≡ begin l1 := l; l2 := l'; bool := true;
while bool ∧ ~ isnone(l1) ∧ ~ isnone(l2) do
bool := bool ∧ (l1.elem =_E l2.elem);
l1 := l1.prev; l2 := l2.prev;
od
end (bool ∧ isnone(l1) ∧ isnone(l2))),
As10 ap(l, l') ≡ begin l1 := l'; bool := true;
while bool ∧ ~ isnone(l1) do
if l1 =_L l then bool := false else
l1 := l1.prev fi
od
end bool.
It is not obvious that ATSL is a consistent theory. In order to prove this we shall construct a model of ATSL starting from the system ⟨E, =_E⟩. An object l from the set L will have the structure of a valuation of the elem and prev variables shown in Figure 12.1

Fig. 12.1 (a link object l: attributes elem = e, prev)

and objects from S will have a similar, even simpler structure, as shown in Figure 12.2.

Fig. 12.2 (a stack object s: attribute tops)

In order to draw the model SL shown in Figure 12.3 we shall limit ourselves to the case where E = {e₁, e₂, e₃}; the reader will see that this limitation is inessential.
The tree SL contains diagrams of the operations tops, elem, prev, newS, newL and none. For the remaining operations we assume the following definitions:
elema(l, e)—for a given l find its brother l' such that l'.elem =_E e; this l' will be the value of elema(l, e),

Fig. 12.3 (the tree SL; its root newS with the attribute tops)

topsa(s, l)—find s' such that s'.tops =_L l,
ap(l, l') ≡ there is no path from l' to l,
prevap(l, l')—among the sons of l' find l'' such that l''.elem =_E l.elem (remember that prevap(l, l') is defined only when ap(l, l') holds),
isnone = {none}.
It is not difficult then to prove the following theorem:
It is not difficult then to prove the following theorem:

Theorem 12.1. The SL tree described above is a model for ATSL. □

We can now show that ATS theory is interpretable within ATSL. Let us assume the following definitions:
empty(s) ≡ isnone(s.tops).
push(e, s) = begin s1 := newS; l1 := newL(e);
l1.prev := s.tops; s1.tops := l1
end s1.
pop(s) = begin if empty(s) then ERROR fi;
s1 := newS; s1.tops := s.tops.prev
end s1.
top(s) = s.tops.elem.
s =_S s' ≡ s.tops =_L s'.tops.
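An added example, not the book's or LOGLAN's code: a Python model of ATSL in which link and stack objects carry the attributes of Figures 12.1 and 12.2, `ap` is the program of As10, `prevap` enforces it, and the definitions just given for push, pop, top and =_S are built on top. `guard_demo` and `ats_axioms_demo` (our names) show what the guard protects: a prev assignment made behind its back creates a cycle and As4 fails.

```python
class Link:
    """Sort L: attributes elem (sort E) and prev (sort L)."""
    def __init__(self, elem, prev=None):
        self.elem, self.prev = elem, prev

class Stack:
    """Sort S: attribute tops (sort L); a fresh newS has tops = none."""
    def __init__(self):
        self.tops = None

NONE = None                                    # the constant none of sort L

def isnone(l):
    return l is NONE

def newL(e):                                   # As2, As3: prev = none, elem = e
    return Link(e)

def newS():
    return Stack()

def prev_walk_halts(l, bound):
    """As4 checked operationally: walk prev until none.  More steps than links were
    ever created (`bound`) can only mean a cycle; report that as a failure."""
    steps = 0
    while not isnone(l):
        l, steps = l.prev, steps + 1
        if steps > bound:
            return False
    return True

def ap(l, l2):
    """As10: walk from l2 along prev; l.prev := l2 is safe iff l is never met."""
    l1, safe = l2, True
    while safe and not isnone(l1):
        if l1 is l:
            safe = False
        else:
            l1 = l1.prev
    return safe

def prevap(l, l2):
    """The guarded assignment l.prev := l2 (As6, As7): refused unless ap(l, l2)."""
    if not ap(l, l2):
        raise ValueError("prevap: l.prev := l' would create a cycle")
    l.prev = l2
    return l

def eq_l(l, l2):
    """As9: l =_L l' compares the two prev-paths element by element."""
    ok = True
    while ok and not isnone(l) and not isnone(l2):
        ok = ok and (l.elem == l2.elem)
        l, l2 = l.prev, l2.prev
    return ok and isnone(l) and isnone(l2)

# The interpretation of ATS inside ATSL (the definitions of Section 12)
def empty(s):
    return isnone(s.tops)

def push(e, s):
    s1, l1 = newS(), newL(e)
    prevap(l1, s.tops)                         # l1.prev := s.tops; always safe for a fresh link
    s1.tops = l1
    return s1

def pop(s):
    if empty(s):
        raise ValueError("ERROR: pop of an empty stack")
    s1 = newS()
    s1.tops = s.tops.prev
    return s1

def top(s):
    return s.tops.elem

def eq_s(s, s2):
    return eq_l(s.tops, s2.tops)

def ats_axioms_demo():
    """A2-A5 on a constructed sample stack, evaluated through the link interpretation."""
    s = push("b", push("a", newS()))
    return (eq_s(s, push(top(s), pop(s))), top(push("x", s)) == "x",
            eq_s(s, pop(push("x", s))), not empty(push("x", s)))

def guard_demo():
    """The guard refuses to point the bottom link of a 3-element stack at its top link;
    doing it anyway behind the guard's back is exactly what breaks As4."""
    s = push("c", push("b", push("a", newS())))
    bottom = s.tops.prev.prev
    refused = not ap(bottom, s.tops)
    halts_before = prev_walk_halts(s.tops, bound=3)
    bottom.prev = s.tops                       # raw assignment, bypassing prevap
    halts_after = prev_walk_halts(s.tops, bound=3)
    return refused, halts_before, halts_after
```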

Theorem 12.2. The theory ATS is interpretable within ATSL theory, i.e. axioms A1-A6 of ATS theory are theorems in ATSL theory augmented by the above definitions.
Proof.
Ad A1 From T we have
(s := s1)(s =_S s1).
From As5 we have
(s1.tops := s.tops.prev)(s1.tops = s.tops.prev).
Combining these facts we have
(s.tops =_L l ⇒ (begin s1 := newS; s1.tops := s.tops.prev; s := s1 end)(s.tops = l.prev)).
Making use of the definitions of empty and pop, and As4, we obtain
while ~ empty(s) do s := pop(s) od true.

Ad A2 Proof follows directly from the definitions of push and top.


Ad A3 By the definitions and As5 and As3.
Ad A4 By the definitions.
Ad A5 From As7 and the definitions.
Ad A6 Compare with As9. □

Let 𝔐₁ and 𝔐₂ be two models of ATSL theory,
𝔐₁ = ⟨E ∪ L₁ ∪ S₁, tops, topsa, elem, elema, newS, newL, none, ap, ...⟩,
𝔐₂ = ⟨E ∪ L₂ ∪ S₂, tops, topsa, elem, elema, newS, newL, none, ap, ...⟩
with the same set of elements E. With this we have the following result.

Theorem 12.3. Models 𝔐₁ and 𝔐₂ are isomorphic. □

Consider the system described by the tree SL and observe the following.

Theorem 12.4. The least subsystem of SL containing E ∪ {none} ∪ {newS} and closed with respect to the operations push, pop and top is the system SL itself, i.e. SL is generated from E ∪ {none} ∪ {newS} by the push, pop and top operations.
The proof is straightforward. It is easy to see that every element in the SL tree can be obtained by a finite number of push operations, either explicitly if it is an S-element or implicitly if it belongs to L. □

The meaning of the last theorem may be explained and utilized in the following way. It is possible to implement stacks in terms of ATSL in such a way that the operations of ATSL are internal and hidden, but the operations of ATS are external—the only ones accessible to the user.

13. IMPLEMENTATION OF STACKS IN LOGLAN PROGRAMMING LANGUAGE

The results of the previous section justify the introduction of the following program constituent. Its orthography is taken from the LOGLAN programming language designed at the University of Warsaw.

unit STACKS: class
begin virtual: function eq(a, b: element): Boolean;
{we assume that eq is an equivalence relation}
hidden protected link;
unit element: class begin end element;
unit link: class (elem: element); begin
variable prev: link end link;
unit stack: class begin variable tops: link end stack;
function empty(s: stack): Boolean:
begin result := (s.tops = none) end empty;
function top(s: stack): element:
begin result := s.tops.elem end top;
function push(e: element, s: stack): stack:
variable l1: link, s1: stack;
begin
l1 := new link(e); s1 := new stack;
l1.prev := s.tops; s1.tops := l1;
result := s1
end push;
function pop(s: stack): stack:
variable s1: stack;
begin
if empty(s) then ERROR fi;
s1 := new stack; s1.tops := s.tops.prev;
result := s1
end pop;
function eqs(s1, s2: stack): Boolean:
variable l1, l2: link, bool: Boolean;
begin
l1 := s1.tops; l2 := s2.tops; bool := true;
while bool ∧ l1 ≠ none ∧ l2 ≠ none do
bool := bool ∧ eq(l1.elem, l2.elem);
l1 := l1.prev; l2 := l2.prev
od;
result := (bool ∧ l1 = none ∧ l2 = none)
end eqs;
end STACKS.

STACKS may be viewed as an algebraic system of three sorts, elements, links and stacks, with three predicates—eq, empty and eqs, and three operations—top, push, pop. Let us denote the set of all objects that belong to a type t by |t|.
STACKS = ⟨|element| ∪ |link| ∪ |stack|, empty, eq, eqs, top, pop, push⟩.
About element-objects we assume nothing except that there is a binary predicate eq.
The structure of a link-object agrees with the earlier picture (see Figure 13.1) where e ∈ |element|, l ∈ |link| and none is also a link-object.

Fig. 13.1 (a link-object: elem = e, prev = l)

The structure of a stack-object is as shown in Figure 13.2.

Fig. 13.2 (a stack-object: tops = l)

From Theorem 12.4 we know that if we limit ourselves only to those objects which are generated by the push operation, then the resulting subsystem will be a model for ATS (neglecting links, since they play only an auxiliary role). The line
hidden protected link;
serves the purpose of showing that the link is accessible only in functions declared in the STACKS type.
We should now like to show that the STACKS declaration serves as a definition of a family of similar algebraic systems.
Let a set E possess a definition in the form of a type declaration
unit E: class ... end E;
and let eq be a Boolean function determining the equality of two given elements of the set E:
function eq(e, e': E): Boolean: ... result := ...

We are able to form a definition of the system of stacks over E by concatenating the previous definition of STACKS with the one above. This is done by prefixing (a notion familiar from SIMULA 67 and LOGLAN).
unit STACKS OVER E: STACKS class
unit E: element class ... end E;
function eq(e, e': E): Boolean: ... result := ...
end STACKS OVER E.
Since STACKS prefixes STACKS OVER E and element prefixes E, every object prefixed by such a type behaves as if it possessed all the attributes of the prefixing type.
This last definition may be used as a prefix in front of a program written in the language of the defined system.
pref STACKS OVER E block
variable e, e1, e2: E, l, l': link, s, s1, s': stack;

{Objects of the types E, link, stack may be created only by the new stack, new link, new E, pop, push operations. No change of attributes of link objects is possible. The program written here can use the top, pop, push, empty, eqs, eq operations on stacks}

end.

14. QUEUES
We are now going to interpret dictionaries within queues, so we must introduce the algorithmic theory of queues ATQ. ATQ is a two-sorted theory. Let E and Q denote its two sorts.
Variables of sort E will be denoted by e, e', etc.; variables of sort Q will be denoted by q, q', q1, etc. The specific signs of the theory are listed below:
em: Q → B₀,
put: E × Q → Q,
out: Q → Q,
fr: Q → E,
=_E: E × E → B₀,
=_Q: Q × Q → B₀.

Axioms of queues.
Aq1 while ~ em(q) do q := out(q) od true,
Aq2 (em(q) ⇒ (q =_Q out(put(e, q)))),
Aq3 (~ em(q) ⇒ put(e, out(q)) =_Q out(put(e, q))),
Aq4 (em(q) ⇒ (e =_E fr(put(e, q)))),
Aq5 (~ em(q) ⇒ fr(put(e, q)) =_E fr(q)),
Aq6 ~ em(put(e, q)),
Aq7 q =_Q q' ≡ begin q1 := q; q2 := q'; bool := true;
while ~ em(q1) ∧ ~ em(q2) ∧ bool do
if fr(q1) ≠ fr(q2) then bool := false fi;
q1 := out(q1); q2 := out(q2);
od
end (bool ∧ em(q1) ∧ em(q2)).

Theorem 14.1 (Representation Theorem for ATQ Theory). Every model of ATQ is isomorphic to the structure of finite sequences over the set E of elements of the given model with the obvious operations on the sequences:
put(e, s), adjoin the element e to the sequence s at its end,
fr(s), first element of the sequence s, if it is not empty,
out(s), delete the first element of s,
em(s), the sequence s is empty. □

After this brief presentation of the theory of queues we shall define an interpretation of dictionaries in the algorithmic theory of queues. It consists of four definitions, which can be conceived as an extension of the theory ATQ by new primitive notions and four axioms. The following vocabulary defines an interpretation of the theory ATD in the theory ATQ.

Definition 14.1.
mb(e, q) ≡ begin q1 := q; bool := false;
      while ~em(q1) ∧ ~bool do
        e1 := fr(q1);
        if e =E e1 then bool := true fi;
        q1 := out(q1)
      od
    end bool. □

Definition 14.2.
in(e, q) =Q begin q1 := q;
      if ~mb(e, q1) then q1 := put(e, q1) fi
    end q1. □

Definition 14.3.
del(e, q) =Q begin q1 := q;
      if mb(e, q1) then
        while ~em(q2) do q2 := out(q2) od; {q2 is now an empty queue}
        while ~em(q1) do
          e1 := fr(q1);
          if e ≠ e1 then q2 := put(e1, q2) fi;
          q1 := out(q1)
        od;
        q1 := q2
      fi
    end q1. □

Definition 14.4.
amb(q) ≡ fr(q). □

We need not redefine the predicate em.


In order to prove that the vocabulary presented above is a correct implementation of dictionaries in queues we need to prove that the formulas A1-A6 from Chapter III, § 3, are theorems in the extension of the theory ATQ obtained by adding Definitions 14.1-14.4 as extra axioms.
We shall limit ourselves to the proof of
A1 while ~em(q) do q := del(amb(q), q) od true.
In the proof we shall use the Representation Theorem for ATQ Theory: amb(q) is the first element of the sequence q, and del(e, q) denotes the sequence obtained from the sequence q by deleting all occurrences of the element e. Hence every iteration of the loop removes at least one element from the finite sequence q, so formula A1 is valid in every model of ATQ, and by the Completeness Theorem it is a theorem of the extended ATQ.
In this way we have defined an implementation of dictionaries and proved its correctness. One can define other implementations, e.g. in arrays or in arrays of queues, i.e. hashtables.
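As an added illustration (not part of the book), the following Python model realizes the structure of Theorem 14.1 with tuples standing for finite sequences, writes the program of Aq7 and those of Definitions 14.1-14.4 as functions, and checks the axioms Aq1-Aq6 and the formula A1 on constructed sample data. The operation names are the book's (in and del are Python keywords, so they appear as ins and dele); the tuple representation and the sample data are assumptions of the example.

```python
# Added example (not from the book): a model of ATQ as Python tuples, with the
# dictionary operations of Definitions 14.1-14.4 written as the book's programs,
# and the axioms Aq1-Aq7 and A1 checked on constructed sample data.
from typing import Tuple, Any

Queue = Tuple[Any, ...]   # a queue is a finite sequence (Theorem 14.1)
EMPTY: Queue = ()

def em(q: Queue) -> bool:
    return len(q) == 0

def put(e, q: Queue) -> Queue:
    return q + (e,)          # adjoin e at the end

def out(q: Queue) -> Queue:
    if em(q):
        raise ValueError("out(q) is undefined for an empty queue")
    return q[1:]

def fr(q: Queue):
    if em(q):
        raise ValueError("fr(q) is undefined for an empty queue")
    return q[0]

def eq_q(q: Queue, q2: Queue) -> bool:
    """Aq7: element-wise comparison by repeated fr/out."""
    q1, ok = q, True
    while not em(q1) and not em(q2) and ok:
        if fr(q1) != fr(q2):
            ok = False
        q1, q2 = out(q1), out(q2)
    return ok and em(q1) and em(q2)

def mb(e, q: Queue) -> bool:            # Definition 14.1: membership by a full scan
    q1, found = q, False
    while not em(q1) and not found:
        if e == fr(q1):
            found = True
        q1 = out(q1)
    return found

def ins(e, q: Queue) -> Queue:          # Definition 14.2: insert only if absent
    return q if mb(e, q) else put(e, q)

def dele(e, q: Queue) -> Queue:         # Definition 14.3: rebuild q without e
    q1 = q
    if mb(e, q1):
        q2 = EMPTY
        while not em(q1):
            e1 = fr(q1)
            if e != e1:
                q2 = put(e1, q2)
            q1 = out(q1)
        q1 = q2
    return q1

def amb(q: Queue):                      # Definition 14.4
    return fr(q)

def check_axioms(sample_elems, sample_queues) -> bool:
    """Aq1-Aq6 instantiated on the sample; False on the first violation."""
    for q in sample_queues:
        q1 = q
        while not em(q1):               # Aq1: the out-loop terminates
            q1 = out(q1)
        for e in sample_elems:
            if em(q) and not eq_q(q, out(put(e, q))):                    # Aq2
                return False
            if not em(q) and not eq_q(put(e, out(q)), out(put(e, q))):  # Aq3
                return False
            if em(q) and fr(put(e, q)) != e:                             # Aq4
                return False
            if not em(q) and fr(put(e, q)) != fr(q):                     # Aq5
                return False
            if em(put(e, q)):                                            # Aq6
                return False
    return True

def a1_steps(q: Queue) -> int:
    """A1: while ~em(q) do q := del(amb(q), q) od; returns the iteration count,
    which equals the number of distinct elements of q."""
    steps = 0
    while not em(q):
        q = dele(amb(q), q)
        steps += 1
    return steps
```

check_axioms([1, 2, 3], [EMPTY, (1,), (2, 1, 2)]) returns True, and a1_steps((2, 1, 2, 3)) returns 3: the loop of A1 halts after one iteration per distinct element, which is the finiteness argument of the proof above made visible.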

15. BINARY TREES

Let A be a set whose elements will be called atoms. We shall give a specification of the structure of binary trees with atoms associated to leaves. The structure has two sorts:
A, the sort of atoms,
T, the sort of trees.
The sorts A and T are not disjoint; we assume A ⊆ T.
The operations of the structure are as follows:
c: T × T → T,
e: T → B0,
a: T → B0,
l: T → T,
r: T → T;
l, r are partial operations, not defined if the argument is an atom.
The axioms of binary trees are:
TR1 (∀t ∈ T)(a(t) ∨ e(t) ∨ t = c(l(t), r(t)));
TR2 (∀t1, t2 ∈ T) l(c(t1, t2)) = t1;
TR3 (∀t1, t2 ∈ T) r(c(t1, t2)) = t2;
TR4 (∀t1, t2 ∈ T) ~e(c(t1, t2)) ∧ ~a(c(t1, t2));
TR5 (∀t ∈ T) while ~e(t) ∧ ~a(t) do
        if e(l(t)) ∨ a(l(t)) then t := r(t)
        else t := c(l(l(t)), c(r(l(t)), r(t)))
        fi
      od true;
TR6 (∀t1, t2 ∈ T)((e(t1) ∧ e(t2)) ⇒ t1 = t2).
A standard model for these axioms is the set of S-expressions. S-expressions constitute the semantic basis for the "pure" LISP programming language.

Definition 15.1. The set of S-expressions over the set A is the least set of expressions such that:
1° it contains the set A ∪ {nil};
2° for every two S-expressions t1 and t2 the expression (t1 · t2) is also in the set of S-expressions. □

Theorem 15.1. Every model of the axioms listed above, proper for identity, is isomorphic with a model in the set of S-expressions.

Proof. It may easily be observed that the set of S-expressions with the obvious interpretation of the functors c, l, r and of the predicates a and e is a model of the axioms TR1-TR6. Observe that axiom TR5 excludes elements outside S: it obviously rejects infinite trees, and it also excludes elements like the one shown in Figure 15.1, since the program in TR5 does not terminate on such an input. Our axioms do accept directed acyclic graphs (dags). One can say that dags appear when we identify the subtrees of a given tree which have the same structure. In this way we have touched on the problem of identification of objects in a data structure. Our axiomatic theory deals with an abstraction of the notion of binary tree. For a more realistic treatment the notion of reference should be included. This allows us to explain why two objects of the same structure are treated as though they were different although they are in fact basically the same. □

These problems will be studied later (cf. Chapter VII).


Let us recall another specification of trees (cf. Kuratowski and Mostowski, 1967). A data structure 𝔄 with a distinguished element a0 ∈ A and a unary operation f: A → A is called a tree iff it satisfies the axiom:
(∀a ∈ A) while a ≠ a0 do a := f(a) od true.
The axiom given above rejects dags and other graphs. One does not meet this specification on its own very frequently in the computer science literature. In practical applications it should be combined with the previous definition of binary trees.
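The program of axiom TR5 can be executed directly as a test of well-foundedness of a structure that claims to be a tree. The following Python fragment is an added example, not from the book: it models S-expressions as Python objects (atoms are strings and nil is None, both assumptions of the example) and runs the TR5 loop with a step budget, so that a cyclic structure of the kind Figure 15.1 illustrates is reported instead of looping forever.

```python
# Added example (not from the book): S-expressions as Python objects, the
# operations c, l, r, a, e of Section 15, and the program of axiom TR5 run with
# a step budget, so that an input that is not a finite tree is reported.
from d_ataclasses import dataclass  # noqa: placeholder line replaced below
```

<!-- placeholder intentionally avoided; the real block follows -->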

16. BINARY SEARCH TREES

Let E be a set linearly ordered by the relation ^ . A binary search tree


is a labelled binary tree in which each vertex w is labelled by an el­
ement e(w) e E and where:
(a) for every vertex q in the left subtree of w: e(q) < e(w),
(b) for every vertex q in the right subtree of w: e(w) < e(q).
Binary search trees are usually implemented with the help of the
following declaration of type:
unit A : class (v:E); variable /, r : A; end A;
which is related to the following signature:
u A, v, /, r, new A', ul, ur, isnone,
where
newA: E -> A,
v :N -+ E , /: A -* A, r :A - ^ A ,
ul: A x A - > A, u r : A x A -> A,
isnone: A -> B0,
= E and ^ E are relations of identity and of linear order in E.
For programming languages the type declaration of A is to be in­
terpreted as a description of a class of objects of the structure shown
in Figure 16.1. _ _
V e

/

r n2
Fig. 16.1

The class A also contains an empty object denoted none.


The operations listed above have the obvious meaning v(ri)—read
the value of v in the object ny /(«), r(n)—and indicate the objects asso­
ciated with n as the roots of its left and right subtrees respectively.
The operations ul and ur update the values of / and r. In a programming
language the instructions n := ul(n', n) and n := ur(n',n) are written
n.l := n' and n.r := n \ and we shall keep to the same convention
here. We shall also write n.v instead of v(n), and similarly n.l and n.r
instead of /(«) and r(n).
182 IV ALGORITHMIC PROPERTIES OF DATA STRUCTURES

An algebraic structure of the above signature will be called a bi­


nary search tree if it satisfies the following axioms B1-B9:
B1 newA(<?).^ = e
{the value of the attribute v of the newly created object is e}.
B2 isnone (newA(e)./),
B3 isnone (newA(e).r)
{in a newly created object the attributes / and r have the value none, hence
any object obtained by jiew A(e) should be interpreted as a leaf}.
The following definition will be used in axioms B4 and B5:
mb(e,n) — begin nl := n; bool := false;
while ~ isnone(rtl) a ~ bool do
if nl -v = e then bool : = true else
if e < nl 'V then n\ : — n l.l else
nl : = nl.r f i
fi
od
end bool
{the mb relation defined above is the relation of membership}.
B4 (mb(e, n.l)=> e < n.v).
B5 (mb(e, n.l) => n.v < e)
{for every non-empty tree with a root n, every member of its left subtree
is less than the value associated with the root n and every member of its
right subtree is greater than the value associated with the root n}.
B6 (isnone(w) v
begin
n’ n;
while ~ isnone(«') do
if isnone(n'.Z) then nl := n'.r else
nl := newN(n'.Lv);
n l . l : = ri L I ; n2 : = newN(n'. v);
n l.l := n'.l.r; nl.r n'.r;
nl.r := n l
f i;
n' := nl
od
end true)
16. BINARY SEARCH TREES 183

{for every element n, n is the root of the finite binary tree (cf. Defi­
nition 15.1)).
B7 ((n.r = n” a n.v — e a
(begin
n2 := r i ;
while ~ isnone(«2.r) do n l := nl.r od;
if nl.v < n.v then bool := true else
bool := false fi
end bool) v isnone(rc'))
=> (n.l := n')(n.r — n" a n.v = e a n.l — «'))
{if the greatest element in the tree n' is less than n.v or isnone (nr)
then the assignment associating n' as the left son of n is well defined
and the remaining attributes of n are untouched}.
B8 {(n.l — nn a n.v — e a
begin
n l := n while ~isnone(n.2/) do n l := n l.l od;
if nl.v > n.v then bool := true else bool := false fi
end bool v isnone(w'))
=>(n.r :== n’){n.l = n,r a n.v = eA n.r = n'))
{if the least element in the tree n is greater than n.v or isnone fra') then
the assignment associating n as the left son of n is well defined and the
remaining attributes of n are untouched }
B9 The set E is linearly ordered by the relation ^ .
The set of axioms B1-B9 is consistent due to the following theorem:

T heorem 16.1. The algorithmic theory o f binary search trees ATBST


has a model.
P roof. Let us consider the set S of expressions over the set E which
includes the expression ( ) representing none and where for every e e E
1° the expression (( ) e ( )) is in S ;
2° if two expressions v and r are in S and if for every element /
occurring in v, f < e, for every element / occurring in r, / > e, then
the expression (ver) is in S;
3° S is the least set of expressions closed with respect to 1° and 2°.
The interpretation of functors is as follows
isnone(y) = v = ( ),
newiV(e) = (( )e( )),
184 IV ALGORITHMIC PROPERTIES OF DATA STRUCTURES

and for every v ), if it is of the form (vex), we put


v(v) = e, — v, r{v) = r,
The operations ul and ur are partial operations defined in the fol­
lowing way. Let n denote an expression (vex) and let n' be another express­
ion. The operation ul(?z, nf) is defined iff all elements of E occurring
in n are less than e and ul(«, n') = (n'er), i.e. we replace the left subtree
of n by n provided that tree n contains only elements less than e.
The definition of ur is dual.
It is easy to verify that all axioms are valid in this structure. □

We shall now formulate the following theorem:

T heorem 16.2. Every model o f axioms B1-B9 is isomorphic with


a standard model defined above.

The axiom B6 ensures that every tree can be traversed in a finite


time. The problem of directed acyclic graphs will not appear since
axioms B4 and B5 assures that no two subtrees of a tree have the
same structure. □

J 7. AN INTERPRETATION OF THE THEORY OF PRIORITY QUEUES

We aim to prove that there exist an interpretation of the theory of prior­


ity queues in the theory of binary search trees ATBST. The interpre­
tation retains the structure of the universe and extends the set of oper­
ations. The definitions of member, insert, delete, min operations are
algorithmic. One can prove the axioms of priority queues in the theory,
which results from joining new axioms to ATBST. In this way we
approach our goal of verification of implementation. Implementation
in this case consists of a set of definitions. This is a correct implementa­
tion since one can prove.
Let us consider the following definitions:

D e f in it io n 17.1.
min(w) = if isnone(fl) then ALARM else n\ := n fi
(while ~isnone(«l./)do?zl := n \J od nl.v). □
17. PRIORITY QUEUES INTERPRETATION 185

L emma 17.1. For every n ^ none the value o f min(Ai) is defined.


For the proof it suffices to observe that every computation of the
instruction while ~isnone (nl.l) do nl : = n l.l od is finite. This
follows from the Representation Theorem 16.2. □

D efin itio n 17.2.


memher(<?, n) ee begin nl :— n; result : = false;
while ~ result a ~isnone(/2l) do
if e = nl.v then result := true else
< nl.v then n\ := nl.l
i f e

else n 1 := n\.r fi
fi
od
end result. □

L emma 17.2. The program in Definition 17.2 always terminates. □

L emma 17.3. I f the value o f min(/z) is defined then


(ye) (member (e, n) => min(«) ^ e). □

D efin itio n 17.3.


insert(<?, n) = begin n\ := n\ bool := false; n3 := nl;
while ~isnoneOzl) a ~ bool do n l := nl;
i f e — nl.v then bool := true else
if e < nl.v then nl n l.l
else nl := nl.r fi
fi
od;
if ^ bool then
if isnone(«2) then n3 : = newN(e) else
if e < nl.v then nl.l := newA(V)
else nl.r newN(e) fi
fi
fi
end n3. □

L emma 17.4. Let M denote the program in Definition 17.3. For every
e e E, for every n e N :
186 IV ALGORITHMIC PROPERTIES OF DATA STRUCTURES

(i) M member (e, n3),


(ii) for every er ^ e,
member (e, nl) = M m em ber^, n3). □

In order to save space we shall informally indicate the structure


of a deleting procedure. The reader will find it, in a modified version
in the following section.

D efin itio n 17.4.


df
delete^, n) — begin
{search n}
{suppose e is found at n 1a father of
n\ = n l)
{if /?] is a leaf—delete n l }
{if nl has exactly one son—make the
father n l of nl father of the son}
{if nl has two sons—find the least el­
ement min(wl./) in the right subtree
of nl. Delete min(wl.r) from the tree
with the root(wl.r). Make this element
the root of the subtree n l }
n3 := tree constructed above,
end n3. □

L emma 17.5. Let K denote the program sketched above. For every
e e E and for every n e N:
(i) K ~ member(e, «3),
(ii) for every er ^ e, m em ber^', n) = K m e m b e r n3). □

Making use of Lemmas 17.1-17.5 we can formulate the next theorem.

T heorem 17.6 (on the interpretation of the theory of priority queues).


A ll axioms of priority queues are provable from the axioms of binary
search trees and definitions of the operations insert, delete, member
min, empty. □

This means that given a model of the theory of binary search trees
we can define a model of the theory of priority queues. Moreover,
since all definitions are algorithmic we can construct such a model
18. IMPLEMENTATION OF PRIORITY QUEUES 187

in an effective way. The theorem on the interpretation of the theory


of priority queues in the theory of binary search trees justifies the imple­
mentation of priority queues given below.

18. AN IMPLEMENTATION OF PRIORITY QUEUES

In this section we shall give a declaration of an encapsulated data type


priority queue in binary search trees.
unit BST: class (type E ; function less(e, e :E ) : Boolean);
unit node: class (v:E);
variable /, r:node;
end node;
unit min: function («:node):is;
begin
while n. 1 ^ none do n : — n l od;
result := n.v
end min;
unit member: function (e:E, «:node): Boolean;
variable «l:node, bool: Boolean;
begin
nl : = n\ bool : = false;
while none ^ «1 a ~ b o o l do
if nl.v — e then bool : = true else
if e < n\.v then n\ := n \J else
n l n \ . r fi
fi
od;
result :== bool
end member;
unit empty: function (a :node): Boolean;
begin
if ?z = none then result := true else
result := false f i
end empty;
unit insert: function {e :E ,n : node): node;
variable nl, nl, «3:node, bool: Boolean;
begin
188 IV ALGORITHMIC PROPERTIES OF DATA STRUCTURES

nl n\ n3 :== n\ bool := false;


while ~ none = n\ a ~ bool do

n2 :— n 1;
if e = nl.v then bool : = true else
if e < nl.v then nl := n l.l else
nl : = n 1 .r fi
fi
od;
if ^ b o o l then
if none = n3 then n3 : = newN(e) else
if e < nl.v then n2A newN(e) else
n2,r := newA^(^) f i
fi
f i;
result := n3
end insert;
unit delete: function (e:E, «:node): node;
variable n\, n2, n3, n4, n5: node, bool, leftson:
Boolean;
begin
n\ := n; ri3 := n\ bool := false;
while ~none = n\ a ^ bool do
n2 : — n\ ;
if e = nl.v then bool := true else
if e < nl.v then nl n l.l else nl := nl.r f i
fi

if bool then {e found in n\ and n2 is the father


of n l}
if e < n2.v then leftson := true else
leftson := false
f i; {leftson iff nl is the leftson of n2)
if n l.l = none fsnl.r — none then {nl is a leaf}
if leftson then n2.l := none else
n2.r : — none fi
else {nl is not a leaf}
if n l.l — none then {nl has no leftson}
18. IMPLEMENTATION OF PRIORITY QUEUES 189

if n\ = n then n3 nl.r else


if left son then n l.l := w l.relse
nl.r\ — nl.r fi
fi
else
if nl.r = none then {n\ has no right son}
if n\ = n then n3 : = n l.l else
if leftson then n l.l := nl.l else
nl.r := nl.r f i
fi
else {nl has two sons}
n4 : = nl.r;
while n4.l ^ none do n5 := n4;
n4 := n4.l od;
nS.l := nA.r;
nl.v := n4.v
fi
fi
fi
f i {if bool};
result := n3
end delete
end B S T .
There exists another possibility where one can avoid making E
a formal parameter of type BST. In order to do this, we apply a con­
catenation of type declaration and virtual procedure
unit BST' : class;
unit E : class; end E;
unit less : virtual function ( e ,e :E ): Boolean; end less;
unit node : class(z; : E) ;
variable /, r : node
end node;
unit min ...
unit member ...
unit insert...
unit empty ...
unit delete ...
end B S T '.
190 IV ALGORITHMIC PROPERTIES OF DATA STRUCTURES

Units BST and BST' are two different implementations of a problem-


oriented language. Different environments are required in order to
apply BST and BST'. LOGLAN allows parametrized-type declarations
like BST. Notice that concatenation of type declarations is another
solution of generic-type declarations. BST' can be conceived of as a de­
scription of a whole family of data structures. It represents a pattern
which is to be completed by a user.
That is to say, the declaration
unit my BST : BST' class;
unit Elem : E class ... end Elem;
unit less : function (<?, e’ : Elem): Boolean ... end less;
end myBST
represents an extension of BST' by one concrete set Elem and the corre­
sponding relation less.
In order to apply such a problem-oriented language we write
pref myBST block
{declarations e.g. n, n: node, e, e': Elem}
begin
{instructions e.g. n : = delete (e, ri)}
end.

19. ARRAYS

This frequently used structure allows us to treat finite sequences of


elements of a given sort E together with the operations: access z-th
component of a sequence and update z-th component of a sequence.
The idea seems simple but there are some hidden traps, however. The li­
terature on arrays quotes the instructions and various interpretations
of their meaning (cf. van Emde Boas and Janssen, 1977).
By a data structure o f one-dimensional arrays we shall understand
any system
<£ u Ar u N, put, det, lower, upper, newar, succ, emptyc,
emptyar, 0, = , ^> ,
where E, Ar, N are sets of data structure. N is the set of natural num­
bers, E—a non-empty set of elements, AR—a non-empty set of arrays.
The operations of the data structure are as follows:
19. ARRAYS 191

put: A r x N x E -> Ar, g e t:A rx N -+ E,


lower :Ar N, upper:Ar N,
newar:Vx N -* ^4r, empty g E,
empty ar e succ: N V,
O g TV.
= is the identity relation, ^ is the ordering in the set of natural
numbers. Instead of succ(x) we shall write * + l .
Variables of sort E will be denoted by e, e', el , etc, variables of sort
Ar will be denoted by a, a etc., variables of sort N will be denoted
by i, A /, w.
Specific axioms of arrays.
(1) = emptyar => lower(tf) ^ upper(^));
(2) (( = emptyar a lower (a) ^ ^ upper(tf))
=> get(put(fl, /, e), /) = <?);
(3) a = emptyar a lower (a) ^ ^ upper (#)) =>
(lower (put (a, i, e)) = lower(a) a
a upper (put(tf, z, £>)) = upper(a)));

(4) (/ ^ a => (lower (newar(/, w) = / a


a upper(newar(/, w)) = w));

(5) (/ < zz => begin a := newar(/, u); I l ; bool := true;


while / ^ u a bool do
bool := (get (a, /) = emptyar); / i-H
od
end bool);
(6) ((~ £ = emptyar a lower (a) ^ i ^ upper(«))=>
begin a := put(a, /, e); j : = lower(a); bool := true;
while j ^ upper(tf) a bool do
if i ^ j then bool := (get (a,j) = get (a ',j));j := y+1 f i
od
end bool).
To the above axioms we add axioms of natural numbers (cf. § 7)
and axioms asserting that operations are undefined in certain circum­
stances. We shall give one example of an axiom of this type
(7) ((a = emptyar v / < lower(a)v/ > upper(tf)) =>
get(a, i) = ERROR a ),
192 IV ALGORITHMIC PROPERTIES OF DATA STRUCTURES

where ERROR denotes the never-terminating program while true


do od.
One can verify that this set of axioms is consistent since there exists
a standard model of it. In the model arrays are conceived as triples,
each triple consisting of a finite sequence of elements of sort E and a pair
of natural numbers /, u. The length of the sequence is equal to (u —/+1).
The appropriateness of the specification given above is verified
by the following theorem:

T heorem 19.1 (Representation Theorem). Every model of the theory


of arrays is isomorphic with a standard model. □

In this example we can already observe the modularity of our approach.


The theory of arrays includes the theory of natural numbers. The spec­
ifications are joined in order to define the more complicated objects
of arrays. In the following section we shall see another example of this
technique. The specification given above is sufficient to explain the
computational phenomena of arrays if the programming language
satisfies certain assumptions: 1° every array is identified by only one
name—variable of array type, 2° every array is created at declaration
time and is accessible as long as its name is accessible, 3° the only oper­
ations admissible are those of the indexed variables: read or update
a value of an indexed variable.
There is a class of programming languages which admits arrays
richer in operating possibilities, 4° an array can possess more than one
name, i.e., many variables can point to the same array, 5° it is possible
to make an assignment on an array variable and compare their values,
6° arrays are created (and deleted) dynamically during computations
of programs, there is no syntactic guarantee that the value of a variable
points to an array (cf. 2° above), 7° it is possible to read the lower and
upper bounds of an array.
For languages like LOGLAN and others, our theory of arrays is
not sufficient, and the notion of reference must therefore be introduced.
In what follows we shall use a notational convention close to that
of programming languages:
get(<z, /) will be replaced by a[i]9
a := put(tf, /, e) will be replaced by a[i] := e.
20. HASHTABLES 193

20. HASHTABLES

The reader has no doubt seen a few examples of interpretation—imple­


mentation where an implementation of a data structure retained sorts
and simply introduced new operations. Hashtables are a good example
of a different kind of situation. A concise definition would read: a hash-
table is an array of queues. Two modules of queues and of arrays are
needed in order to implement hashtables. Moreover, a sort E of ele­
ments is mentioned in the definition of hashtables below. The spec­
ification of this sort is almost void; we assume only that there exists
a function h:E -> N enumerating the elements of the sort E. It is as­
sumed additionally that the image h(E) is a finite set. In fact our definition
of hashtables will be generic for the whole family of similar data struc­
tures. They differ in sorts E and functions h.
The data structure o f hashtables consists of five sorts:

N , £ , Q, Ar, HT.

The language of our theory is the union of the languages of queues


and of arrays. Additionally, we have a functor h :E -+ N . We shall
consider queues of elements from set E and arrays of the queues.
To the axioms of queues of elements (cf. § 14) and of arrays of queues
we add axioms defining operations on dictionaries:

insert^, s) = begin i := h(e);


j [i] := in(e, s[i])
end s ;
d e le te r s ) = (.y[/i(e)] := del(<?, *y[A(e)])).s;
member(<?, s) = mb(e, .s[/*(e)]);
amember(^)—in order to find a member of s it is satisfactory
to find a non-empty queue among s[l], ..., ^[w]
and an element in it.

The proof of correctnes of the implementation given above is easy


(cf. § 14). Again we can make use of the Representation Theorem for
arrays in order to convince ourselves that the definitions above induce
a model of dictionaries.
194 IV ALGORITHMIC PROPERTIES OF DATA STRUCTURES

21. RATIONAL NUMBERS

In this section we shall present some results concerning programmab­


ility in the field of rational numbers Q (cf. A. Kreczmar, 1977).
First, we shall prove that the stopping property of Euclid’s algorithm:
E : while x ^ y do
if x > y then x := x —y else y := y —x f i
od
characterizes the field of rational numbers up to isomorphism.

Theorem 21.1. For every ordered field 2r, If 5 a model for the for­
mula
(Euc) (Vx, y)((x > Oa t > 0) => E true)
then F is isomorphic to Q.
P roof. Every ordered field contains a subalgebra isomorphic with
the field of rational numbers Q. Hence it is sufficient to prove that
every element e of the Euclidean ordered field $ is of the form kjm
where k and m are integers. Consider two arbitrary positive elements
x0, v0 of g. By the (Euc) axiom we know that the computation of Euclid’s
algorithm is finite. The sequence of consecutive values of the vari­
ables x, y is finite. Let us denote it by
(x0, y 0), (xn, y n).
All values x i9y t are positive and xn = yn. There exist positive integers
kn and m such that x0 = k • x n and y 0 = m • xn. Hence x • y~ l
= {k • 1) -(m • l)-1, i.e. every element of the field g can be represented
as a rational number.

Theorem 21.2. For every ordered field if 5 Is Euclidean then #


is Archimedean {cf § 1 o f this chapter).

P roof. Suppose that $ is not Archimedean. There then exist two


elements x0, t 0 such that for every natural number n9 {n-x0) < To-
This implies that for these x 0 and y 0 Euclid’s algorithm does not ter­
minate since for every n9
y 0 —n *x0 > Xq. □
22. COMPLEX NUMBERS 195

21.3. A total function f: Q


T heorem £ i is programmable in & iff
there exist three total recursive functions g, A, j such that
f ( ( n - k ) / m ) = (g(n)-h(k))/j(m )
for all natural numbers n, Jc, m. □

22. COMPLEX NUMBERS

We shall prove that the algorithmic theory of complex numbers is


hyperarithmetical (cf. Grabowski, 1978). On the other hand the set of
Engeler’s algorithmic properties, i.e. Boolean combinations of for­
mulas Koc (where a is an open formula and K is a program), is axio-
matizable and /Incom plete.
We shall study the properties of the field of complex numbers
d = <C, + , - , *, /, 0, 1, =>.
Observe that the class JT of algebraically closed fields of characteristic
zero with an infinite degree of transcendency is axiomatizable by algorith­
mic formulas. Indeed, in Section 1 we have seen the axiom % of fields
of characteristic zero
(x) (z : = 1) (while z ^ 0 do z : = z+ 1 od true).
Let A' denote the set of axioms of algebraically closed fields of char­
acteristic zero. Let {P fx , y 1, ..., y n)} denote a sequence of all zz-th
degree polynomials with rational coefficients and indeterminates x,
yi , yn There exists a program K which for given data (x, y 1
. . . , • y n /) , . . . , ,

computes the value of the z-th polynomial in the sequence {/l (x , y t , ...
...,}>„)} and assigns it to the variable z. Consider the following algo­
rithmic formula <pn( x ,y l9 ..., j n):
begin
z := 1; / := 0;
while z ^ 0 do i := i + 1 ; K{i9z) od
end true.
It defines the property: “x is algebraic with respect to y l 9 ...,y n”.
To the set A' we add formulas
(VVi, ..., yn) (3x) ~ <p„(x, , ..., y„) for every natural n
The resulting set will be denoted by A . It is easily seen that the class X
is characterized by the set A of axioms and that A is a recursive set.
196 IV ALGORITHMIC PROPERTIES OF DATA STRUCTURES

T heorem 22.1. (Vaught, 1973). Let 5 i , 2r2 be two fields o f the class j f .
The algorithmic theories o f $ i and $2 are equal, i.e. fields 5 i and $ 2
are algorithmically equivalent.
P roof. Suppose the contrary; then there is a sentence a such that
0Ti 1= a and $2 |=: - a .
Consequently A u {a} and ,4 u {~a} are consistent sets. By the Down­
ward Skolem-Lowenheim Theorem (Theorem 3.3, Chapter III) there
exist enumerable fields 5 i and which are models for Au{oc} and
Av a} respectively. 5? and $ e2 are fields of characteristic zero, alge­
braically closed and with an infinite degree of transcendency. By Steinitz’s
Theorem (Vaught, 1973) they are isomorphic. This is a contradiction. □

From Theorem 22.1 above we see that the set of theorems of the algo­
rithmic theory of the field of complex numbers, i.e., theory Th(£) forms
an analytical set. In fact, by the Completeness Theorem Aj=a iff A b- a.
Hence, A (— a iff for every enumerable set D such that A u A x cr D
(here A x denotes the set of logical axioms of AL) and D is closed under
the inference rules, the formula a is in D.
The theory Th((£) of complex numbers is not arithmetical since
for every arithmetical property p it is possible to construct an appro­
priate formula in the language of the field C which defines p. Natural
numbers are definable in (£, hence we can relativize each occurrence
of an individual bounded variable to natural numbers. This transform­
ation in effective, hence we have proved that the set of first order sentences
valid in the standard model of arithmetics is recursively reducible
to Th(£).
To estimate the location of Th(£) in the analytical hierarchy we first
observe that it is either hyperarithmetical or TI\ .

L emma 22.2. The field o f complex recursive numbers belongs to the


class J f .
P roof. The complex numbers whose real and imaginary parts have
effective decimal representation form the algebraically closed field
of characteristic zero (cf. Rice, 1954; Mazur, 1963).
It remains to be proved that its degree of transcendency is not finite.
Let us suppose the contrary, i.e. that there exists a finite set of recur­
sive complex numbers at , ..., an such that for every recursive number x
22. COMPLEX NUMBERS 197

there exists a polynomial f e Q[x9x l9 ..., x„] such th at/(x , ax, a2, ..., an)
= 0. By a diagonalization argument we shall prove that there exist
recursive numbers x such that for every polynomial/ , /(x , al9 ..., an) + 0.
We begin with an effective enumeration of all polynomials from
Q[x, Xj, ..., x n], A polynom ial/(x, al9 ..., an) can be treated as a poly­
nomial of single variable x with coefficients determined by al9 ...,a n.
These coefficients are effectively enumerable. Each coefficient is a recursive
number and a limit of a recursive sequence which is recursively con­
vergent. By Rice’s theorem at least one complex number which is the
root of a polynomial with recursive coefficients is the recursive limit
of an effectively given recursive sequence. In order to obtain other roots
of the polynomial in a uniform way we uniformly and effectively gener­
ate the coefficients of the quotient polynomial. Now we can effectively
enumerate all these numbers which are roots of polynomials from the
sequence defined above. Let us denote this sequence of recursive complex
numbers by cl9 c2, ... There is a uniform algorithm of the generation
of the subsequent approximation of the z-th number so defined. The
construction of the necessary recursive real number x is easy. Ensure
that the z-th decimal digit of the real part of ct differs from the z-th
decimal digit of x. We compute ct with accuracy 10_I+1. If the two
last digits of the real part of this approximation are not 00 or 99, then
we define the z-th decimal digit of x simply to be different from the
z-th digit of ct . If these two digits are 9 or 0 then we put the z-th decimal
digit of x equal to 5. □

Lemma 22.3. The field o f recursive complex numbers is definable in the


algorithmic theory o f natural numbers. □

T heorem 22.4. The algorithmic theory o f the field o f complex numbers


is hyperarithmetical.
Proof. Let 5 be a field isomorphic to the field of complex recursive
numbers definable in the system of natural numbers 91. By Lemma 22.2,
5 belongs to the class J f and, by Theorem 22.3, Th(£) = Th(5). For
every formula a in the language of arithmetic of complex numbers we
can effectively construct a first-order formula a' such that
£ (= a iff 91 (= a'. □

Consider now some simpler algorithmic formulas.


198 IV ALGORITHMIC PROPERTIES OF DATA STRUCTURES

Theorem 22.5. An enumerable set of open (i.e. quantifier-free and program-free) formulas is satisfiable in ℭ iff its every finite subset is satisfiable in ℭ. □

The proof makes use of two facts and the following definition:
A field 𝔉 satisfies the finite covering condition iff for every algebraic variety A and every enumerable set {B_i}_{i∈ω} of algebraic varieties over 𝔉, if A ⊆ ⋃_{i∈ω} B_i, then there exists a finite subset I ⊆ ω such that A ⊆ ⋃_{i∈I} B_i. (By an algebraic variety we mean the set of zeros of a finite set of polynomials.)

Theorem 22.6. Let {A_i}, {B_i} be two enumerable sets of algebraic varieties over a field 𝔉 which satisfies the finite covering condition. If
⋃_{i∈ω} (B_i − A_i) = 𝔉^n
then there exists a finite subset I ⊆ ω such that
⋃_{i∈I} (B_i − A_i) = 𝔉^n.
The proof of this theorem can be found in Kreczmar (1977). □

Theorem 22.7 (T. Mostowski). The fields of complex numbers and real numbers satisfy the finite covering condition.

The proof is to be found in Kreczmar (1977). □

Theorem 22.5 is an easy corollary of Theorems 22.6 and 22.7.


Another interesting corollary of the results quoted above is the
following theorem:

Theorem 22.8 (Kfoury, 1972). There is an effective method of transforming every total program K in ℭ (i.e. such that ℭ ⊨ K true) into a loop-free program M equivalent to K.
The proof follows from Theorem 22.5 and the observation that the halting formula of the program K is equivalent to an infinite disjunction of open formulas. □

Theorem 22.8 asserts the algorithmic triviality of the field of complex numbers.

Definition 22.1. Any Boolean combination of formulas of the form Kγ, where γ is an open formula and K is a program, will be called an algorithmic property. □

Theorem 22.9 (Kreczmar, 1977). The set of algorithmic properties valid in the field ℭ is a Π⁰₂-complete set. □

The following theorem gives an axiomatization of the algorithmic properties valid in the field ℭ. Recall that χ denotes the axioms of fields of characteristic zero.

Theorem 22.10. For every algorithmic property β,
ℭ ⊨ β iff χ ⊢ β.
Proof. It is obvious that ℭ is of characteristic zero. Now suppose that β is not valid in some field F of characteristic zero. Without loss of generality we can consider β to be of the form
(∨_{i∈ω} α_i(x_1, ..., x_n) ⇒ ∨_{j∈ω} β_j(x_1, ..., x_n)).
If β is not valid in F then
F ⊨ (∃x_1, ..., x_n) ∨_{i∈ω} α_i(x_1, ..., x_n) ∧ ⋀_{j∈ω} ~β_j(x_1, ..., x_n).
The same formula is valid in the algebraic closure F' of F since it is in existential form. Thus there exists k ∈ ω such that the set {α_k, ~β_j : j ∈ ω} is satisfiable in F'. Hence its every finite subset is satisfiable in F', and therefore it is also satisfiable in ℭ. If every finite subset of some enumerable set of open formulas is satisfiable in ℭ then, by Theorem 22.5, the set {α_k, ~β_j : j ∈ ω} is satisfiable in ℭ. This proves that β is not valid in ℭ. □

There are numerous applications of this fact (cf. Kreczmar, 1977).

We shall end this section with an example showing that certain functions are not programmable in ℭ.
Consider the predicate r(z)—the number z is real. If it were strongly programmable over ℭ then there would exist a program K(z, x) such that the formula K(x = 0) would define the subset of real numbers in the set of complex numbers. By Theorem 22.8 we can assume K to be a loop-free program. Hence the formula K(x = 0) would be equivalent to an open formula α(z) of one variable. But this means that the set defined by α is finite or cofinite. The straight line of reals is neither finite nor cofinite in the field ℭ. Hence the relation r(z) is not programmable in ℭ.

23. REAL NUMBERS

In this section we shall study a few theories of real numbers. The languages used may be classified as follows:
ℒ_E—we admit only Boolean combinations of formulas Kα, no classical quantifiers;
ℒ_A—iteration quantifiers admitted, no classical quantifiers;
ℒ_F—no restrictions.
Let ℜ = (R, +, −, ·, /, 0, 1, =) be the field of real numbers. By ℜ_O we shall denote the ordered field of reals. Observe that in ℒ_F there exists a formula defining the ordering relation
x < y ≡ (∃z)(x + z² = y).
For ℒ_E and ℒ_A the cases of ℜ and ℜ_O should be discussed separately. In a manner similar to that of the preceding section we can prove the following:

Theorem 23.1 (Kreczmar, 1977). An enumerable set of open formulas is satisfiable in ℜ iff its every finite subset is satisfiable in ℜ. □

Theorem 23.2 (Kreczmar, 1977). The set of algorithmic properties valid in the field ℜ is a Π⁰₂-complete set. □

Definition 23.1. A field 𝔉 is called formally real iff for every natural number n
x_1² + ... + x_n² ≠ −1. □

It is easy to observe that formally real fields are of characteristic zero.

Let us denote by Θ the axioms of formally real fields, i.e. the axioms of fields and the scheme of axioms
(∀x_1, ..., x_n)(x_1² + ... + x_n² ≠ −1), n ≥ 1.

Theorem 23.3 (Kreczmar, 1977). For every algorithmic property β,
ℜ ⊨ β iff Θ ⊢ β.

The proof is similar to that of Theorem 22.10 and is omitted. □

The above theorems do not hold in the ordered field of reals ℜ_O. Making use of the fact that every Archimedean ordered field is embeddable in ℜ_O, together with the observation that the Archimedean axiom is a universally quantified formula, we obtain the next theorem.

Theorem 23.4 (Engeler, 1967). For every Boolean combination β of formulas Kα
ℜ_O ⊨ β iff Ω ⊢ β,
where Ω denotes the axioms of Archimedean ordered fields. □

In contrast with the field ℭ of complex numbers, we have the following result.

Theorem 23.5 (Grabowski and Kreczmar, 1978). The set of Boolean combinations of formulas Kα valid in ℜ_O is a Π¹₁-complete set.
Proof. By Kleene's normal form theorem (cf. Rogers, 1967) it is sufficient to prove that every set A definable by a formula
(∀f)(∃w) r(f̄(w), x),
where r is a recursive relation and f is a function, is definable in ℒ_E(ℜ_O)—the theory of Boolean combinations of formulas Kα valid in ℜ_O. We shall use the well-known fact that every real number x can be represented in a unique way as a continued fraction
x = a_0 + 1/(a_1 + 1/(a_2 + ...)),
where a_0 is an integer and the a_i are natural numbers. Every continued fraction obviously represents a real number.
We shall construct a program K(x, j, a) such that for any real x and any natural number j the value of the output variable a is equal to a_j—the j-th denominator in the expansion of x into a continued fraction. The integral part of a real number x, i.e. entier(x), is a programmable function in ℜ_O. Hence, our program K takes the following form:

begin
z := x; i := 0;
while i ≠ j do
a := entier(z);
if z ≠ a then z := 1/(z − a) else z := 0 fi;
i := i + 1
od
end.
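The following Python function is an added example written for this edition, not the authors' program. It follows the same recurrence as the program K above (a := entier(z); z := 1/(z − a), with z := 0 once z is an integer, after which the remaining quotients are 0) but returns the whole initial segment a_0, ..., a_n of the expansion instead of a single a_j, and it uses exact rational arithmetic so that the quotients of a rational input are exact. cf_value folds a finite expansion back into a number as a check. The names continued_fraction and cf_value and the sample input 415/93 are constructed here.

```python
from fractions import Fraction
from math import floor

def continued_fraction(x, n):
    """Partial quotients a_0, ..., a_n of x, following the recurrence of program K:
    a := entier(z); if z <> a then z := 1/(z - a) else z := 0.  Once z is 0 the
    remaining quotients are 0, exactly as in K.  Fraction keeps the arithmetic exact."""
    z = Fraction(x)
    quotients = []
    for _ in range(n + 1):
        a = floor(z)                      # entier(z)
        quotients.append(a)
        z = 1 / (z - a) if z != a else Fraction(0)
    return quotients

def cf_value(quotients):
    """Number a_0 + 1/(a_1 + 1/(a_2 + ...)) denoted by a finite list of quotients.
    a_1, a_2, ... must be positive: pass the genuine expansion, not the zero padding."""
    tail = Fraction(0)
    for a in reversed(quotients[1:]):
        tail = 1 / (a + tail)
    return quotients[0] + tail

if __name__ == '__main__':
    x = Fraction(415, 93)                 # constructed sample input: 415/93 = [4; 2, 6, 7]
    print(continued_fraction(x, 5))       # [4, 2, 6, 7, 0, 0]
    print(cf_value([4, 2, 6, 7]) == x)    # True
```

For an irrational x the loop never reaches z = a, so the expansion is infinite, which is what the proof uses: the quotients a_1, a_2, ... encode an arbitrary function f and K(x, j, a) reads off its j-th value.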
Now, observe that every recursive relation is programmable in ℜ_O. Let us assume that a program T(z, y, x) and an open formula α are so defined that Tα computes the Kleene predicate T_1(z, y, x) (cf. Rogers, 1967). The formula
(∀x) begin w := 0; p := true; while p do w := w + 1; K(x, w, a); T(n, a, n); p := α od end true,
where p is a propositional variable and n denotes the constant (1 + ... + 1), n-times, then defines in ℜ_O a Π¹₁-complete set (Rogers, 1967). □

Theorem 23.6 (Grabowski and Kreczmar, 1978). Every analytical set is definable in ℒ_F(ℜ_O). □

Corollary (Grabowski and Kreczmar, 1978). The algorithmic theory of the field of real numbers is not an analytical set.
The algorithmic theory of the ordered field of real numbers is not an analytical set. □

24. CONCLUDING REMARKS

The map of data structures shown in Figure 24.1 summarizes the dis­
cussion of this chapter. Implementability relations are represented
by arrows.
Obviously, many interesting and important structures have been left
out of the map. Moreover, the map can be enriched by the information
about the costs of implementation treated as quasi distances associated
with arrows.
Observe that the formulas
(if α then K fi)^i α, ((if α then K fi)^i ~α)
express the properties: computations of the program while α do K od include at least (at most) i iterations of the program K, respectively.

[Figure 24.1: map of data structures with implementability arrows; only the label "Dictionaries" survives in the scan.]
This shows that AL can be used in considerations concerning com­
putational complexity. Moreover, the complexity of algorithms (and
of interpretations) can be derived from specific axioms of data structures.
It is not difficult to see that algorithms interpreting priority queues,
say, in stacks, have a cost proportional to the depth of the stack in
question.
The theory of interpretations mentioned here is the counterpart
of the theories considered in classical logic by Szczerba (1977).
An extension of first order logic which admits the quantifiers “there
exists a finite set such that ...”, “for all finite sets...” is called a weak
second-order logic. It can be proved that for every algorithmic formula
there exists an equivalent weak second-order formula.
By the representation theorems for theories of stacks, dictionaries
etc., one arrives at the following observation: in a model of the theory
of stacks (dictionaries...) every weak second-order formula is equiv­
alent to an algorithmic formula (cf. Grabowski, 1981). This means that
models of stacks (dictionaries...) are expressive. They are also arithme­
tic in the sense that every partial recursive function is programmable
in the model.
A data structure is called constructive iff there exists an enumeration a of its elements such that:
(i) every programmable relation is recursively enumerable with respect to a, and
(ii) every recursively enumerable relation is programmable.
Among many other data structures that can be axiomatized let
us mention the constructive systems of Malcev, Markov, and Turing
(cf. Malcev, 1965). Programs of some special form correspond to the
normal algorithms of Markov, Turing machines, etc. In this way we
can uniformly approach the Church thesis (cf. Malcev, 1965). By exhaus­
tion of known definitions of the notion of an algorithm we verify that
in every constructive system notions of programmability and of effective
computability coincide.

BIBLIOGRAPHIC REMARKS

There are many approaches to the problems of data structures. Three


of the most basic are domain identification (cf. Scott, 1976), algebraic
specification (cf. Goguen, 1977, Guttag, 1977) and construction of do­
mains (cf. Constable, 1982). The approach presented here goes back
to the early papers of Engeler (1967).
It has been pointed out in a paper by Hoare (cf. Hoare, 1972) that
the job of programming should be subdivided into two stages:
(i) specification and subsequent implementation of data structure,
(ii) design and verification of the abstract program in the data
structure.
Among programming languages, SIMULA-67 was the first successful realization of this principle, because it allows concatenation of type declarations, but this was recognized only a few years later. LOGLAN brings a full solution to the problems connected with the concatenation of type declarations; it removes all the limitations imposed on concatenation of types which occur in SIMULA.
Logic-based theories of data structures have been studied either
from theoretical point of view (cf. for example Engeler, 1973; Kfoury,
1972; Kreczmar, 1977; Grabowski, 1978; Urzyczyn, 1981, 1982), with
the aim of describing structures occurring in program languages
(Salwicki, 1980, 1981, 1982; Mirkowska, 1981) or from the point of
view of implementation (cf. Oktaba, 1981; Bartol, 1981).
Obviously other structures appear in programming practice which are either of a geometrical nature (as in computer graphics), or are used for data processing in management (e.g. banking or real-time applications). In every case one can conceive of an algorithmic theory of the data structure in question. Its axiomatization serves various purposes: identification of the domain, verification of correctness statements about programs, testing of the appropriateness of an implementation and, most important, a proper insight into data structure problems.
The objection can be made that the theories presented here are
static or abstract since they do not reflect important phenomena related
to problems of identification of objects. This aspect of data structures
has been successfully studied by Oktaba (1981). The algorithmic
theory of references which enables dynamization of objects will be
presented in Chapter VII.
CHAPTER V

PROPOSITIONAL ALGORITHMIC LOGIC

The aim of propositional algorithmic logic PAL is to investigate the properties of program connectives:
begin... end,
if... then... else... fi,
while... do... od,
either...or...ro (the connective of non-deterministic choice).
In this it resembles the program of classical propositional calculus,
where we study the properties of the propositional connectives and, or
(disjunction), and not. Classical propositional logic provides us with
useful inference rules for proofs and this is also true of PAL, which
provides us with the inference rules necessary for proving the proper­
ties of program schemes. We are also interested in tautologies, i.e. ex­
pressions which are true by virtue of their syntactic composition, in­
dependently of the various interpretations which may be associated
with the signs occurring in them.
We intend here to study PAL, in which:
(1) schemes of programs are constructed from program variables
and propositional formulas by means of program connectives,
(2) formulas are either propositional variables or are composed
of simpler formulas by means of logical connectives or are composed
of program schemes and shorter formulas by means of the modalities possible, ◊, and necessary, □.
The semantics of PAL is based on the notion of a semantic struc­
ture—directed graph of states in which edges are labelled by program
variables; a valuation of propositional variables is associated with every
state of a semantic structure. This enables us to introduce the next
important notion, that of computation. A program M, a semantic structure 𝔐 and a state s determine a tree of acceptable computations of M in 𝔐 starting from the initial state s. Among the various properties
of the tree we shall mention: strong termination (all branches of the
tree are finite), looping (the existence of an infinite computation);
correctness of M with respect to an input condition α and output condition β, etc.
The meaning of the formulas of a PAL language depends on the meaning of their components in the usual way. Here we shall mention the modal expressions ◊Mα, □Mα:
◊Mα—after some finite computation of the program M its resulting state satisfies the formula α,
□Mα—all computations of the program M are finite and all final states satisfy the formula α.
It is clear that with the help of these modal phrases we are able to construct formulas expressing the important properties of programs like termination, looping, correctness, and partial correctness. For example, the last property, program M being partially correct with respect to a postcondition α, can be expressed by ~◊M~α.
In PAL we study the properties of semantics: we are looking for
axioms and inference rules. These are discovered by studying the prop­
erties of the semantic consequence operation. Here we encounter
several difficulties. First, we observe that the logic does not have the
compactness property. This has already been observed in the case
of the first-order deterministic AL. Thus in order to assure completeness we are forced to introduce the infinitary rule of inference
{(□(if γ then M fi)^i (~γ ∧ α) ⇒ β)}_{i∈N}
(□while γ do M od α ⇒ β)
where γ, α, β are formulas and M is a program scheme. This rule is sound if the following equivalence holds:
(*) □while γ do M od α = l.u.b._{i∈N} □(if γ then M fi)^i (~γ ∧ α).

However, we shall see that (*) is not always valid: it holds in certain cases and not in others. This is the source of our greatest difficulties. The following question remains unanswered: what are the necessary and sufficient conditions for the equivalence (*)?
We introduce an assumption of a finite degree of non-determinism
of the interpretation of program variables. Under this assumption,
(*) holds and we can prove the soundness of the infinitary rule of in­
ference. However, this property of a finite degree of non-determinism
is not expressible in PAL, although for every n we can express that the
degree of non-determinism is at most n.
In view of the lack of a general axiom we consider the family of systems PAL_n, where n denotes the degree of non-determinism of semantic structures. Thus we consider separately the case of deterministic
interpretations of program variables and the case of bounded non-
deterministic interpretations of program variables. For all these systems
we shall prove the Completeness Theorem. The case of deterministic
interpretations of program variables is treated in a way similar to the
proofs in earlier considerations on AL. The other cases are much more
difficult. We propose a method of proof of the Completeness Theorem
which is a combination of the algebraic method of Rasiowa and Si-
korski (cf. Rasiowa and Sikorski, 1968) for classical logic with the
Kripke method for modal logic (cf. Kripke, 1963).
Propositional algorithmic logic is surprisingly powerful. One would
naturally expect that program scheme properties such as termination,
looping, partial correctness, correctness, etc., might be expressed by
PAL formulas. It turns out, that in addition, we can define data struc­
tures by means of axioms written in the language of PAL. It is possible
to study propositional theories of stacks, natural numbers, etc. These
theories are categorical in the sense that all normalized models of a theory are isomorphic. Another propositional theory of natural numbers
can be constructed which not only describes the sequence of natural
numbers but also allows us to program every recursive function. The prop­
ositional approach is also recommended for providing a theory of
control for a given concurrent program.
Propositional logic of programs is closely related to modal logics.
The properties of relations like transitivity, reflexivity and associativity
can be expressed by formulas of PAL. One can construct algorithmic
theories which are the counterparts of systems studied in modal logic.

1. SYNTAX AND SEMANTICS

We shall consider a formalized language L_0, an extension of a propositional language in which there are propositional variables and program variables, and apart from the usual propositional connectives there are program connectives.
Let V_0 denote an at most enumerable set of propositional variables and V_p an at most enumerable set of program variables. Let F_0 be the set of all classical propositional formulas composed in the usual way by means of the propositional connectives: disjunction ∨, conjunction ∧, negation ~ and implication ⇒, and the two logical constants, true and false.
The set of all well-formed expressions in the language L 0 will be
augmented by schemes of programs, hence let us first define what a pro­
gram scheme is.
By the scheme of a program we understand any element of the set of expressions Π which is the least set containing the program variables V_p and a program constant Id, and is closed under the following rules:
—If M, N are schemes of programs then the expressions of the forms begin M; N end, either M or N ro are schemes of programs,
—If γ is a classical formula, γ ∈ F_0, and M, N are schemes of programs, then the following expressions are schemes of programs: while γ do M od, if γ then M else N fi.
Now, we can define the set of all formulas F as the least set containing F_0 and such that:
—if α is a formula and M is a scheme of a program, then □Mα, ◊Mα are formulas,
—if α, β are formulas, then ~α, (α ∨ β), (α ∧ β), (α ⇒ β) are formulas.
The semantics of the language L 0 is based on the notions of inter­
pretation and valuation. A valuation is a function which assigns an
element of the two-element Boolean algebra B0 to every propositional
variable. An interpretation assigns to every program variable a binary
relation in a non-empty set S. The elements of S will be called states.
Every state will be understood to be an abstraction of a concrete situation on which the behaviour of the program and the value of any formula depends. Every state carries information about the valuation of propositional variables. Depending on the choice of the set of states
and the kind of relation which is assigned to program variables,
we can obtain various semantics for a given algorithmic language.

Definition 1.1. By a semantic structure we shall mean a system
⟨S, 𝒥, w⟩
where S is a non-empty set of states—the universe of the structure, 𝒥 is an interpretation of the program variables
𝒥: V_p → 2^{S×S} and 𝒥(Id) = {(s, s): s ∈ S},
and w is a function which assigns to every state a valuation of propositional variables
w: S → B_0^{V_0}.
For a given structure 𝔐 = ⟨S, 𝒥, w⟩ and a given state s ∈ S the Boolean value of the formula α is denoted by α_𝔐(s) and is defined for classical connectives as follows:
false_𝔐(s) = 0, true_𝔐(s) = 1,
p_𝔐(s) = w(s)(p), p ∈ V_0,
(α ∨ β)_𝔐(s) = α_𝔐(s) ∪ β_𝔐(s),
(α ⇒ β)_𝔐(s) = α_𝔐(s) → β_𝔐(s),
(α ∧ β)_𝔐(s) = α_𝔐(s) ∩ β_𝔐(s), (~α)_𝔐(s) = −α_𝔐(s).

In this way any formula determines a one-argument relation in S.


The meaning of the formulas □Mα and ◊Mα will be defined after some preliminary definitions.
Let us denote by K_𝔐 the relation which is assigned to a program variable K by the interpretation 𝒥 in the semantic structure 𝔐 = ⟨S, 𝒥, w⟩. For a given state s, K_𝔐(s) is the set of all states s' such that (s, s') ∈ K_𝔐.
By a configuration (cf. Chapter II, §2) we shall understand an ordered pair ⟨s; M_1, ..., M_n⟩, where s is a state in the structure 𝔐 and M_1, ..., M_n is a sequence of schemes of programs (which may be empty).
For a given interpretation 𝒥 of the program variables let ↦ denote the binary relation of successorship in the set of all configurations such that:
⟨s; M_1, ..., M_n⟩ ↦ ⟨s'; M_2, ..., M_n⟩ where M_1 is an atomic program, i.e. M_1 ∈ V_p, and (s, s') ∈ 𝒥(M_1),
⟨s; either M_1 or M_2 ro, M_3, ..., M_n⟩ ↦ ⟨s; M_1, M_3, ..., M_n⟩,
⟨s; either M_1 or M_2 ro, M_3, ..., M_n⟩ ↦ ⟨s; M_2, M_3, ..., M_n⟩,
⟨s; if γ then M_1 else M_2 fi, M_3, ..., M_n⟩ ↦ ⟨s; M_1, M_3, ..., M_n⟩ if γ_𝔐(s) = 1,
⟨s; if γ then M_1 else M_2 fi, M_3, ..., M_n⟩ ↦ ⟨s; M_2, M_3, ..., M_n⟩ if γ_𝔐(s) = 0,
⟨s; begin M_1; M_2 end, M_3, ..., M_n⟩ ↦ ⟨s; M_1, M_2, M_3, ..., M_n⟩,
⟨s; while γ do M_1 od, M_2, ..., M_n⟩ ↦ ⟨s; M_1, while γ do M_1 od, M_2, ..., M_n⟩ if γ_𝔐(s) = 1,
⟨s; while γ do M_1 od, M_2, ..., M_n⟩ ↦ ⟨s; M_2, ..., M_n⟩ otherwise.
Let N_0 be an initial segment of the set of natural numbers. A sequence {c_i}_{i∈N_0} of configurations will be called a computation of the program scheme M in the structure 𝔐 at the initial state s iff c_1 = ⟨s; M⟩, for all i, c_i ↦ c_{i+1}, and the sequence {c_i}_{i∈N_0} is maximal in the sense of the relation ↦.
If the computation is a finite sequence c_1, ..., c_n and the last configuration c_n is of the form ⟨s'; ⟩, i.e. the second part of the configuration c_n is the empty sequence, then the computation will be called successful. The state s' in a successful computation will be called the result of the computation of the program M in the structure 𝔐.
The set of all results of the program M in the structure 𝔐 at the initial state s will be denoted by M_𝔐(s).
Hence, for a given structure 𝔐, to every program scheme M we can assign a binary relation M_𝔐 such that
s M_𝔐 s' iff s' ∈ M_𝔐(s).

Example. Consider the program scheme M of the form
while ~(a_0 ∨ a_1 ∨ a_2 ∨ a_3 ∨ a_4) do K od.
Let 𝔐 = ⟨S, 𝒥, w⟩ be a semantic structure such that
S = {0, 1, 2, ...}, 𝒥(K) = {(i + 5, i): i = 0, 1, ...},
w(i) = v_i, where v_i(a_j) = 1 iff j = i.
The program scheme M describes in 𝔐 a binary relation such that
(i, j) ∈ M_𝔐 iff i (mod 5) = j. □

Now we are ready to define the value of the formulas □Mα and ◊Mα in a given structure 𝔐 at a given initial state s.
(◊Mα)_𝔐(s) = 1 iff there exists a successful computation of the program M at the initial state s in 𝔐 such that its resulting state satisfies α.
(□Mα)_𝔐(s) = 1 iff all computations of the program M at the state s in the structure 𝔐 are successful and all the results satisfy the formula α.
We shall say that the formula α is valid in the semantic structure 𝔐 = ⟨S, 𝒥, w⟩ (or 𝔐 is a model of α) iff α is satisfied by every state s ∈ S, i.e. α_𝔐(s) = 1 for all s. In symbols, 𝔐 ⊨ α.
If α is valid in every semantic structure 𝔐, then α is called a tautology, in symbols ⊨ α.
In what follows we shall write 𝔐, s ⊨ α to denote that α_𝔐(s) = 1.
Example. For every program scheme M and for every formula α the following formulas are tautologies:
QMoc), ( □
( □ M ol => oc=>~
(□Mα ≡ (□Mtrue ∧ ~◊M~α)),
(<>A/a = (<>Mtrue a ^ a)),
(~□Mα ∨ ~◊M~α). □

2. SEMANTIC PROPERTIES OF PROGRAM SCHEMES

In this section we shall discuss the basic properties of program schemes. The while-scheme will be our main interest.
Note that there is a strict correspondence between the set of all computations of the program while γ do M od and the set of all computations of the programs (if γ then M fi)^i, where i is a natural number.
Consider an arbitrary successful computation 𝒞 of the program scheme while γ do M od. Let j_1, ..., j_n be the numbers of those configurations in which the list of programs begins with while γ do M od. We shall construct another sequence of configurations such that:
—every configuration j_k of the form
⟨s'; while γ do M od, M_2, ...⟩
will be replaced by the two configurations
⟨s'; (if γ then M fi)^{n−k+1}, M_2, ...⟩,
⟨s'; if γ then M fi, (if γ then M fi)^{n−k}, M_2, ...⟩, k = 1, ..., n,
—in all configurations between j_k and j_{k+1} we put (if γ then M fi)^{n−k} instead of while γ do M od. The resulting sequence of configurations 𝒞' is a successful computation of the program (if γ then M fi)^n.
Conversely, if we have a successful computation of the program
Conversely, if we have a successful computation of the program
(if γ then M fi)^n whose result satisfies the formula ~γ, then we can similarly construct a computation of the program while γ do M od.
The following facts are immediate consequences of the above observations.
Fact 1. If there exists a successful computation of the program while γ do M od, then there exists an i such that the program (if γ then M fi)^i has a successful computation with the same result.
Fact 2. If there exists a successful computation of the program (if γ then M fi)^i for a certain i such that its result satisfies the formula ~γ, then there is a successful computation of the program while γ do M od with the same result.
Fact 3. If the program (if γ then M fi)^i has an unsuccessful computation (or an infinite computation), then for every j > i the programs (if γ then M fi)^j and while γ do M od have an unsuccessful (or infinite) computation.
For a given program scheme and a given semantic structure 𝔐 the set of all results of the program can be characterized as follows:

Lemma 2.1. For every formula γ, programs M, N and every state s ∈ S in the structure 𝔐 the following hold:
(if γ then M else N fi)_𝔐(s) = M_𝔐(s) if 𝔐, s ⊨ γ, and N_𝔐(s) if 𝔐, s ⊨ ~γ,
(either M or N ro)_𝔐(s) = M_𝔐(s) ∪ N_𝔐(s),
(begin M; N end)_𝔐(s) = ⋃_{s'∈M_𝔐(s)} N_𝔐(s'),
(while γ do M od)_𝔐(s) = ⋃_{i∈N} {s' ∈ (if γ then M fi)^i_𝔐(s): 𝔐, s' ⊨ ~γ}. □

In connection with the last equality in the above lemma let us con­
sider the following example.

Example 2.1. Let
M: if p then K' else K fi,
M_1: while q do M od,
where q, p are propositional variables and K', K are program variables. Consider the semantic structure
𝔐 = ⟨S, 𝒥, w⟩
such that
S = {(i, j): i, j = 0, 1, 2, ...},
𝒥(K') = {((0, 0), (i, i)): i = 1, 2, 3, ...},
𝒥(K) = {((i, j + 1), (i, j)): i, j = 0, 1, 2, ...},
w(i, j)(q) = 0 iff j = 1,
w(i, j)(p) = 1 iff i = 0.
The tree of all possible computations of the program M_1 in the semantic structure 𝔐 at the initial state (0, 0) is described below (Figure 2.1).
Fig. 2.1 [tree of computations of M_1 from (0, 0); the branch through (3, 3) visible in the scan passes through the configurations ⟨(0, 0); M_1⟩, ⟨(0, 0); M, M_1⟩, ⟨(0, 0); K', M_1⟩, ⟨(3, 3); K, M_1⟩, ⟨(3, 2); M_1⟩, ⟨(3, 2); M, M_1⟩, ⟨(3, 2); K, M_1⟩, ⟨(3, 1); M_1⟩, ⟨(3, 1); ⟩]

It is easy to see that each computation of the program M_1 is finite but there is no common upper bound on the length of the computations. However, we shall see that if we consider only those interpretations for which K_𝔐(s) is a finite set for all states s, then there exists an i_0 such that
(while q do M od)_𝔐(s) = (if q then M fi)^{i_0}_𝔐(s). □
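The relation ↦ of Section 1, the sets M_𝔐(s), the two modalities, the Example of Section 1 and Example 2.1 above can all be exercised with the following small interpreter in Python. It is an added example written for this edition, not code from the book: program schemes are encoded as nested tuples, a structure as a pair of a successor function and a valuation function (the valuation being the set of propositional variables true at a state), and the infinite interpretation of K' in Example 2.1 is cut off at i ≤ n, an assumption of this example, so that the finitely many computations can be enumerated. The encoding and all names are chosen here.

```python
from collections import deque

# Program schemes as nested tuples (an encoding chosen for this example):
#   ('var', K)        program variable K        ('id',)            the constant Id
#   ('seq', M, N)     begin M; N end            ('either', M, N)   either M or N ro
#   ('if', g, M, N)   if g then M else N fi     ('while', g, M)    while g do M od
# A classical formula g is a predicate on w(s), the set of propositional variables
# true at state s.  A structure is (succ, w) with succ(K, s) = K_M(s), a finite set.

def step(struct, conf):
    """Successor configurations of <s; M1, ..., Mn> under the relation |-> of Section 1."""
    succ, w = struct
    s, progs = conf
    if not progs:                  # <s; > is terminal: the computation is successful
        return []
    M, rest = progs[0], progs[1:]
    kind = M[0]
    if kind == 'id':
        return [(s, rest)]
    if kind == 'var':              # no K-successor: the computation is unsuccessful
        return [(s2, rest) for s2 in succ(M[1], s)]
    if kind == 'seq':
        return [(s, (M[1], M[2]) + rest)]
    if kind == 'either':           # non-deterministic choice: two successors
        return [(s, (M[1],) + rest), (s, (M[2],) + rest)]
    if kind == 'if':
        return [(s, ((M[2] if M[1](w(s)) else M[3]),) + rest)]
    if kind == 'while':
        return [(s, (M[2], M) + rest)] if M[1](w(s)) else [(s, rest)]
    raise ValueError(f"unknown scheme {M!r}")

def run(struct, M, s, fuel=10_000):
    """Explore every computation of M from s breadth first.  Returns (results,
    all_successful, longest): results is M_M(s), all_successful tells whether every
    computation ends in <s'; >, longest is the step count of the longest computation.
    More than `fuel` steps counts as infinite (an assumption; never reached below)."""
    results, all_successful, longest = set(), True, 0
    queue = deque([((s, (M,)), 0)])
    while queue:
        conf, n = queue.popleft()
        longest = max(longest, n)
        if not conf[1]:
            results.add(conf[0])
            continue
        if n >= fuel:
            all_successful = False
            continue
        nxt = step(struct, conf)
        if not nxt:                # stuck on an undefined program variable
            all_successful = False
            continue
        queue.extend((c, n + 1) for c in nxt)
    return results, all_successful, longest

def diamond(struct, M, alpha, s):
    """(<>M alpha)_M(s) for a classical formula alpha."""
    results, _, _ = run(struct, M, s)
    return int(any(alpha(struct[1](r)) for r in results))

def box(struct, M, alpha, s):
    """([]M alpha)_M(s): every computation successful and every result satisfies alpha."""
    results, ok, _ = run(struct, M, s)
    return int(ok and all(alpha(struct[1](r)) for r in results))

def power(g, M, i):
    """The scheme (if g then M fi)^i: Id for i = 0, otherwise i sequenced copies."""
    P = ('id',)
    for _ in range(i):
        P = ('seq', ('if', g, M, ('id',)), P)
    return P

def while_as_union(struct, g, M, s, bound):
    """Right-hand side of the last equality of Lemma 2.1, truncated to i <= bound."""
    out = set()
    for i in range(bound + 1):
        res, _, _ = run(struct, power(g, M, i), s)
        out |= {r for r in res if not g(struct[1](r))}
    return out

# Structure of the Example in Section 1: states are natural numbers, J(K) = {(i+5, i)},
# and a_j is true at state i iff j == i.
MOD5 = (lambda K, s: {s - 5} if K == 'K' and s >= 5 else set(), lambda s: {f'a{s}'})
GUARD5 = lambda v: not any(f'a{j}' in v for j in range(5))   # ~(a0 v a1 v a2 v a3 v a4)
LOOP5 = ('while', GUARD5, ('var', 'K'))

def example21(n):
    """Structure of Example 2.1 with J(K') cut off at 1 <= i <= n (this example's assumption)."""
    def succ(K, s):
        i, j = s
        if K == "K'" and s == (0, 0):
            return {(k, k) for k in range(1, n + 1)}
        return {(i, j - 1)} if K == 'K' and j >= 1 else set()
    def w(s):
        i, j = s
        return ({'p'} if i == 0 else set()) | ({'q'} if j != 1 else set())
    return succ, w

M_IF = ('if', lambda v: 'p' in v, ('var', "K'"), ('var', 'K'))   # M:  if p then K' else K fi
M1 = ('while', lambda v: 'q' in v, M_IF)                          # M1: while q do M od
```

run(MOD5, LOOP5, 23) yields the results {3} and reports all computations successful, matching i (mod 5) = j, and while_as_union computes the same set from the iterates (if γ then M fi)^i as in Lemma 2.1. For example21(n) every computation is finite but the longest has 3n + 1 steps, so no bound independent of n exists; this is the infinite branching that the FDN property of Definition 2.1 excludes.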

The next lemmas will be of great importance in our further discussion.

Lemma 2.2. For any state s in the structure 𝔐 and for arbitrary γ ∈ F_0, α ∈ F, M ∈ Π the following equality holds:
(◊while γ do M od α)_𝔐(s) = l.u.b._{i∈N} ◊(if γ then M fi)^i (~γ ∧ α)_𝔐(s).

Proof. Suppose that
(1) (◊while γ do M od α)_𝔐(s) = 1,
(2) l.u.b._{i∈N} ◊(if γ then M fi)^i (~γ ∧ α)_𝔐(s) = 0.
By (2), for every natural number i, i ∈ N,
(3) ◊(if γ then M fi)^i (~γ ∧ α)_𝔐(s) = 0.
Hence,
(4) for every i, either (if γ then M fi)^i_𝔐(s) is empty or for all s' ∈ (if γ then M fi)^i_𝔐(s), 𝔐, s' ⊨ γ or 𝔐, s' ⊨ ~α.
If, for a certain i, (if γ then M fi)^i_𝔐(s) = ∅, then all computations of the program while γ do M od are unsuccessful and consequently 𝔐, s ⊨ ~◊while γ do M od α, which contradicts (1).
Let us assume that for every i, (if γ then M fi)^i_𝔐(s) ≠ ∅. We then have
(5) (∀i)(∀s' ∈ (if γ then M fi)^i_𝔐(s)) 𝔐, s' ⊨ γ or 𝔐, s' ⊨ (~γ ∧ ~α).

Let i be an arbitrary natural number. If we have a computation of (if γ then M fi)^i whose result satisfies (~γ ∧ ~α) then we can construct a computation of while γ do M od (see Fact 1) whose result does not satisfy α. Let us skip all such computations. All the remaining computations of (if γ then M fi)^i have results which satisfy the formula γ. There are two possible cases: either (a) the computation of the program (if γ then M fi)^i can be extended to a computation of a program (if γ then M fi)^j, j > i, such that its result satisfies ~γ, or (b) there is no such extension.
In case (a), by (5), the result of the extended computation does satisfy ~α. In case (b), we can construct an infinite computation of the program scheme while γ do M od. Thus
(◊while γ do M od α)_𝔐(s) = 0,
which contradicts (1).
Conversely, suppose that
l.u.b._{i∈N} ◊(if γ then M fi)^i (~γ ∧ α)_𝔐(s) = 1.
Hence, for a certain i_0, 𝔐, s ⊨ ◊(if γ then M fi)^{i_0} (~γ ∧ α). Consider a successful computation of the program (if γ then M fi)^{i_0} with a result satisfying (~γ ∧ α). After a simple transformation we shall obtain a successful computation of while γ do M od such that its result satisfies α. Thus 𝔐, s ⊨ ◊while γ do M od α. □

From Lemma 2.2 we conclude that every formula of the form
◊while γ do M od α
defines an infinite operation. For the formula □while γ do M od α the problem is more complicated. It is a simple consequence of Fact 1 and Fact 2 that
𝔐, s ⊨ □(if γ then M fi)^i (~γ ∧ α)
for a certain i implies
𝔐, s ⊨ □while γ do M od α.
But the converse is not true in general, as was shown in Lemma 2.1. However, if we consider only special interpretations, then a lemma analogous to Lemma 2.2 can be obtained. These special interpretations will have the so-called finite degree of non-determinism property, referred to for short as the FDN property.

Definition 2.1. We shall say that a structure 𝔐 = ⟨S, 𝒥, w⟩ has the property of finite degree of non-determinism (FDN property) iff for every program variable K and every state s ∈ S, the set K_𝔐(s) is finite. □

A structure with the FDN property we shall call simply an FDN structure.
2. SEMANTIC PROPERTIES OF PROGRAM SCHEMES 217

LEMMA 2.3. For every structure $\mathfrak{M} = \langle S, \mathcal{J}, w\rangle$ with the FDN property, and for every state $s \in S$ and $\gamma \in F_0$, $\alpha \in F$, $M \in \Pi$ the following equality holds:
$$(\Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)_{\mathfrak{M}}(s) = \mathop{\mathrm{l.u.b.}}_{i\in N}\,(\Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))_{\mathfrak{M}}(s).$$

PROOF. Suppose that
$$(6)\qquad \mathfrak{M}, s \models \Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha$$
and
$$(7)\qquad \text{non } \mathfrak{M}, s \models \Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha)$$
for every natural number $i$.
By (7), for every $i$ there are three possible situations:
A. There exists an unsuccessful computation of $(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i$ at the initial state $s$.
B. There exists an $s' \in (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i_{\mathfrak{M}}(s)$ such that $\mathfrak{M}, s' \models (\sim\gamma\wedge\sim\alpha)$.
C. There exists an $s' \in (\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i_{\mathfrak{M}}(s)$ such that $\mathfrak{M}, s' \models \gamma$.
However, if for a certain $i$ case A holds, then we can construct an unsuccessful computation of the program while $\gamma$ do $M$ od, contrary to (6). Analogously, if for a certain $i$ case B holds, then we can construct a computation of while $\gamma$ do $M$ od which has a result not satisfying $\alpha$. This contradicts (6).
Suppose that case C holds for every natural number $i$. Thus for all $i$ there exists a computation of while $\gamma$ do $M$ od in which the program $M$ is executed $i$ times. Since the degree of any vertex in the tree of all possible computations of the program while $\gamma$ do $M$ od is finite, then by Kőnig's Lemma (cf. Kuratowski, 1967) there exists an infinite computation of while $\gamma$ do $M$ od. This contradicts (6).
Thus
$$\mathfrak{M}, s \models \Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha$$
implies
$$\mathop{\mathrm{l.u.b.}}_{i\in N}\,(\Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))_{\mathfrak{M}}(s) = 1.$$
The converse implication is obvious. □
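The equality of Lemma 2.3 (and of Lemma 2.2 for $\Diamond$) can be checked mechanically on a finite structure, where the FDN property holds automatically. The following model checker is an added example and not code from the book; the tuple syntax for formulas and program schemes, the two constructed structures CYCLIC and HALTING, and all function names are assumptions of this example. The left-hand side is computed directly from the computations of the loop (a cycle among loop-head states is an infinite computation, an empty $K_{\mathfrak{M}}(s)$ an unsuccessful one), the right-hand side as the least upper bound over bounded iteration.

```python
# Added example, not from the book: a PAL model checker over a finite
# semantic structure M = <S, J, w>. Finite structures have the FDN
# property, so Lemma 2.3 applies to them. Formulas and program schemes
# are nested tuples (a constructed syntax):
#   formulas: ('var', p), ('not', a), ('and', a, b), ('or', a, b),
#             ('box', M, a) for []M a,  ('dia', M, a) for <>M a
#   programs: ('id',), ('K', name), ('seq', M1, M2), ('if', g, M1, M2),
#             ('while', g, M)
class Structure:
    def __init__(self, J, w):
        self.J = J  # program variable -> {state: set of successor states}
        self.w = w  # state -> set of propositional variables true there

    def val(self, a, s):
        """Value alpha_M(s) of formula a at state s (True = 1, False = 0)."""
        tag = a[0]
        if tag == 'var':
            return a[1] in self.w[s]
        if tag == 'not':
            return not self.val(a[1], s)
        if tag == 'and':
            return self.val(a[1], s) and self.val(a[2], s)
        if tag == 'or':
            return self.val(a[1], s) or self.val(a[2], s)
        results, ok = self.run(a[1], s)
        if tag == 'box':  # all computations successful and all results satisfy a
            return ok and all(self.val(a[2], t) for t in results)
        if tag == 'dia':  # some successful computation has a result satisfying a
            return any(self.val(a[2], t) for t in results)
        raise ValueError(tag)

    def run(self, M, s):
        """Results of M from s, and whether every computation from s is successful."""
        tag = M[0]
        if tag == 'id':
            return {s}, True
        if tag == 'K':  # an empty K_M(s) is an unsuccessful computation
            succ = self.J[M[1]].get(s, set())
            return set(succ), bool(succ)
        if tag == 'seq':
            first, ok = self.run(M[1], s)
            results = set()
            for t in first:
                more, ok2 = self.run(M[2], t)
                results |= more
                ok = ok and ok2
            return results, ok
        if tag == 'if':
            return self.run(M[2] if self.val(M[1], s) else M[3], s)
        if tag == 'while':
            results = set()
            return results, self._loop(M[1], M[2], s, results, set(), {})
        raise ValueError(tag)

    def _loop(self, g, body, s, results, active, done):
        """DFS over loop-head states; a state met again on the current path is a cycle."""
        if s in active:
            return False          # cycle: an infinite computation of the loop
        if s in done:
            return done[s]
        active.add(s)
        if not self.val(g, s):
            results.add(s)        # g fails: the loop halts here with result s
            ok = True
        else:
            nxt, ok = self.run(body, s)
            for t in nxt:
                ok = self._loop(g, body, t, results, active, done) and ok
        active.discard(s)
        done[s] = ok
        return ok

def iterate(g, M, i):
    """(if g then M fi)^i: i-fold composition of 'if g then M else Id fi'."""
    prog = ('id',)
    for _ in range(i):
        prog = ('seq', prog, ('if', g, M, ('id',)))
    return prog

def lub_approx(struct, modality, g, M, a, s, bound):
    """Right-hand side of Lemmas 2.2 / 2.3: l.u.b. over i < bound of
    O(if g then M fi)^i(~g & a) at s, O = modality ('box' or 'dia')."""
    exit_formula = ('and', ('not', g), a)
    return any(struct.val((modality, iterate(g, M, i), exit_formula), s)
               for i in range(bound))

# Constructed structures. In CYCLIC the program variable K is non-deterministic
# at 'a': the branch through 'b' returns to 'a' forever, the branch through 'c'
# reaches 'd', where g fails. HALTING redirects 'b' to 'd', so the loop halts.
G, K, TRUE = ('var', 'g'), ('K', 'K'), ('or', ('var', 'g'), ('not', ('var', 'g')))
W = {'a': {'g'}, 'b': {'g'}, 'c': {'g'}, 'd': set()}
CYCLIC = Structure({'K': {'a': {'b', 'c'}, 'b': {'a'}, 'c': {'d'}, 'd': set()}}, W)
HALTING = Structure({'K': {'a': {'b', 'c'}, 'b': {'d'}, 'c': {'d'}, 'd': set()}}, W)
LOOP = ('while', G, K)

def check_lemma_2_3(struct, s='a', bound=6):
    """(direct []while, l.u.b. for [], direct <>while, l.u.b. for <>) at s."""
    return (struct.val(('box', LOOP, TRUE), s), lub_approx(struct, 'box', G, K, TRUE, s, bound),
            struct.val(('dia', LOOP, TRUE), s), lub_approx(struct, 'dia', G, K, TRUE, s, bound))

if __name__ == '__main__':
    print(check_lemma_2_3(CYCLIC))   # (False, False, True, True)
    print(check_lemma_2_3(HALTING))  # (True, True, True, True)
```

In CYCLIC the $\Diamond$ side is witnessed at $i_0 = 2$ (the path a, c, d) while no finite $i$ makes the $\Box$ side true, which is exactly the infinite computation that case C of the proof produces.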



It appears that for structures with the FDN property the above results
can be made even stronger. To simplify future considerations let us
first prove an auxiliary lemma.

LEMMA 2.4. Let $\alpha$, $\alpha_i$, $i \in N$, be formulas and $\mathfrak{M}$ be a semantic structure with the FDN property. If:
(i) for every state $s$ in $\mathfrak{M}$, $\alpha_{\mathfrak{M}}(s) = \mathop{\mathrm{l.u.b.}}_{i\in N} \alpha_{i\,\mathfrak{M}}(s)$ and
(ii) for every $i$ and $j \le i$, $\mathfrak{M} \models (\alpha_j \Rightarrow \alpha_i)$,
then for every program variable $K \in V_p$ we have:
(iii) for every state $s$,
$$(\Box K\alpha)_{\mathfrak{M}}(s) = \mathop{\mathrm{l.u.b.}}_{i\in N} (\Box K\alpha_i)_{\mathfrak{M}}(s), \qquad (\Diamond K\alpha)_{\mathfrak{M}}(s) = \mathop{\mathrm{l.u.b.}}_{i\in N} (\Diamond K\alpha_i)_{\mathfrak{M}}(s),$$
(iv) for every $i$ and $j \le i$,
$$\mathfrak{M} \models (\Box K\alpha_j \Rightarrow \Box K\alpha_i), \qquad \mathfrak{M} \models (\Diamond K\alpha_j \Rightarrow \Diamond K\alpha_i).$$

PROOF. To prove (iii) let us suppose that
$$(8)\qquad (\Box K\alpha)_{\mathfrak{M}}(s) = 1$$
and
$$(9)\qquad \mathop{\mathrm{l.u.b.}}_{i\in N} (\Box K\alpha_i)_{\mathfrak{M}}(s) = 0.$$
By (9), for every natural number $i$ we have
$$(10)\qquad (\Box K\alpha_i)_{\mathfrak{M}}(s) = 0.$$
There are two possible situations: $K_{\mathfrak{M}}(s) = \emptyset$ and $K_{\mathfrak{M}}(s) \ne \emptyset$. $K_{\mathfrak{M}}(s) = \emptyset$ implies that $(\Box K\alpha)_{\mathfrak{M}}(s) = 0$, contrary to (8). $K_{\mathfrak{M}}(s) \ne \emptyset$ implies by (10) that for every $i$ there exists an $s' \in K_{\mathfrak{M}}(s)$ such that $\alpha_{i\,\mathfrak{M}}(s') = 0$. Since by assumption $K_{\mathfrak{M}}(s)$ is finite, then for at least one $s' \in K_{\mathfrak{M}}(s)$ there are infinitely many formulas $\alpha_i$ which are not satisfied by $s'$. By (ii) non $\mathfrak{M}, s' \models \alpha_i$ for all $i \in N$. Thus $\mathop{\mathrm{l.u.b.}}_{i\in N} \alpha_{i\,\mathfrak{M}}(s') = 0$. By (i) $\alpha_{\mathfrak{M}}(s') = 0$ and therefore $(\Box K\alpha)_{\mathfrak{M}}(s) = 0$, which contradicts (8). Conversely, let us assume that $\mathop{\mathrm{l.u.b.}}_{i\in N} (\Box K\alpha_i)_{\mathfrak{M}}(s) = 1$. Hence there exists an $i$ such that $(\Box K\alpha_i)_{\mathfrak{M}}(s) = 1$, i.e. $K_{\mathfrak{M}}(s) \ne \emptyset$ and for every $s' \in K_{\mathfrak{M}}(s)$, $\alpha_{i\,\mathfrak{M}}(s') = 1$. Thus, for every $s' \in K_{\mathfrak{M}}(s)$ there exists an $i$ such that $\mathfrak{M}, s' \models \alpha_i$. In consequence, $\mathop{\mathrm{l.u.b.}}_{i\in N} \alpha_{i\,\mathfrak{M}}(s') = 1$ for every $s' \in K_{\mathfrak{M}}(s)$. By assumption (i)
$$\mathfrak{M}, s' \models \alpha \quad\text{for every } s' \in K_{\mathfrak{M}}(s),$$
i.e. $(\Box K\alpha)_{\mathfrak{M}}(s) = 1$.
Thus, the first part of (iii) is proved. The other equality will be proved analogously. Suppose
$$(11)\qquad \mathfrak{M}, s \models \Diamond K\alpha \quad\text{and}\quad \mathop{\mathrm{l.u.b.}}_{i\in N} (\Diamond K\alpha_i)_{\mathfrak{M}}(s) = 0.$$
Thus, for every $i \in N$, $(\Diamond K\alpha_i)_{\mathfrak{M}}(s) = 0$. This means by the definition of the value of the formula that either $K_{\mathfrak{M}}(s) = \emptyset$ or $K_{\mathfrak{M}}(s) \ne \emptyset$ and for all $s' \in K_{\mathfrak{M}}(s)$, $\alpha_{i\,\mathfrak{M}}(s') = 0$ for $i \in N$. If $K_{\mathfrak{M}}(s) = \emptyset$ then $(\Diamond K\alpha)_{\mathfrak{M}}(s) = 0$, which contradicts (11). Assuming that $K_{\mathfrak{M}}(s) \ne \emptyset$, then
$$\mathop{\mathrm{l.u.b.}}_{i\in N} \alpha_{i\,\mathfrak{M}}(s') = 0 \quad\text{for all } s' \in K_{\mathfrak{M}}(s).$$
By assumption (i), $\alpha_{\mathfrak{M}}(s') = 0$ for all $s' \in K_{\mathfrak{M}}(s)$ and therefore $(\Diamond K\alpha)_{\mathfrak{M}}(s) = 0$, a contradiction.
Conversely, suppose that
$$(12)\qquad \mathop{\mathrm{l.u.b.}}_{i\in N} (\Diamond K\alpha_i)_{\mathfrak{M}}(s) = 1.$$
Then there exists an $i \in N$ such that $(\Diamond K\alpha_i)_{\mathfrak{M}}(s) = 1$. This means that for a certain $s' \in K_{\mathfrak{M}}(s)$,
$$\mathop{\mathrm{l.u.b.}}_{i\in N} \alpha_{i\,\mathfrak{M}}(s') = 1.$$
By assumption (i), $\mathfrak{M}, s' \models \alpha$ for some $s' \in K_{\mathfrak{M}}(s)$, and hence $(\Diamond K\alpha)_{\mathfrak{M}}(s) = 1$, and the proof of (iii) is finished.
To prove (iv), assume that $\mathfrak{M} \models (\alpha_j \Rightarrow \alpha_i)$ and suppose that for some state $s$
$$\mathfrak{M}, s \models \Box K\alpha_j.$$
Then $K_{\mathfrak{M}}(s) \ne \emptyset$ and for all $s' \in K_{\mathfrak{M}}(s)$, $\mathfrak{M}, s' \models \alpha_j$. By assumption, $\mathfrak{M}, s' \models \alpha_i$ for all $s' \in K_{\mathfrak{M}}(s)$, and therefore
$$\mathfrak{M}, s \models \Box K\alpha_i.$$
Thus $\mathfrak{M} \models (\Box K\alpha_j \Rightarrow \Box K\alpha_i)$. Analogously, we can prove that $\mathfrak{M} \models (\Diamond K\alpha_j \Rightarrow \Diamond K\alpha_i)$. □

Let pref denote a finite sequence of program variables with modality signs,
$$\mathrm{pref} \in (\{\Box K\}_{K \in V_p} \cup \{\Diamond K\}_{K \in V_p})^*.$$
The following lemma is a generalization of Lemma 2.2.

LEMMA 2.5. Let $\mathfrak{M}$ be a structure with the FDN property. In that case
$$(\mathrm{pref}\,\bigcirc\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)_{\mathfrak{M}}(s) = \mathop{\mathrm{l.u.b.}}_{i\in N}\,(\mathrm{pref}\,\bigcirc(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))_{\mathfrak{M}}(s),$$
for every $\gamma \in F_0$, $\alpha \in F$, $M \in \Pi$ and every state $s$. $\bigcirc$ denotes either $\Box$ everywhere or $\Diamond$ everywhere.

PROOF. The proof is by induction on the length of pref. The basic step has been proved in Lemmas 2.2 and 2.3. To apply Lemma 2.4 it is sufficient to prove that for every $i \in N$ and $j < i$ the formula
$$(\bigcirc(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^j(\sim\gamma\wedge\alpha) \Rightarrow \bigcirc(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))$$
is valid in the structure $\mathfrak{M}$. But this follows immediately from the fact that each computation of $(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^j$ with a result satisfying $\sim\gamma$ determines a successful computation of $(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i$ with the same result.
Thus, using Lemma 2.4, we shall obtain the required equalities. □

As a simple consequence of the above lemmas we have:
$$\mathop{\mathrm{l.u.b.}}_{i\in N}\,(\mathrm{pref}\,\Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))_{\mathfrak{M}}(s) = (\mathrm{pref}\,\Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)_{\mathfrak{M}}(s),$$
$$\mathop{\mathrm{l.u.b.}}_{i\in N}\,(\mathrm{pref}\,\Diamond(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))_{\mathfrak{M}}(s) = (\mathrm{pref}\,\Diamond\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)_{\mathfrak{M}}(s).$$

The algorithmic language presented in this chapter allows us to describe certain important properties of program schemes:
$$\mathfrak{M} \models \Box M\,\mathbf{true},$$
i.e. all computations of the program scheme $M$ are successful;
$$\mathfrak{M} \models (\alpha \Rightarrow \Diamond M\beta),$$
i.e. if the initial state satisfies $\alpha$ then it is possible to have a result of $M$ which satisfies $\beta$;
$$\mathfrak{M} \models \Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i \sim\gamma,$$
i.e. the number of iterations of $M$ in all computations of the program scheme while $\gamma$ do $M$ od is less than $(i+1)$.

3. PROPERTIES OF SEMANTIC STRUCTURES

In the sequel we shall study different semantic structures. The aim of this
section is to present several definitions and some of their properties.

DEFINITION 3.1. We shall say that the semantic structure $\mathfrak{M} = \langle S, \mathcal{J}, w\rangle$ is proper iff the set $S$ of states is composed of valuations of propositional variables, $S \subset B_0^{V_0}$, and $w$ is the identity function. In what follows we shall write simply $\mathfrak{M} = \langle S, \mathcal{J}\rangle$. □

LEMMA 3.1. Every semantic structure $\mathfrak{M} = \langle S, \mathcal{J}, w\rangle$ such that $w$ is a one-to-one function is isomorphic to some proper structure. □

DEFINITION 3.2. We shall say that the semantic structure $\mathfrak{M} = \langle S, \mathcal{J}, w\rangle$ is normalized iff for every two states $s, s' \in S$,
$$s = s' \quad\text{iff}\quad \text{for every formula } \alpha,\ \alpha_{\mathfrak{M}}(s) = \alpha_{\mathfrak{M}}(s'). \ □$$

For every FDN semantic structure $\mathfrak{M}$ we can construct a normalized structure $\mathfrak{M}^*$ such that for every algorithmic formula $\alpha \in F$
$$\mathfrak{M} \models \alpha \quad\text{iff}\quad \mathfrak{M}^* \models \alpha.$$
Let $\mathfrak{M} = \langle S, \mathcal{J}, w\rangle$ be an FDN semantic structure and $\approx$ an equivalence relation in $S$ such that
$$s \approx s' \quad\text{iff}\quad (\forall \alpha \in F)\ \alpha_{\mathfrak{M}}(s) = \alpha_{\mathfrak{M}}(s'), \qquad s, s' \in S.$$

We shall construct a new structure $\mathfrak{M}^*$ as follows:
$$S^* = S/\!\approx, \qquad |s| = \{s' : s \approx s'\},$$
$$\mathcal{J}^* : V_p \to 2^{S^* \times S^*} \quad\text{and for all } K \in V_p,$$
$$\mathcal{J}^*(K) = \{(|s_1|, |s_2|) : (\exists s_1' \in |s_1|)(\exists s_2' \in |s_2|)\ (s_1', s_2') \in \mathcal{J}(K)\},$$
$$w^*(|s|) = w(s).$$
Notice that $w^*$ is a well-defined function on $S^*$, since if $s', s'' \in |s|$, then $w(s') = w(s'')$.
In several proofs we shall make use of the following definition of an ordering in the set of all formulas $F$:

DEFINITION 3.3. We shall say that the formula $\alpha'$ is submitted to the formula $\beta'$, $\alpha' \prec \beta'$, iff the pair $(\alpha', \beta')$ belongs to the transitive closure of the relation consisting of the following pairs:
$(\alpha, \bigcirc K\alpha)$ for $K \in V_p$,
$(\alpha, \alpha\vee\beta)$, $(\alpha, \alpha\wedge\beta)$, $(\alpha, \sim\alpha)$,
$(\bigcirc M_1(\bigcirc M_2\alpha),\ \bigcirc\,\mathbf{begin}\ M_1; M_2\ \mathbf{end}\ \alpha)$,
$(\bigcirc M_1\alpha,\ \bigcirc\,\mathbf{either}\ M_1\ \mathbf{or}\ M_2\ \mathbf{ro}\ \alpha)$,
$(\bigcirc M_2\alpha,\ \bigcirc\,\mathbf{either}\ M_1\ \mathbf{or}\ M_2\ \mathbf{ro}\ \alpha)$,
$(\bigcirc(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha),\ \bigcirc\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)$ for $i \in N$,
$((\gamma \wedge \bigcirc M_1\alpha),\ \bigcirc\,\mathbf{if}\ \gamma\ \mathbf{then}\ M_1\ \mathbf{else}\ M_2\ \mathbf{fi}\ \alpha)$,
$((\sim\gamma \wedge \bigcirc M_2\alpha),\ \bigcirc\,\mathbf{if}\ \gamma\ \mathbf{then}\ M_1\ \mathbf{else}\ M_2\ \mathbf{fi}\ \alpha)$,
where $M_1, M_2$ are any program schemes, $\gamma$ is a classical formula, $\alpha, \beta$ are formulas and $\bigcirc$ denotes $\Box$ or $\Diamond$.

LEMMA 3.2. For every formula $\alpha \in F$ and for every state $s$ in the structure $\mathfrak{M}$,
$$\alpha_{\mathfrak{M}^*}(|s|) = \alpha_{\mathfrak{M}}(s).$$

PROOF. (By induction w.r.t. the ordering relation $\prec$ defined above.) It is obvious that for every propositional variable $p \in V_0$ and for every state $s \in S$,
$$p_{\mathfrak{M}^*}(|s|) = p_{\mathfrak{M}}(s).$$
Assume that Lemma 3.2 holds for all formulas which are submitted to a formula $a$.
A. Consider the formula $a = \Diamond K\alpha$, $K \in V_p$.
Let $s \in S$ and $\mathfrak{M}, s \models \Diamond K\alpha$. Then $(\exists s_1 \in K_{\mathfrak{M}}(s))\ \mathfrak{M}, s_1 \models \alpha$. By the definition of the structure $\mathfrak{M}^*$ we have
$$(\exists s_1 \in K_{\mathfrak{M}}(s))\ (|s|, |s_1|) \in K_{\mathfrak{M}^*} \quad\text{and}\quad \mathfrak{M}, s_1 \models \alpha.$$
Hence,
$$\mathfrak{M}^*, |s| \models \Diamond K\alpha.$$
Conversely, if $\mathfrak{M}^*, |s| \models \Diamond K\alpha$ for a certain $s \in S$, then there is an element $s_1$ such that $|s_1| \in K_{\mathfrak{M}^*}(|s|)$ and $\mathfrak{M}^*, |s_1| \models \alpha$. From the definition of $\mathfrak{M}^*$, there are $s_1' \in |s_1|$ and $s' \in |s|$ such that $(s', s_1') \in K_{\mathfrak{M}}$. By the induction hypothesis $\mathfrak{M}, s_1 \models \alpha$. Since $s_1, s_1' \in |s_1|$, we have $\mathfrak{M}, s_1' \models \alpha$ and therefore $(\Diamond K\alpha)_{\mathfrak{M}}(s') = (\Diamond K\alpha)_{\mathfrak{M}}(s) = 1$.
B. Consider the formula $a = \Box K\alpha$.
If $\mathfrak{M}, s \models \Box K\alpha$, then $K_{\mathfrak{M}}(s) \ne \emptyset$. Thus $K_{\mathfrak{M}^*}(|s|) \ne \emptyset$. Let $|s_1| \in K_{\mathfrak{M}^*}(|s|)$; then there are elements $s_2, s'$ such that $s_2 \in |s_1|$, $s' \in |s|$ and $(s', s_2) \in K_{\mathfrak{M}}$. Since $\mathfrak{M}, s' \models \Box K\alpha$, we have $\mathfrak{M}, s_2 \models \alpha$. Hence, by the induction hypothesis, $\alpha_{\mathfrak{M}^*}(|s_1|) = \alpha_{\mathfrak{M}^*}(|s_2|) = 1$. Consequently, $\mathfrak{M}^*, |s| \models \Box K\alpha$.
Conversely, if, for a certain $s \in S$, $\mathfrak{M}^*, |s| \models \Box K\alpha$, then $K_{\mathfrak{M}^*}(|s|) \ne \emptyset$. Thus $K_{\mathfrak{M}}(s') \ne \emptyset$ for some $s' \in |s|$. If we take $s_1 \in K_{\mathfrak{M}}(s')$, then $|s_1| \in K_{\mathfrak{M}^*}(|s'|)$, i.e. $|s_1| \in K_{\mathfrak{M}^*}(|s|)$, and therefore $\mathfrak{M}^*, |s_1| \models \alpha$. By the induction assumption for $\alpha$ we have $\mathfrak{M}, s_1 \models \alpha$. Hence $\mathfrak{M}, s' \models \Box K\alpha$ and therefore $\mathfrak{M}, s \models \Box K\alpha$.
C. Consider the formula $a = \Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha$.
Suppose that $\mathfrak{M}, s \models \Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha$. By Lemma 2.3, this is equivalent to the following
$$\mathop{\mathrm{l.u.b.}}_{i\in N}\,(\Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))_{\mathfrak{M}}(s) = 1.$$
By the induction hypothesis we have
$$\mathop{\mathrm{l.u.b.}}_{i\in N}\,(\Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))_{\mathfrak{M}^*}(|s|) = 1,$$
and therefore by Lemma 2.3
$$\mathfrak{M}^*, |s| \models \Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha.$$
All the remaining cases can be discussed analogously. □

DEFINITION 3.4. Two semantic structures $\mathfrak{M}$ and $\mathfrak{M}'$ are algorithmically equivalent iff for every formula $\alpha \in F$,
$$\mathfrak{M} \models \alpha \quad\text{iff}\quad \mathfrak{M}' \models \alpha. \ □$$

LEMMA 3.3. Every FDN semantic structure is algorithmically equivalent to some normalized FDN structure. □

Let us now compare proper and normalized structures. Since the value of any formula is defined in a unique way by a given structure and a given state, then for all valuations $v_1, v_2$ in the proper structure $\mathfrak{M}$ we have
$$v_1 = v_2 \quad\text{iff}\quad (\forall \alpha)\ \alpha_{\mathfrak{M}}(v_1) = \alpha_{\mathfrak{M}}(v_2).$$
Thus, if $\mathfrak{M}$ is a proper structure, it is normalized.
The following lemmas describe some properties of relations which can be expressed in the propositional algorithmic language.

LEMMA 3.4. In every normalized semantic structure $\mathfrak{M}$, the following properties are satisfied:
$$\mathfrak{M} \models \{(\Diamond K\alpha \Rightarrow \Box K\alpha)\}_{\alpha \in F} \quad\text{iff}\quad (\forall s)\ \mathrm{card}(K_{\mathfrak{M}}(s)) \le 1,$$
$$\mathfrak{M} \models \{((\Diamond K(\alpha\wedge\beta) \wedge \Diamond K(\alpha\wedge\sim\beta)) \Rightarrow \Box K\alpha)\}_{\alpha, \beta \in F} \quad\text{iff}\quad (\forall s)\ \mathrm{card}(K_{\mathfrak{M}}(s)) \le 2,$$
$$\mathfrak{M} \models \{((\Diamond K(\alpha\wedge\beta) \wedge \Diamond K(\alpha\wedge\sim\beta) \wedge \Diamond K(\sim\alpha\wedge\beta)) \Rightarrow \cdots)\}_{\alpha, \beta \in F} \quad\text{iff}\quad (\forall s)\ \mathrm{card}(K_{\mathfrak{M}}(s)) \le 3.$$
We shall prove the first equivalence.
PROOF. Obviously, if $K_{\mathfrak{M}}(s)$ is an at most one-element set, then for every formula $\alpha$, $(\Diamond K\alpha \Rightarrow \Box K\alpha)$ is valid in $\mathfrak{M}$.
Conversely, suppose
$$\mathfrak{M} \models \{(\Diamond K\alpha \Rightarrow \Box K\alpha)\}_{\alpha \in F}$$
and for some states $s, s_1, s_2$ in $\mathfrak{M}$, $s_1 \in K_{\mathfrak{M}}(s)$, $s_2 \in K_{\mathfrak{M}}(s)$, $s_1 \ne s_2$. Since $\mathfrak{M}$ is normalized, there exists a formula $\beta$ such that
$$\beta_{\mathfrak{M}}(s_1) \ne \beta_{\mathfrak{M}}(s_2).$$
Hence, $\mathfrak{M}, s \models \Diamond K\beta$ and non $\mathfrak{M}, s \models \Box K\beta$, a contradiction.
The proof of the second property can be found in Lemma 10.1. The proof of the third property is left to the reader. □

LEMMA 3.5. Let $\mathfrak{M}$ be a normalized FDN semantic structure. The following equivalences then hold:
(i) $\mathfrak{M} \models \{(\beta \Rightarrow \Diamond K\beta)\}_{\beta \in F}$ iff $K_{\mathfrak{M}}$ is a reflexive relation,
(ii) $\mathfrak{M} \models \{(\Diamond K(\sim\Diamond K\beta) \Rightarrow \sim\beta)\}_{\beta \in F}$ iff $K_{\mathfrak{M}}$ is a symmetric relation,
(iii) $\mathfrak{M} \models \{(\Diamond K(\Diamond K\beta) \Rightarrow \Diamond K\beta)\}_{\beta \in F}$ iff $K_{\mathfrak{M}}$ is a transitive relation,
(iv) $\mathfrak{M} \models \{((\Diamond K(\sim\Diamond M\beta) \Rightarrow \sim\beta) \wedge (\Diamond M(\sim\Diamond K\beta) \Rightarrow \sim\beta))\}_{\beta \in F}$ iff the relations $M_{\mathfrak{M}}$ and $K_{\mathfrak{M}}$ are mutually inverse.
PROOF. All four properties have similar proofs. We shall illustrate the method of proving by showing the second equivalence, as follows.
Ad (ii). Let $\mathfrak{M}$ be a normalized FDN semantic structure and
$$(1)\qquad \mathfrak{M} \models (\Diamond K(\sim\Diamond K\alpha) \Rightarrow \sim\alpha) \quad\text{for every formula } \alpha.$$
Suppose $s, s'$ are two fixed states such that
$$(2)\qquad (s, s') \in K_{\mathfrak{M}}$$
and let $\{s_1, \ldots, s_n\}$ be the set of all states such that $(s', s_i) \in K_{\mathfrak{M}}$ for $i \le n$ (this set is finite by the FDN property). Suppose $s_i \ne s$ for all $i \le n$. Since $\mathfrak{M}$ is a normalized structure, for every $i \le n$ there exists a formula $\alpha_i$ such that
$$\mathfrak{M}, s \models \alpha_i \quad\text{and}\quad \mathfrak{M}, s_i \models \sim\alpha_i.$$
Let $\alpha = (\alpha_1 \wedge \alpha_2 \wedge \ldots \wedge \alpha_n)$. Thus
$$(3)\qquad \mathfrak{M}, s \models \alpha \quad\text{and}\quad \mathfrak{M}, s' \models \sim\Diamond K\alpha.$$
By (2) $\mathfrak{M}, s \models \Diamond K(\sim\Diamond K\alpha)$ and as a consequence of (1) $\mathfrak{M}, s \models \sim\alpha$, contrary to (3). Thus (2) implies $(s', s) \in K_{\mathfrak{M}}$.
Conversely, assume that for all $s, s'$
$$(4)\qquad \text{if } (s, s') \in K_{\mathfrak{M}}, \text{ then } (s', s) \in K_{\mathfrak{M}}.$$
Suppose that
$$(5)\qquad \mathfrak{M}, s \models \alpha \quad\text{and}\quad \mathfrak{M}, s \models \Diamond K(\sim\Diamond K\alpha).$$
Thus there exists a state $s'$, $(s, s') \in K_{\mathfrak{M}}$, such that non $\mathfrak{M}, s' \models \Diamond K\alpha$. By assumption (4) $(s', s) \in K_{\mathfrak{M}}$ and furthermore non $\mathfrak{M}, s \models \alpha$, which contradicts (5). □

At the end of this section we shall present a negative result which is of great significance for further considerations. We shall prove that the FDN property is not expressible in the propositional algorithmic language.

THEOREM 3.6. There exists no formula $\alpha$ such that for every semantic structure $\mathfrak{M}$
$$\mathfrak{M} \models \alpha \quad\text{iff}\quad \mathfrak{M} \text{ has the FDN property}.$$
PROOF. Suppose, on the contrary, that there exists a formula $\alpha_0$ such that for every $\mathfrak{M}$
$$(6)\qquad \mathfrak{M} \models \alpha_0 \quad\text{iff}\quad \mathfrak{M} \text{ has the FDN property}.$$
Let us consider the family of structures $\{\mathfrak{M}_i\}_{i \in N}$ such that $\mathfrak{M}_i = \langle S_i, \mathcal{J}_i, w_i\rangle$, where $S_i \cap S_j = \emptyset$ for $i \ne j$ and $S_i = \{s_i, s_{i1}, \ldots, s_{ii}\}$, $\mathcal{J}_i(K) = \{(s_i, s_{ij}) : j \le i\}$, $\mathcal{J}_i(K') = \emptyset$ for all program variables $K'$ different from $K$, $\mathfrak{M}_i, w_i(s_i) \models q$ iff $q = p_1$ and $\mathfrak{M}_i, w_i(s_{ij}) \models q$ iff $q = q_j$.
The family $\{\mathfrak{M}_i\}_{i \in N}$ can be described more intuitively by the graphs shown in Figure 3.1.

Fig. 3.1 (the graphs of $\mathfrak{M}_1$, $\mathfrak{M}_2$, $\mathfrak{M}_3$)

As an immediate consequence we have the following:
$$(7)\qquad \mathfrak{M}_i \text{ has the FDN property for every } i \in N.$$
Let $\mathcal{F}$ be the maximal extension of the Fréchet filter in the set of natural numbers $N$ (cf. Malcev, 1970),
$$\mathcal{F} \supset \{X \subset N : N - X \text{ is a finite set}\}.$$
Let us denote by $\mathfrak{M}^* = \langle S^*, \mathcal{J}^*, w^*\rangle$ the product of all structures $\{\mathfrak{M}_i\}_{i \in N}$ modulo the filter $\mathcal{F}$ (cf. Malcev, 1970),
$$\mathfrak{M}^* = \prod_{i \in N} \mathfrak{M}_i / \mathcal{F}.$$
For every $u \in \prod_{i \in N} \mathfrak{M}_i$ let $u_i$ denote the $i$-th element of $u$ and let $|u| = \{u' : \{i : u_i = u'_i\} \in \mathcal{F}\}$. Hence $S^* = \{|u| : u \in \prod_{i \in N} \mathfrak{M}_i\}$ and
$$(|u|, |u'|) \in \mathcal{J}^*(K) \quad\text{iff}\quad \{i : (u_i, u'_i) \in \mathcal{J}_i(K)\} \in \mathcal{F},$$
$$\mathfrak{M}^*, w^*(|u|) \models q \quad\text{iff}\quad \{i : \mathfrak{M}_i, w_i(u_i) \models q\} \in \mathcal{F}.$$

Let $\mathfrak{M}$ be the restriction of $\mathfrak{M}^*$ to the states $|s|$, $|s^j|$ for $j \in N$, where $s = (s_1, s_2, \ldots)$ and $s^j = (s_{11}, \ldots, s_{jj}, s_{j+1\,j}, s_{j+2\,j}, \ldots)$. For every $j \in N$, $|s| \ne |s^j|$ since $\{i : s_i = s^j_i\} = \emptyset$.
For every $j \in N$, $(|s|, |s^j|)$ belongs to $\mathcal{J}^*(K)$ since $N = \{i : (s_i, s^j_i) \in \mathcal{J}_i(K)\} \in \mathcal{F}$, and $(|s^j|, |s|) \notin K_{\mathfrak{M}}$ since $\{i : (s^j_i, s_i) \in \mathcal{J}_i(K)\} = \emptyset$.
Moreover $|s^k| \ne |s^j|$ for $k \ne j$, since $\{i : s^k_i = s^j_i\}$ is finite and therefore does not belong to $\mathcal{F}$. Thus there are infinitely many successors of the state $|s|$.
We obtain
$$(8)\qquad \mathfrak{M} \text{ does not have the FDN property},$$
as a consequence of the above considerations.
Note that the situation in which $|t|, |t'|, |t''|$ are different states in $\mathfrak{M}$ and $(|t|, |t'|) \in K_{\mathfrak{M}}$, $(|t'|, |t''|) \in K_{\mathfrak{M}}$ is impossible, since in that case we would find a corresponding triple $t_i, t'_i, t''_i$ of states in the structure $\mathfrak{M}_i$ such that $(t_i, t'_i) \in K_{\mathfrak{M}_i}$, $(t'_i, t''_i) \in K_{\mathfrak{M}_i}$, in contradiction to the definition of the structure $\mathfrak{M}_i$.
By induction on the length of the formula we can prove that for every $|u| \in \mathfrak{M}$ and for every formula $\alpha$ of PAL,
$$(9)\qquad \mathfrak{M}, |u| \models \alpha \quad\text{iff}\quad \{i : \mathfrak{M}_i, u_i \models \alpha\} \in \mathcal{F}.$$
The key part of the proof is the case when the formula $\alpha$ is of the form $\Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \beta$. From the previous observation we have
$$\mathfrak{M}, |u| \models (\Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \beta \equiv ((\gamma \wedge \Box M(\sim\gamma\wedge\beta)) \vee (\sim\gamma\wedge\beta))),$$
since there is at most one iteration of the program $M$ during a computation of while $\gamma$ do $M$ od in the structure $\mathfrak{M}$. By the inductive hypothesis we shall obtain
$$\{i : \mathfrak{M}_i, u_i \models ((\gamma \wedge \Box M(\sim\gamma\wedge\beta)) \vee (\sim\gamma\wedge\beta))\} \in \mathcal{F}$$
and therefore
$$\{i : \mathfrak{M}_i, u_i \models \Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \beta\} \in \mathcal{F}.$$
To complete the proof let us notice that by (6) and (7) $\mathfrak{M}_i \models \alpha_0$ for every $i \in N$. Hence for every state $|u|$ in the structure $\mathfrak{M}$
$$\{i : \mathfrak{M}_i, u_i \models \alpha_0\} = N$$
and therefore by (9), $\mathfrak{M}, |u| \models \alpha_0$. As a consequence $\mathfrak{M} \models \alpha_0$, as opposed to (8). □

THEOREM 3.7. The FDN property is not expressible in PAL, i.e., the following property does not hold: there exists a set of formulas $Z$ such that for every semantic structure $\mathfrak{M}$,
$$\mathfrak{M} \models Z \quad\text{iff}\quad \mathfrak{M} \text{ has the FDN property}. \ □$$
REMARK. Theorem 3.6 can be strengthened. Namely, the FDN property is not expressible in PAL in the class of all normalized structures.

4. THE SEMANTIC CONSEQUENCE OPERATION IS NOT COMPACT

DEFINITION 4.1. A semantic structure $\mathfrak{M} = \langle S, \mathcal{J}, w\rangle$ is a model of the set of formulas $Z$ iff $\mathfrak{M}$ is a model of every formula $\alpha$ from this set. □

DEFINITION 4.2. We shall say that $\alpha$ is a semantic consequence of the set of formulas $Z$, $Z \models \alpha$, iff every model of $Z$ is a model of $\alpha$. □

The semantic consequence operation has certain classical properties (cf. Chapter II, § 4). An important difference is exhibited in the following lemma, which implies the non-compactness of $\models$ (see also Chapter II, Theorem 4.1).

LEMMA 4.1. There exists a set of formulas $Z$ and a formula $\alpha$ such that $Z \models \alpha$ and such that for every finite subset $Z_0$ of $Z$ there exists a model of $Z_0$ which is not a model of $\alpha$.
PROOF. Consider the following example. Assume that
$$Z = \{\Box\,\mathbf{begin}\ K_1; K_2^i\ \mathbf{end}\ q_0\}_{i \in N},$$
where $K_1, K_2$ are program variables and $q_0$ is a propositional variable, and $\alpha = \sim(\Diamond\,\mathbf{begin}\ K_1; \mathbf{while}\ q_0\ \mathbf{do}\ K_2\ \mathbf{od}\ \mathbf{end}\ \mathbf{true})$. It is easy to show that $\alpha$ is a semantic consequence of the set $Z$.
If $\langle S, \mathcal{J}, w\rangle$ is a model of $Z$, then for every state $s \in S$ and for each natural number $i$, every computation of the program $\mathbf{begin}\ K_1; K_2^i\ \mathbf{end}$ is successful and all results satisfy the formula $q_0$. Hence, there exists no finite computation of the program
$$\mathbf{begin}\ K_1; \mathbf{while}\ q_0\ \mathbf{do}\ K_2\ \mathbf{od}\ \mathbf{end}.$$
This implies that $\langle S, \mathcal{J}, w\rangle$ is a model for $\alpha$.
Now, assume that $V_0 = \{q_i\}_{i \in N}$. For every finite subset $X$ of $N$, let us construct an interpretation $\mathcal{J}$ in the following way: for all valuations $v, v', v''$ of the propositional variables, $v\,\mathcal{J}(K_1)\,v'$ iff $v'(q_i) = 1$ for $i \in X$ and $v'(q_i) = 0$ for $i \notin X$; $v'\,\mathcal{J}(K_2)\,v''$ iff $v''(q_i) = v'(q_{i+1})$ for $i = 0, 1, \ldots$
Let $\mathfrak{M}$ be the semantic structure $\langle W, \mathcal{J}\rangle$.
First let us observe that all computations of the program $\mathbf{begin}\ K_1; K_2^i\ \mathbf{end}$ in the structure $\mathfrak{M}$ are finite in the interpretation $\mathcal{J}$ for all valuations and for all $i \in N$. Let $v$ be a fixed valuation. The value of the propositional variable $q_i$ in the valuation $v'$ obtained after the execution of the program $K_1$ is 1 if $i \in X$. After the execution of the whole program we have a resulting valuation $v''$ such that $v''(q_0) = 1$. Thus $\langle W, \mathcal{J}\rangle$ is a model of $Z_X = \{\Box\,\mathbf{begin}\ K_1; K_2^i\ \mathbf{end}\ q_0\}_{i \in X}$.
$\langle W, \mathcal{J}\rangle$ is not a model for $\alpha$. Let us take as $i_0$ the smallest natural number such that $i_0 \notin X$, and let $v^0$ be such that $v\,\mathcal{J}(K_1)\,v^0$ and $v^j\,\mathcal{J}(K_2)\,v^{j+1}$ for $j < i_0$, for some valuation $v$. The sequence of configurations
$$\langle v^0; \mathbf{while}\ q_0\ \mathbf{do}\ K_2\ \mathbf{od}\rangle,\ \langle v^0; K_2; \mathbf{while}\ q_0\ \mathbf{do}\ K_2\ \mathbf{od}\rangle,\ \langle v^1; \mathbf{while}\ q_0\ \mathbf{do}\ K_2\ \mathbf{od}\rangle,\ \langle v^1; K_2; \mathbf{while}\ q_0\ \mathbf{do}\ K_2\ \mathbf{od}\rangle,\ \ldots,\ \langle v^{i_0}; \mathbf{while}\ q_0\ \mathbf{do}\ K_2\ \mathbf{od}\rangle,\ \langle v^{i_0};\ \rangle$$
is a successful computation of the program while $q_0$ do $K_2$ od. Thus, $\mathfrak{M} \models \sim\alpha$. □

5. THE SYNTACTIC CONSEQUENCE OPERATION

We shall now characterize the semantic consequence operation described above in syntactic terms.
Theorem 4.1 assures us that it is not possible to construct a complete and recursive axiomatization of PAL with finite rules of inference. We thus allow rules of an infinite character.
All axioms Ax1–Ax11 of algorithmic logic AL (cf. Chapter II, § 5) and the following schemes are axioms of PAL:
$$(\Box M\alpha \Rightarrow \Diamond M\alpha), \qquad (\Diamond K\,\mathbf{true} \Rightarrow \Box K\,\mathbf{true}),$$
$$\bigcirc\,\mathbf{begin}\ M_1; M_2\ \mathbf{end}\ \alpha \equiv (\bigcirc M_1(\bigcirc M_2\alpha)),$$
$$\bigcirc\,\mathbf{if}\ \gamma\ \mathbf{then}\ M_1\ \mathbf{else}\ M_2\ \mathbf{fi}\ \alpha \equiv ((\gamma \wedge \bigcirc M_1\alpha) \vee (\sim\gamma \wedge \bigcirc M_2\alpha)),$$
$$\bigcirc\,\mathbf{while}\ \gamma\ \mathbf{do}\ M_1\ \mathbf{od}\ \alpha \equiv ((\sim\gamma\wedge\alpha) \vee (\gamma \wedge \bigcirc M_1(\bigcirc\,\mathbf{while}\ \gamma\ \mathbf{do}\ M_1\ \mathbf{od}\ \alpha))),$$
$$\Diamond\,\mathbf{either}\ M_1\ \mathbf{or}\ M_2\ \mathbf{ro}\ \alpha \equiv (\Diamond M_1\alpha \vee \Diamond M_2\alpha),$$
$$\Box\,\mathbf{either}\ M_1\ \mathbf{or}\ M_2\ \mathbf{ro}\ \alpha \equiv (\Box M_1\alpha \wedge \Box M_2\alpha),$$
$$\Box M(\alpha\wedge\beta) \equiv (\Box M\alpha \wedge \Box M\beta),$$
$$\Diamond M(\alpha\vee\beta) \equiv (\Diamond M\alpha \vee \Diamond M\beta),$$
$$(\Box M\sim\alpha \Rightarrow \sim\Diamond M\alpha),$$
$$(\Box M\,\mathbf{true} \Rightarrow (\sim\Diamond M\alpha \Rightarrow \Box M\sim\alpha)),$$
$$\sim\Diamond M\,\mathbf{false},$$
$$\bigcirc\,\mathrm{Id}\,\alpha \equiv \alpha.$$
We assume the following rules of inference:
$$\frac{\alpha,\ (\alpha \Rightarrow \beta)}{\beta}, \qquad \frac{(\alpha \Rightarrow \beta)}{(\bigcirc M\alpha \Rightarrow \bigcirc M\beta)},$$
$$\frac{\{(\mathrm{pref}(\bigcirc(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\alpha\wedge\sim\gamma)) \Rightarrow \beta)\}_{i \in N}}{(\mathrm{pref}(\bigcirc\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha) \Rightarrow \beta)}.$$
In all the above schemes $K$ denotes a program variable, $M, M_1, M_2$ denote schemes of programs, $\gamma$ is a classical propositional formula and $\alpha, \beta$ are arbitrary formulas from $F$. All occurrences of $\bigcirc$ in a formula must be understood either as $\Diamond$ throughout or as $\Box$ throughout; pref is an arbitrary prefix (see § 2 of this chapter).
The set of all axioms and inference rules defines the syntactic consequence operation $C$ in the usual way. For any set $Z$ of formulas, $C(Z)$ is the least set which contains $Z$ and all axioms of PAL and is closed under the rules of inference. The system $\langle L_0, C\rangle$ will be called the propositional algorithmic logic PAL.
A formula $\alpha$ is called a theorem of PAL iff $\alpha$ is an element of $C(\emptyset)$, $\vdash \alpha$ for short.
By a formal proof of a formula $\alpha$ from the set of formulas $Z$ we shall understand a tree with finite paths, labelled by formulas, such that its root is the formula $\alpha$, all leaves are axioms and every vertex is obtained from the set of its predecessors by one of the inference rules (cf. Chapter II, § 5).
We shall write $Z \vdash \alpha$, $\alpha \in C(Z)$, iff $\alpha$ has a formal proof from the set $Z$.

LEMMA 5.1. All axioms of PAL are propositional algorithmic tautologies.

PROOF. The proof is by an easy verification. As an example we shall consider two formulas:
A. $(\Diamond K\,\mathbf{true} \Rightarrow \Box K\,\mathbf{true})$, $K \in V_p$, and
B. $(\Box M\sim\alpha \Rightarrow \sim\Diamond M\alpha)$.
Let $\mathfrak{M} = \langle S, \mathcal{J}, w\rangle$ be a fixed semantic structure, and $s$ an arbitrary element of $S$.
A. Assume that $\mathfrak{M}, s \models \Diamond K\,\mathbf{true}$. Then $K_{\mathfrak{M}}(s) \ne \emptyset$ and all computations are one-element sequences. Thus $\mathfrak{M}, s \models \Box K\,\mathbf{true}$.
B. Assume that $\mathfrak{M}, s \models \Box M\sim\alpha$. Then all computations of the program $M$ are successful and all results satisfy the formula $\sim\alpha$. Hence, there exists no finite computation whose result satisfies the formula $\alpha$. This means that $\mathfrak{M}, s \models \sim\Diamond M\alpha$. □

LEMMA 5.2. The set of all formulas valid in all FDN semantic structures is closed under all rules of inference mentioned above.
PROOF. Let $\mathfrak{M}$ be an FDN semantic structure. We shall prove that for any inference rule, if all premises are valid in $\mathfrak{M}$ then the conclusion is valid in $\mathfrak{M}$.
Consider the rule $\dfrac{(\alpha \Rightarrow \beta)}{(\Box M\alpha \Rightarrow \Box M\beta)}$. Assume that $\mathfrak{M} \models (\alpha \Rightarrow \beta)$ and $\mathfrak{M}, s \models \Box M\alpha$ for some state $s$. Thus all computations of the program $M$ in the structure $\mathfrak{M}$ at the initial state $s$ are successful and all results $s'$ satisfy the formula $\alpha$, i.e. $\mathfrak{M}, s' \models \alpha$. By assumption $\mathfrak{M}, s' \models \beta$ and therefore $\mathfrak{M}, s \models \Box M\beta$. As a consequence we have $\mathfrak{M}, s \models (\Box M\alpha \Rightarrow \Box M\beta)$. Hence $(\Box M\alpha \Rightarrow \Box M\beta)$ is valid in $\mathfrak{M}$.
Consider the rule
$$\frac{\{(\mathrm{pref}\,\Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha) \Rightarrow \beta)\}_{i \in N}}{(\mathrm{pref}\,\Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha \Rightarrow \beta)}.$$
Assume that for all $i \in N$ the formula
$$(\mathrm{pref}\,\Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha) \Rightarrow \beta)$$
is valid in an FDN structure $\mathfrak{M}$.
Suppose that for a fixed state $s$ in the structure $\mathfrak{M}$
$$(\mathrm{pref}\,\Box\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \alpha)_{\mathfrak{M}}(s) = 1 \quad\text{and}\quad \beta_{\mathfrak{M}}(s) = 0.$$
This means that for all $i \in N$,
$$(\mathrm{pref}\,\Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))_{\mathfrak{M}}(s) = 0.$$
Thus
$$\mathop{\mathrm{l.u.b.}}_{i\in N}\,(\mathrm{pref}\,\Box(\mathbf{if}\ \gamma\ \mathbf{then}\ M\ \mathbf{fi})^i(\sim\gamma\wedge\alpha))_{\mathfrak{M}}(s) = 0.$$
Applying Lemma 2.5 we arrive at a contradiction. □

As a natural consequence of the previous two lemmas we have the following theorem:

THEOREM 5.3. For every formula $\alpha$ of the language $L_0$, if $\alpha$ is a theorem of PAL then $\alpha$ is valid in every semantic structure with the FDN property. □

LEMMA 5.4. The propositional algorithmic calculus is consistent.

PROOF. Suppose the contrary. There then exists a formula $\alpha$ such that $\alpha$ and $\sim\alpha$ are theorems in PAL. By the adequacy theorem, for every FDN structure $\mathfrak{M}$ and state $s$
$$\alpha_{\mathfrak{M}}(s) = 1 \quad\text{and}\quad (\sim\alpha)_{\mathfrak{M}}(s) = 1.$$
Since the value of a formula is defined in a unique way, we arrive at a contradiction. □

The question naturally arises whether every formula valid in every FDN structure possesses a proof in PAL. In Sections 8–10 of this chapter we shall discuss some classes of interpretations and extensions of PAL which have the completeness property.
By a theory based on PAL we shall understand a system $\langle L_0, C, A\rangle$ consisting of the language $L_0$ of propositional algorithmic logic, the syntactic consequence operation $C$ and the set of formulas $A \subset F$, called specific axioms.
By a model of the theory $T = \langle L_0, C, A\rangle$ we shall mean any model of the set $A$.
We can prove the following adequacy theorem for any algorithmic theory $T = \langle L_0, C, A\rangle$:

THEOREM 5.5. If $\alpha$ is a theorem of a theory $T$, then every FDN model of $T$ is a model of $\alpha$.

The proof follows from Lemmas 5.1, 5.2. □



6. EXAMPLES OF PROPOSITIONAL THEORIES

EXAMPLE 6.1. Propositional theory of arithmetic.

Let us consider a theory $\mathrm{Ar} = \langle L_0, C, \mathrm{Ax}_{ar}\rangle$ based on PAL. We shall assume that the algorithmic language $L_0$ contains two program variables $N$, $P$ and one propositional variable $z$. $\mathrm{Ax}_{ar}$ is the set of all formulas of the form:
$$\Box N\sim z, \qquad (z \equiv \sim\Box P\,\mathbf{true}),$$
$$(\Diamond N\alpha \Rightarrow \Box N\alpha), \qquad (\Diamond P\alpha \Rightarrow \Box P\alpha),$$
$$(\alpha \Rightarrow \Box N\Diamond P\alpha), \qquad (\sim z \Rightarrow (\alpha \Rightarrow \Box P\Diamond N\alpha)),$$
$$\Box\,\mathbf{while}\ \sim z\ \mathbf{do}\ P\ \mathbf{od}\ \mathbf{true},$$
where $\alpha$ is any formula.
This set of axioms was discovered by V. Pratt and A. Salwicki (cf. Mirkowska, 1981).
The theory $\mathrm{Ar}$ is consistent since it possesses a model. Consider the structure $\mathfrak{N} = \langle N, \mathcal{J}, w\rangle$, where $N$ is the set of all natural numbers and $\mathcal{J}(N) = \{(i, i+1) : i \in N\}$, $\mathcal{J}(P) = \{(i+1, i) : i \in N\}$; $w(i)(z) = 1$ iff $i = 0$. By an easy verification we infer that $\mathfrak{N}$ is a model of $\mathrm{Ax}_{ar}$. We shall call this model standard. Let us see what the meaning of the $\mathrm{Ax}_{ar}$ axioms is. If $\mathfrak{M}$ is a normalized model of $\mathrm{Ax}_{ar}$, then
$$\mathfrak{M} \models \Box N\sim z$$
says that a state obtained by $N_{\mathfrak{M}}$ does not satisfy $z$;
$$\mathfrak{M} \models \{(\Diamond N\alpha \Rightarrow \Box N\alpha)\}_{\alpha \in F}, \qquad \mathfrak{M} \models \{(\Diamond P\alpha \Rightarrow \Box P\alpha)\}_{\alpha \in F}$$
say that $N_{\mathfrak{M}}$ and $P_{\mathfrak{M}}$ are functions;
$$\mathfrak{M} \models (\sim z \equiv \Box P\,\mathbf{true})$$
says that $P_{\mathfrak{M}}$ is defined only for states which do not satisfy $z$;
$$\mathfrak{M} \models \{(\alpha \Rightarrow \Box N\Diamond P\alpha)\}_{\alpha \in F}, \qquad \mathfrak{M} \models \{(\sim z \Rightarrow (\alpha \Rightarrow \Box P\Diamond N\alpha))\}_{\alpha \in F}$$
say that $N_{\mathfrak{M}} = P_{\mathfrak{M}}^{-1}$ for all states in which $\sim z$ holds;
$$\mathfrak{M} \models \Box\,\mathbf{while}\ \sim z\ \mathbf{do}\ P\ \mathbf{od}\ \mathbf{true}$$
says that from any state we must return to the state that satisfies $z$ after a finite number of iterations of $P$.
On the basis of the above information we can easily prove the following lemma:

LEMMA 6.1. Every normalized model of $\mathrm{Ax}_{ar}$ is isomorphic to the standard model $\mathfrak{N}$.
PROOF. Suppose that $\mathfrak{M} \models \mathrm{Ax}_{ar}$ and that $\mathfrak{M}$ is a finite structure. Let $S = \{1, 2, \ldots, n\}$ be the set of all states in $\mathfrak{M}$. By the last of the axioms (1) there exists a state $j$ such that $\mathfrak{M}, j \models z$. Let $1, \ldots, k$ be all states $j$ for which $\mathfrak{M}, j \models z$. By the first of the axioms (1), for every state $i \le n$, the set $N_{\mathfrak{M}}(i)$ is non-empty. Hence
$$N_{\mathfrak{M}}(i) \subset \{k+1, \ldots, n\} \quad\text{for } i \le n.$$
It follows that there is a sequence of states $j_1, \ldots, j_m$ such that $j_1 = j_m$, $j_i \in \{k+1, \ldots, n\}$ and $(j_i, j_{i+1}) \in N_{\mathfrak{M}}$ for $i < m$. This means that there is an infinite computation of while $\sim z$ do $P$ od starting from the initial state $j_1$, contrary to the axiom $\Box\,\mathbf{while}\ \sim z\ \mathbf{do}\ P\ \mathbf{od}\ \mathbf{true}$.
Hence if $\mathfrak{M}$ is a model of $\mathrm{Ax}_{ar}$ then $\mathrm{card}(\mathfrak{M}) \ge \aleph_0$. We shall prove that for every normalized model of $\mathrm{Ax}_{ar}$ there is a unique state $s_0$ such that
$$\mathfrak{M}, s_0 \models z.$$
Suppose, conversely, that there are two states $s_1, s_2$ and
$$(2)\qquad \mathfrak{M}, s_1 \models z, \quad \mathfrak{M}, s_2 \models z, \quad s_1 \ne s_2.$$
Thus the set $Z = \{\alpha : \alpha_{\mathfrak{M}}(s_1) \ne \alpha_{\mathfrak{M}}(s_2)\}$ is non-empty. Let $\alpha$ be a minimal formula in $Z$ with respect to the ordering $\prec$ defined in Definition 3.3.
The formula $\alpha$ cannot take the form of pref$(\beta_1 \vee \beta_2)$, pref$(\beta_1 \wedge \beta_2)$, pref$(\beta_1 \Rightarrow \beta_2)$, pref$\sim\beta_1$, since then pref$\beta_1$ or pref$\beta_2$ would be in $Z$.
The formula $\alpha$ cannot take the form of
pref $\bigcirc\,\mathbf{begin}\ M_1; M_2\ \mathbf{end}\ \beta$, pref $\bigcirc\,\mathbf{while}\ \gamma\ \mathbf{do}\ M\ \mathbf{od}\ \beta$, pref $\bigcirc\,\mathbf{if}\ \gamma\ \mathbf{then}\ M_1\ \mathbf{else}\ M_2\ \mathbf{fi}\ \beta$, pref $\bigcirc\,\mathbf{either}\ M_1\ \mathbf{or}\ M_2\ \mathbf{ro}\ \beta$,
since then it would be possible to find a formula which is submitted to $\alpha$ and which belongs to $Z$.
Formulas of the form pref $z$ remain to be considered, but in this case it is sufficient to restrict the prefix to $\Box N^i$, where $i > 0$. However, from the axiom
$$\mathfrak{M} \models \Box N\sim z$$
we have $\mathfrak{M}, s_1 \models \sim\Box N^i z$ and $\mathfrak{M}, s_2 \models \sim\Box N^i z$.
Thus the states $s_1, s_2$ satisfy exactly the same formulas and therefore $s_1 = s_2$, a contradiction with (2).
Hence in every normalized model $\mathfrak{M}$ of $\mathrm{Ax}_{ar}$ there is exactly one state which satisfies $z$.
Since $N_{\mathfrak{M}}$ and $P_{\mathfrak{M}}$ are functions, the only possible situation is described by Figure 6.1.

This is obviously isomorphic to the standard model $\mathfrak{N}$ since the mapping $h$,
$$h(0) = s_0, \qquad h(n+1) = N_{\mathfrak{M}}(h(n)),$$
defines a one-to-one homomorphism from $\mathfrak{N}$ onto $\mathfrak{M}$. □

LEMMA 6.2. Any two models of $\mathrm{Ax}_{ar}$ are algorithmically equivalent.

PROOF. This follows from Theorem 3.2 and Lemma 6.1, since any two isomorphic structures are algorithmically equivalent. □

REMARK. One can conceive of the propositional theory of arithmetic as the theory of a calculator. We are given a black box (cf. Figure 6.2) with a lamp $z$ and two buttons $N$ and $P$. The axioms (1) are all we know.

Fig. 6.2 (a module with the lamp $z$ and the buttons $N$, $P$)

Their interpretation is as follows: after pressing the button $N$ the lamp $z$ is switched off. If the lamp $z$ is switched on, the button $P$ is blocked; pressing the button $P$ a finite number of times causes the lamp $z$ to light up.
From Lemma 6.1 we know that inside the black box there is a register for a natural number (don't ask us how this is implemented). Suppose we have three such modules (cf. Figure 6.3)

Fig. 6.3 (three modules: $z_1, N_1, P_1$; $z_2, N_2, P_2$; $z_3, N_3, P_3$)

and consider the following program

    PLUS: begin while ~z_3 do P_3 od;
                while ~z_2 do N_3; P_2 od;
                while ~z_1 do N_3; P_1 od
          end.

We can imagine that a lid is constructed which, when put over the three modules, brings into operation a new button $+$ which, when pressed, causes the sum of the registers $R_1$ and $R_2$ to be evaluated and placed in the register $R_3$. □
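The calculator of the remark, simulated as an added example (not code from the book): each module is the standard model $\mathfrak{N}$, so its hidden state is a natural number, the lamp $z$ reports whether that number is 0, $N$ and $P$ are the successor and predecessor buttons, and pressing $P$ while the lamp is on is blocked, as the axiom $(z \equiv \sim\Box P\,\mathbf{true})$ demands. The class and function names are assumptions of this example; PLUS is the program above, and the simulation also shows what the program leaves in modules 1 and 2.

```python
# Added example, not from the book: the three-module calculator, each module
# interpreted in the standard model N of Ax_ar (a hidden natural-number register).
class Module:
    """A black box with lamp z and buttons N, P; only these three are 'visible'."""
    def __init__(self, value=0):
        self._r = value            # the register Lemma 6.1 says must be inside

    def z(self):                   # lamp z is on iff the register holds 0
        return self._r == 0

    def N(self):                   # axiom []N ~z: after pressing N the lamp is off
        self._r += 1

    def P(self):                   # axiom (z == ~[]P true): P is blocked when z is on
        if self.z():
            raise RuntimeError("button P is blocked while lamp z is on")
        self._r -= 1

    def reveal(self):              # for checking the simulation only; not a button
        return self._r

def plus(m1, m2, m3):
    """The program PLUS from the remark; returns the value left in module 3."""
    while not m3.z():              # while ~z3 do P3 od        (clear R3)
        m3.P()
    while not m2.z():              # while ~z2 do N3; P2 od    (move R2 into R3)
        m3.N(); m2.P()
    while not m1.z():              # while ~z1 do N3; P1 od    (move R1 into R3)
        m3.N(); m1.P()
    return m3.reveal()

def press_plus(r1, r2, r3):
    """Press + on modules holding r1, r2, r3; returns the three final registers."""
    m1, m2, m3 = Module(r1), Module(r2), Module(r3)
    plus(m1, m2, m3)
    return m1.reveal(), m2.reveal(), m3.reveal()

def p_blocked_when_z_on():
    """True iff pressing P on a module whose lamp is on is refused."""
    try:
        Module(0).P()
    except RuntimeError:
        return True
    return False

if __name__ == '__main__':
    print(press_plus(3, 4, 9))     # (0, 0, 7): the sum lands in R3, R1 and R2 are emptied
```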

EXAMPLE 6.2. Propositional theory of stacks. We shall now describe a propositional version of the algorithmic theory of stacks.
Let $\mathrm{St} = \langle L, C, \mathrm{Ax}_{st}\rangle$ be an algorithmic propositional theory, where $L$ is an algorithmic language as described in § 1 which contains the propositional variables $e$, $t1$, $t2$ and the program variables push, pop. $\mathrm{Ax}_{st}$ is the set of specific axioms and contains all formulas of the following form:
$$\Box\,\mathrm{push}\,((\sim e \wedge \sim t1 \wedge t2) \vee (\sim e \wedge \sim t2 \wedge t1)),$$
$$(e \equiv \sim(t1 \vee t2)),$$
$$\Box\,\mathbf{while}\ \sim e\ \mathbf{do}\ \mathrm{pop}\ \mathbf{od}\ \mathbf{true},$$
$$(\alpha \Rightarrow \Box\,\mathrm{push}(\Diamond\,\mathrm{pop}\,\alpha)),$$
$$(e \Rightarrow \sim\Diamond\,\mathrm{pop}\,\mathbf{true}),$$
$$(\Box\,\mathrm{pop}\,\alpha \equiv \Diamond\,\mathrm{pop}\,\alpha),$$
$$((\Diamond\,\mathrm{push}(\alpha\wedge\beta) \wedge \Diamond\,\mathrm{push}(\alpha\wedge\sim\beta)) \Rightarrow \Box\,\mathrm{push}\,\alpha),$$
where $\alpha, \beta$ are arbitrary formulas of the language.

The theory $\mathrm{St}$ is consistent since the following structure is a model of $\mathrm{Ax}_{st}$: $\mathfrak{M} = \langle S, \mathcal{J}, w\rangle$ where $S = \{1, 2\}^* \cup \{\emptyset\}$,
$$\mathcal{J}(\mathrm{pop}) = \{(is, s) : s \in S,\ i = 1, 2\},$$
$$\mathcal{J}(\mathrm{push}) = \{(s, 1s) : s \in S\} \cup \{(s, 2s) : s \in S\},$$
$$w(s) = v_s \ \text{ such that }\ v_s(t1) = 1 \text{ iff } s = 1i_1i_2\ldots,\quad v_s(t2) = 1 \text{ iff } s = 2i_1i_2\ldots,\quad v_s(e) = 1 \text{ iff } s = \emptyset.$$
This model, known as the standard model, is illustrated in Figure 6.4.

Fig. 6.4 (the standard model of stacks: the words 111, 211, 112, 212, ... as states)

LEMMA 6.3. Every normalized model of $\mathrm{St}$ is isomorphic with the standard one.
The proof is similar to the one given in the previous example. □

LEMMA 6.4. Any two models of $\mathrm{St}$ are algorithmically equivalent. □

7. LINDENBAUM ALGEBRA

We shall now describe the Lindenbaum algebra of a theory $T = \langle L, C, A\rangle$ based on PAL and some of its properties, which will be useful in further considerations.

Let $T$ be a theory based on PAL and let $\approx$ be an equivalence relation in the set of all formulas $F$ defined as follows:
$$\alpha \approx \beta \quad\text{iff}\quad (\alpha \Rightarrow \beta) \text{ and } (\beta \Rightarrow \alpha) \text{ are theorems in } T.$$
It is easy to verify that $\approx$ is a congruence with respect to $\vee$, $\wedge$, $\sim$, and if $\alpha \approx \beta$ then, for every program $M$, $\Box M\alpha \approx \Box M\beta$ and $\Diamond M\alpha \approx \Diamond M\beta$.
By $\|\alpha\|$ we denote the set of all formulas $\beta$ such that $\alpha \approx \beta$. The following theorem characterizes the algebra $F/\!\approx$ (cf. Chapter III, § 1).

Theorem 7.1. The system (F/≈, ∪, ∩, −) is a Boolean algebra,
where ||α|| ∪ ||β|| = ||(α ∨ β)||, −||α|| = ||~α||, ||α|| ∩ ||β|| = ||(α ∧ β)||
and:
  (i) ||α|| ≤ ||β|| iff (α ⇒ β) is a theorem in T,
  (ii) α is a theorem in T iff ||α|| = 1,
  (iii) ||~α|| ≠ 0 iff α is not a theorem in T. □

Theorem 7.2. For arbitrary formulas α ∈ F, γ ∈ F_0 and for any
program scheme M, the following equalities hold:
  ||pref □ while γ do M od α|| = l.u.b._{i∈N} ||pref □(if γ then M fi)^i(~γ ∧ α)||,
  ||pref ◇ while γ do M od α|| = l.u.b._{i∈N} ||pref ◇(if γ then M fi)^i(~γ ∧ α)||,
where pref is an arbitrary prefix.
The proofs of Theorems 7.1, 7.2 are similar to the proofs of Lemmas
1.1-1.3 in Chapter III. □

Corollary. Under the same assumptions as in Theorem 7.2,
  ||~pref □ while γ do M od α|| = g.l.b._{i∈N} ||~pref □(if γ then M fi)^i(~γ ∧ α)||,
  ||~pref ◇ while γ do M od α|| = g.l.b._{i∈N} ||~pref ◇(if γ then M fi)^i(~γ ∧ α)||. □

By the above theorem, the Lindenbaum algebra F/≈ can be considered
as a Boolean algebra with an at most enumerable set of infinite oper-
ations (Q):
  l.u.b._{i∈N} ||pref □(if γ then M fi)^i(~γ ∧ α)||,
  l.u.b._{i∈N} ||pref ◇(if γ then M fi)^i(~γ ∧ α)||
for all M ∈ Π, α ∈ F, γ ∈ F_0 and an arbitrary prefix pref.


Let us recall that by a Q-filter in the Boolean algebra F/≈ with the set
of infinite operations Q we understand a maximal filter that preserves
all Q-operations, i.e. a maximal filter 𝓕 such that
  l.u.b._{i∈N} ||pref ◇(if γ then M fi)^i(~γ ∧ α)|| ∈ 𝓕
implies that there exists an i_0 such that
  ||pref ◇(if γ then M fi)^{i_0}(~γ ∧ α)|| ∈ 𝓕,
cf. Appendix A.
Making use of the Rasiowa-Sikorski Lemma (Rasiowa and Sikorski,
1968) we obtain the following:

Lemma 7.3. If the theory T is consistent then the Lindenbaum algebra
of that theory is a non-degenerate algebra and the family of all Q-filters
in F/≈ is a non-empty set (cf. Appendix A). □

8. DETERMINISTIC AND TOTAL INTERPRETATIONS OF ATOMIC PROGRAMS

In this section we shall consider a special kind of semantic structures
called functional semantic structures.
By 𝔐_f we denote a semantic structure <S, J, w> which assigns
a total function in S to every program variable. We shall say that 𝔐_f
is a functional semantic structure.
Let us extend the set of axioms defined in § 5 of this chapter by the
axioms of the following two schemes:
  □K true,
  (◇Kα ⇒ □Kα), for K ∈ V_p
and all formulas α ∈ F. Denote the new consequence operation by C_f
and the corresponding propositional calculus by PAL_f.
We shall say that α is functionally valid if it is valid in every functional
structure.

Lemma 8.1. If α is a theorem of PAL_f then α is valid in every functional
structure 𝔐_f.

Proof. To prove this lemma it is sufficient to discuss the axioms
□K true and (◇Kα ⇒ □Kα), where K ∈ V_p.
The validity of these formulas follows immediately, since for every
state s, the set K_{𝔐_f}(s) has exactly one element (see also Lemma 3.4). □

Lemma 8.2. The propositional algorithmic logic PAL_f is consistent. □

Let us note that the set of all theorems in PAL_f is closed under the
generalization rule
      α
    -----    for K ∈ V_p.
    □Kα

Lemma 8.3. The following formulas are theorems in PAL_f:
  □K(α ∨ β) ⇔ (□Kα ∨ □Kβ),
  ◇K(α ∧ β) ⇔ (◇Kα ∧ ◇Kβ),
  ~□Kα ⇔ ◇K~α,
where K is a program variable and α, β are arbitrary formulas. □

Corollary 8.1. There are formulas which are functionally valid and
which are not valid in every structure. □

Let T_f be a consistent theory based on PAL_f. We shall construct
a model of such a theory. Let 𝓕 be an arbitrary Q-filter in the
Lindenbaum algebra of that theory (cf. § 7 of this chapter).
We shall consider a proper semantic structure
  𝔐_𝓕 = <W_0, J>,
where
W_0 is the set of valuations v_pref, pref ∈ ({◇K}_{K∈V_p} ∪ {□K}_{K∈V_p})*,
  v_pref(q) = 1 iff ||pref q|| ∈ 𝓕 for every propositional variable q, and
J is a functional interpretation of the program variables in W_0
such that
  J(K) = {(v_pref, v_{pref □K}): for every prefix pref}, K ∈ V_p.
The following lemma holds.

Lemma 8.4. For every formula α and every prefix c,
  ||cα|| ∈ 𝓕 iff 𝔐_𝓕, v_c ⊨ α.
Proof. The proof is by induction on the complexity of the formula.
The basic step of the induction follows immediately from the definition
of 𝔐_𝓕. Assume that Lemma 8.4 holds for all formulas which are
submitted to α_0.
1. Suppose α_0 is of the form □Kα where K ∈ V_p;
  𝔐_𝓕, v_c ⊨ □Kα iff 𝔐_𝓕, v_{c□K} ⊨ α.
By the inductive assumption this holds iff ||c□Kα|| ∈ 𝓕.
2. Let α_0 be of the form (α ∨ β).
  𝔐_𝓕, v_c ⊨ (α ∨ β) iff 𝔐_𝓕, v_c ⊨ α or 𝔐_𝓕, v_c ⊨ β.
By the inductive hypothesis, this is equivalent to ||cα|| ∈ 𝓕 or ||cβ||
∈ 𝓕. But the formula (cα ∨ cβ) ⇔ c(α ∨ β) is a theorem in T, thus
||c(α ∨ β)|| ∈ 𝓕.
3. Consider a formula α_0 of the form □ while γ do M od β. By
Lemma 2.3, 𝔐_𝓕, v_c ⊨ □ while γ do M od β iff there exists
an i_0 such that 𝔐_𝓕, v_c ⊨ □(if γ then M fi)^{i_0}(~γ ∧ β). By the in-
ductive hypothesis this is equivalent to the following:
  (∃i_0) ||c□(if γ then M fi)^{i_0}(~γ ∧ β)|| ∈ 𝓕.
By the definition of the Q-filter 𝓕 we have
  𝔐_𝓕, v_c ⊨ α_0 iff l.u.b._{i∈N} ||c□(if γ then M fi)^i(~γ ∧ β)|| ∈ 𝓕
and from Theorem 7.2
  𝔐_𝓕, v_c ⊨ α_0 iff ||c□ while γ do M od β|| ∈ 𝓕.
4. Consider a formula α_0 of the form □ either M_1 or M_2 ro β.
By the definition of the interpretation and of the value of the formula,
𝔐_𝓕, v_c ⊨ □ either M_1 or M_2 ro β iff 𝔐_𝓕, v_c ⊨ □M_1β and
𝔐_𝓕, v_c ⊨ □M_2β. By the inductive hypothesis and the properties
of the Q-filter we have
  □(either M_1 or M_2 ro β)_{𝔐_𝓕}(v_c) = 1 iff ||c□M_1β|| ∈ 𝓕 and ||c□M_2β|| ∈ 𝓕.
Since
  PAL_f ⊢ (□M_1β ∧ □M_2β) ⇔ □ either M_1 or M_2 ro β,
then from Lemma 8.3 we have
  𝔐_𝓕, v_c ⊨ α_0 iff ||c □ either M_1 or M_2 ro β|| ∈ 𝓕.
5. Let α_0 be of the form ~α. Then 𝔐_𝓕, v_c ⊨ ~α iff ||cα|| ∉ 𝓕.
Since the filter 𝓕 is prime and the formula (□K~α ⇔ ~□Kα) is a
theorem in PAL_f, we have 𝔐_𝓕, v_c ⊨ ~α iff ||c~α|| ∈ 𝓕.
The remaining cases can be dealt with analogously. □

Theorem 8.5. For every formula α, α is a theorem of PAL_f iff α is
functionally valid.

Proof. By the Adequacy Theorem 4.1, if α is a PAL_f theorem, then
α is functionally valid.
Suppose that α is a functionally valid formula and α is not a theorem
in PAL_f. By Theorem 7.1, ||~α|| ≠ 0. By Lemma 7.3 there exists
a Q-filter 𝓕 in the Lindenbaum algebra F/≈ such that ||~α|| ∈ 𝓕.
Let us construct the set of valuations v_c and the interpretation J as
defined above for this filter. By Lemma 8.4, 𝔐_𝓕, v_∅ ⊨ ~α, and
therefore α is not functionally valid. □

Theorem 8.6. The theory T = <L_0, C, A> based on PAL_f is con-
sistent iff T has a model.
Proof. The one-way implication is obvious. Assume that T is con-
sistent, i.e. that there exists a formula α such that α is not a theorem
in T. Thus ||~α|| ≠ 0 and there exists a Q-filter 𝓕 such that ||~α|| ∈ 𝓕.
The semantic structure 𝔐_𝓕 defined as above is a model of T. Indeed,
if β ∈ A, then for every prefix c,
  A ⊢ cβ.
Hence ||cβ|| ∈ 𝓕. By Lemma 8.4, 𝔐_𝓕, v_c ⊨ β for every valuation v_c
in 𝔐_𝓕, i.e. 𝔐_𝓕 ⊨ β. □

As a consequence of the above theorems we have the following
Completeness Theorem:

Theorem 8.7. For any consistent theory T_f based on PAL_f, the fol-
lowing conditions are equivalent:
(i) α is a theorem of T_f;
(ii) α is valid in every proper functional model of T_f;
(iii) α is valid in every normalized functional model of T_f;
(iv) α is valid in every functional model of T_f.
Proof.
(i) → (ii) by the Adequacy Theorem 5.3.
To prove that (ii) implies (i), assume that α is not a theorem in T_f.
Thus ||~α|| ≠ 0. A Q-filter 𝓕 such that ||~α|| ∈ 𝓕 therefore exists.
Let us consider the proper model 𝔐_𝓕 connected with 𝓕. From
Lemma 8.4, for every prefix pref,
  𝔐_𝓕, v_pref ⊨ ~α iff ||pref ~α|| ∈ 𝓕.
In particular,
  non 𝔐_𝓕, v_∅ ⊨ α,
and therefore it is not true that α is valid in every proper model of T_f.
(iii) → (i) since the canonical model 𝔐_𝓕 is normalized.
(i) → (iv) by the Adequacy Theorem 8.5.
(iv) → (ii) and (iv) → (iii) are both obvious. □

9. PARTIAL FUNCTIONAL INTERPRETATIONS

In § 8 of this chapter, where the simplest version of propositional
algorithmic logic was described, the meaning of a program variable
was a total function.
We now study another version of PAL, in which every interpretation
of a program variable is a partial function. We shall prove the Com-
pleteness Theorem in a new way; the models constructed here are no
longer proper models.
Let us denote by PAL_pf a deductive system based on the axioms
and rules described in § 5 of this chapter with one new axiom scheme
  (◇Kα ⇒ □Kα)
for every program variable K and every formula α. Our aim in this
section is to prove the following property:
For every set of formulas Z and every formula α
  Z ⊢_pf α iff Z ⊨_pf α.
⊨_pf means that we shall consider only structures 𝔐_pf = <S, J, w>
in which for all K ∈ V_p and s ∈ S, K_𝔐(s) is an at most one-element set.
In other words, the meaning of a program variable is a partial function.
First of all, let us note that in every structure 𝔐_pf the formula
  (◇Kα ⇒ □Kα)
is valid for every K ∈ V_p and α ∈ F (cf. Lemma 3.4).
As an immediate consequence of Lemma 5.2 and the above obser-
vation we obtain the following lemma.

Lemma 9.1. For every theory T based on PAL_pf and every formula α,
if T ⊢_pf α, then T ⊨_pf α. □

Let T be a consistent theory based on PAL_pf. We shall construct
a model of T in the Lindenbaum algebra of that theory (cf. § 7 of this
chapter). By a canonical structure of a theory T we shall mean a semantic
structure 𝔐_0 such that
  𝔐_0 = <QF, J_0, w_0>,
where:
QF is the family of all Q-filters in the Lindenbaum algebra of the
theory T,
for every program variable K, J_0(K) = {(𝓕_1, 𝓕_2) ∈ QF²: ||◇K true||
∈ 𝓕_1 and, for every α, if ||□Kα|| ∈ 𝓕_1 then ||α|| ∈ 𝓕_2},
w_0 is a function which to every Q-filter 𝓕 ∈ QF assigns a valuation v_𝓕
such that for all p ∈ V_0
  v_𝓕(p) = 1 iff ||p|| ∈ 𝓕.
Let us consider the canonical model 𝔐_0 of a consistent theory T_pf,
  𝔐_0 = <QF, J_0, w_0>.
Fact 1. QF is a non-empty set.

Fact 2. For every program variable K, every formula β and every
Q-filter 𝓕, if ||◇Kβ|| ∈ 𝓕 then there exists a Q-filter 𝓕_1 such that
𝓕 K_{𝔐_0} 𝓕_1 and ||β|| ∈ 𝓕_1.
Proof. Let us denote by Z_{𝓕,K} the following set
  {||β||: ||□Kβ|| ∈ 𝓕}.
1° Z_{𝓕,K} ≠ ∅.
Indeed, since ||◇K true|| ∈ 𝓕 and ⊢_pf (◇K true ⇒ □K true) we have
||□K true|| ∈ 𝓕 and therefore ||true|| ∈ Z_{𝓕,K}.
2° Z_{𝓕,K} is a filter.
Let us assume that ||(α ∧ β)|| ∈ Z_{𝓕,K}. From the definition of Z_{𝓕,K},
||□K(α ∧ β)|| ∈ 𝓕. From the axiom □K(α ∧ β) ⇔ (□Kα ∧ □Kβ)
we have ||(□Kα ∧ □Kβ)|| ∈ 𝓕. In fact 𝓕 is a filter, thus ||□Kα|| ∈ 𝓕
and ||□Kβ|| ∈ 𝓕, and therefore ||α|| ∈ Z_{𝓕,K} and ||β|| ∈ Z_{𝓕,K}.
3° Z_{𝓕,K} is a maximal filter.
Suppose that ||α|| ∪ ||β|| ∈ Z_{𝓕,K}. Thus ||(α ∨ β)|| ∈ Z_{𝓕,K} and con-
sequently ||□K(α ∨ β)|| ∈ 𝓕. From the axioms of PAL_pf, ⊢_pf ◇Kδ
⇔ □Kδ for every formula δ and
  ⊢_pf ◇K(α ∨ β) ⇔ (◇Kα ∨ ◇Kβ).
Hence, we have ||(□Kα ∨ □Kβ)|| ∈ 𝓕. Since 𝓕 is a maximal filter,
||□Kα|| ∈ 𝓕 or ||□Kβ|| ∈ 𝓕. As a consequence of this, ||α|| ∈ Z_{𝓕,K}
or ||β|| ∈ Z_{𝓕,K} for any two formulas α, β.
4° Z_{𝓕,K} is a Q-filter.
Suppose that
  ||pref □ while γ do M od α|| ∈ Z_{𝓕,K}
for some prefix pref, formulas γ ∈ F_0 and α ∈ F and a program M ∈ Π.
Hence, ||□K pref □ while γ do M od α|| ∈ 𝓕. But 𝓕 is a Q-filter, thus
there exists an i such that ||□K pref □(if γ then M fi)^i(~γ ∧ α)|| ∈ 𝓕.
By the definition of Z_{𝓕,K}, ||pref □(if γ then M fi)^i(~γ ∧ α)|| ∈ Z_{𝓕,K}.
Analogously we can prove that if ||pref ◇ while γ do M od α|| ∈ Z_{𝓕,K}
then there exists an i such that ||pref ◇(if γ then M fi)^i(~γ ∧ α)|| ∈ Z_{𝓕,K}.
Hence Z_{𝓕,K} is a Q-filter.
Observe that since ||◇Kβ|| ∈ 𝓕 and ⊢_pf (◇Kβ ⇒ □Kβ), then ||β|| ∈
Z_{𝓕,K}. By the definition of J_0, (𝓕, Z_{𝓕,K}) ∈ K_{𝔐_0}. Hence Z_{𝓕,K} is the
required Q-filter. □

Fact 3. For every Q-filter 𝓕 ∈ QF and every program variable K,
K_{𝔐_0}(𝓕) is an at most one-element set.
Proof. Suppose the contrary. Let 𝓕_1, 𝓕_2 ∈ K_{𝔐_0}(𝓕). By the defi-
nition of the canonical structure and the proof of Fact 2,
  𝓕_2 ⊇ Z_{𝓕,K} and 𝓕_1 ⊇ Z_{𝓕,K}.
Since Z_{𝓕,K} is a Q-filter, it cannot be contained in any other Q-filter.
Thus 𝓕_1 = 𝓕_2 = Z_{𝓕,K}. □

Fact 4. If ||◇Kα|| ∈ 𝓕 then, for every Q-filter 𝓕', 𝓕 K_{𝔐_0} 𝓕' im-
plies ||α|| ∈ 𝓕'.
This is an immediate consequence of Fact 2. □

The following lemma is basic for our further considerations:

Lemma 9.2. For every formula α of a propositional algorithmic language
and for every Q-filter 𝓕 ∈ QF
  (*) 𝔐_0, 𝓕 ⊨ α iff ||α|| ∈ 𝓕.
Proof. The proof is by induction on the complexity of the formula α.
For the base of the induction (propositional variables) the proof of
Lemma 9.2 follows immediately from the definition of the canonical
structure 𝔐_0.
Assume that (*) holds for all formulas that are submitted to a
formula α (cf. Definition 3.3).
— Let us consider a formula □Kβ, where K is a program variable.
Suppose that 𝔐_0, 𝓕 ⊨ □Kβ.
By the definition of the structure 𝔐_0, K_{𝔐_0}(𝓕) ≠ ∅, and
  (1) for every 𝓕' ∈ K_{𝔐_0}(𝓕), 𝔐_0, 𝓕' ⊨ β.
By the inductive assumption ||β|| ∈ 𝓕' and since 𝓕 K_{𝔐_0} 𝓕', we have
  (2) ||◇K true|| ∈ 𝓕.
Now suppose that ||□Kβ|| ∉ 𝓕. The formula
  ~□Kβ ⇔ (◇K~β ∨ ~◇K true)
is a theorem of PAL_pf and therefore
  ||(◇K~β ∨ ~◇K true)|| ∈ 𝓕.
Since 𝓕 is a maximal filter, we have
  (3) ||◇K~β|| ∈ 𝓕 or
  (4) ||~◇K true|| ∈ 𝓕.
Case (4) is impossible because of (2).
Suppose (3). By Fact 2 there exists a Q-filter 𝓕'' such that
𝓕 K_{𝔐_0} 𝓕'' and ||~β|| ∈ 𝓕''.
By (1) and the inductive assumption we have ||β|| ∈ 𝓕'', a contradiction.
Hence, if 𝔐_0, 𝓕 ⊨ □Kβ then ||□Kβ|| ∈ 𝓕.
Conversely, if ||□Kβ|| ∈ 𝓕 then by Fact 3, for every Q-filter 𝓕',
if 𝓕 K_{𝔐_0} 𝓕' then ||β|| ∈ 𝓕', and by Fact 2, K_{𝔐_0}(𝓕) ≠ ∅. By the
inductive assumption 𝔐_0, 𝓕' ⊨ β and therefore 𝔐_0, 𝓕 ⊨ □Kβ.
— Consider the formula ◇Kα, for K ∈ V_p. Suppose that 𝔐_0, 𝓕 ⊨ ◇Kα.
By the definition of the interpretation there exists a Q-filter 𝓕' such
that 𝓕 K_{𝔐_0} 𝓕' and 𝔐_0, 𝓕' ⊨ α. By the inductive assumption, we have
  (5) 𝓕 K_{𝔐_0} 𝓕' and ||α|| ∈ 𝓕'.
Suppose that ||◇Kα|| ∉ 𝓕; then
  (6) ||~◇Kα|| ∈ 𝓕.
Since 𝓕 K_{𝔐_0} 𝓕' we have ||◇K true|| ∈ 𝓕. Since ⊢ □K~α
⇔ (~◇Kα ∧ ◇K true), we have by (6) ||□K~α|| ∈ 𝓕 and by (5)
||~α|| ∈ 𝓕', a contradiction. Conversely, if ||◇Kα|| ∈ 𝓕 then, by Fact 2
and the definition of the interpretation, 𝔐_0, 𝓕 ⊨ ◇Kα.
The proof of the other cases is similar to that of the analogous theorem
for non-deterministic algorithmic logic (cf. Chapter VI). □

Theorem 9.3 (Model Existence Theorem). For every consistent theory
T_pf = <L_0, C, A> based on PAL_pf there exists a model of T_pf.

Proof. We shall prove that the canonical structure 𝔐_0 of the theory
T_pf is a model of A.
If β ∈ A, then ||β|| ∈ 𝓕 for every Q-filter 𝓕. By Lemma 9.2,
𝔐_0, 𝓕 ⊨ β. Thus 𝔐_0 is a model of the set A. □

The Completeness Theorem below is a simple consequence of the
above considerations and the fact that 𝔐_0 is a normalized model.

Theorem 9.4. For every formula α of a consistent theory T_pf
= <L, C, A> the following conditions are equivalent:
(i) α is a theorem of T_pf;
(ii) α is valid in every pf-model of T_pf;
(iii) α is valid in every normalized structure 𝔐_pf which is a model of T_pf.
Proof. (i) implies (ii) by virtue of Theorem 5.3. To prove that (ii) im-
plies (i), assume that α is valid in every model of T_pf and α is not a the-
orem. Then by Theorem 7.1, ||~α|| ≠ 0. Hence there exists a Q-filter 𝓕
which contains ||~α||. From Theorem 9.3 the canonical structure 𝔐_0
is a model of A and from Lemma 9.2 the formula α is not valid in 𝔐_0. Thus
𝔐_0 is not a model of α. □

10. BOUNDED NON-DETERMINISM: THE COMPLETENESS THEOREM

In this section we shall consider another complete extension of PAL.
Every program variable will now be interpreted as a relation which
contains at most m pairs with the same first element.
We shall discuss in detail the case m = 2, i.e. we shall assume that
in every semantic structure and for every state we can pass to at most
two other states by means of an atomic program K, K ∈ V_p.
Let us denote by Ax2 the following scheme
  ((◇K(α ∧ β) ∧ ◇K(α ∧ ~β)) ⇒ □Kα)
where K ∈ V_p, α, β ∈ F.
Lemma 10.1 below explains the meaning of this formula.

Lemma 10.1. Let 𝔐 be a normalized structure 𝔐 = <S, J, w>.
If 𝔐 ⊨ Ax2 then for all s ∈ S, card(J(K)(s)) ≤ 2.
Proof. Let 𝔐 be a fixed normalized structure and
  (∀α, β ∈ F) 𝔐 ⊨ Ax2.
Suppose that
  card(J(K)(s)) > 2 for some state s.
Let s_1, s_2, s_3 ∈ J(K)(s) and s_1 ≠ s_2, s_2 ≠ s_3, s_1 ≠ s_3. There then exist
formulas α, β such that
  α_𝔐(s_1) ≠ α_𝔐(s_2), α_𝔐(s_1) = α_𝔐(s_3),
  β_𝔐(s_1) ≠ β_𝔐(s_3).
Let γ̄ denote γ or ~γ depending on its value in the structure 𝔐 at
state s_1,
  γ̄ = γ   if 𝔐, s_1 ⊨ γ,
  γ̄ = ~γ  if 𝔐, s_1 ⊨ ~γ.
We now have
  𝔐, s_1 ⊨ (ᾱ ∧ β̄) and 𝔐, s_3 ⊨ (ᾱ ∧ ~β̄).
Hence,
  𝔐, s ⊨ (◇K(ᾱ ∧ β̄) ∧ ◇K(ᾱ ∧ ~β̄)),
and at the same time
  𝔐, s_2 ⊨ ~ᾱ, i.e. 𝔐, s ⊨ ~□Kᾱ.
Thus
  𝔐, s ⊨ ~((◇K(ᾱ ∧ β̄) ∧ ◇K(ᾱ ∧ ~β̄)) ⇒ □Kᾱ),
a contradiction. □

Lemma 10.2. If 𝔐 is a semantic structure 𝔐 = <S, J, w> such that
for all s ∈ S, card(K_𝔐(s)) ≤ 2, then 𝔐 is a model of Ax2.
Proof. Since the value of the formula is defined in a unique way
and no state can simultaneously satisfy both of the formulas (α ∧ β)
and (α ∧ ~β), Lemma 10.2 is obvious for card(K_𝔐(s)) ≤ 1. Suppose
that for some s, card(K_𝔐(s)) = 2. If one state of the set K_𝔐(s) satisfies
(α ∧ β) and the other one (α ∧ ~β), then obviously □Kα is also sa-
tisfied. □

Let PAL2 denote a propositional algorithmic logic which is an ex-
tension of PAL by the scheme Ax2:
  ((◇K(α ∧ β) ∧ ◇K(α ∧ ~β)) ⇒ □Kα), α, β ∈ F, K ∈ V_p.
Let T2 be a consistent theory based on PAL2 and let 𝔐_0 be the
canonical structure for that theory, 𝔐_0 = <QF, J_0, w_0> (cf. § 9 of
this chapter).

Lemma 10.3. The canonical structure for T2 is a model of Ax2.
Proof. By Lemma 10.2 it is sufficient to prove that card(K_{𝔐_0}(𝓕)) ≤ 2
for every Q-filter 𝓕. Suppose that
  K_{𝔐_0}(𝓕) ⊇ {𝓕_1, 𝓕_2, 𝓕_3},
where 𝓕_1, 𝓕_2, 𝓕_3 are different Q-filters. Hence, there exists a for-
mula α such that
  ||α|| ∈ 𝓕_1 and ||α|| ∉ 𝓕_2.
Since 𝓕_3 is maximal, either ||α|| or ||~α|| belongs to 𝓕_3.
A. If ||α|| ∈ 𝓕_3 then there exists a formula β such that
  ||β|| ∉ 𝓕_3 and ||β|| ∈ 𝓕_1.
B. If ||α|| ∉ 𝓕_3 then there exists a formula β such that
  ||β|| ∉ 𝓕_3 and ||β|| ∈ 𝓕_2.
These two possibilities are illustrated in Figure 10.1 (cases A and B).
Consider case A.
If ||□Kα|| ∈ 𝓕, then ||α|| ∈ 𝓕_1 ∩ 𝓕_2 by the definition of the inter-
pretation J_0. This contradicts our assumptions. Thus ||□Kα|| ∉ 𝓕.
Since 𝓕 is a maximal filter, we have ||~□Kα|| ∈ 𝓕.
By Ax2 and the maximality of 𝓕,
  (1) ||~◇K(α ∧ β)|| ∈ 𝓕 or
  (2) ||~◇K(α ∧ ~β)|| ∈ 𝓕.
Assuming (1), we have
  ||(~□K true ∨ □K~(α ∧ β))|| ∈ 𝓕.
Thus ||□K~(α ∧ β)|| ∈ 𝓕 and in consequence
  (3) ||~(α ∧ β)|| ∈ 𝓕_1 ∩ 𝓕_2 ∩ 𝓕_3.
But ||~α|| ∉ 𝓕_1 and ||~β|| ∉ 𝓕_1, which contradicts (3).
Assuming (2), we have
  ||(~□K true ∨ □K~(α ∧ ~β))|| ∈ 𝓕.
Thus ||□K~(α ∧ ~β)|| ∈ 𝓕 and by the definition of J_0,
  ||~(α ∧ ~β)|| ∈ 𝓕_1 ∩ 𝓕_2 ∩ 𝓕_3.
But ||~α|| ∉ 𝓕_3 and ||β|| ∉ 𝓕_3, a contradiction. Hence situation
A is impossible.
Now let us consider case B.
After considerations similar to the above ones, we find that both
of the assumptions
  ||□K~α|| ∈ 𝓕 and ||□K~α|| ∉ 𝓕
lead to a contradiction.
It is thus impossible to have three different Q-filters 𝓕_1, 𝓕_2, 𝓕_3
such that
  𝓕 K_{𝔐_0} 𝓕_i, i = 1, 2, 3. □

The following lemma is fundamental to our further discussion.

Lemma 10.4. If ||◇Kα|| ∈ 𝓕, then there exists a Q-filter 𝓕' such that
||α|| ∈ 𝓕' and 𝓕 K_{𝔐_0} 𝓕'.
Proof. Consider the set
  Z_{𝓕,K} = {||β||: ||□Kβ|| ∈ 𝓕}.
Z_{𝓕,K} is a proper filter as was shown in § 9 of this chapter.
A. We claim that for every formula of the form
  pref ◇ while γ do M od β
there is an index i such that
  ||pref ◇ while γ do M od β ⇒ pref ◇(if γ then M fi)^i(~γ ∧ β)|| ∈ Z_{𝓕,K}.
We denote the antecedent by while for short and the succedent by if^i.
Suppose that for every i
  (4) ||(while ⇒ if^i)|| ∉ Z_{𝓕,K}.
By the definition of Z_{𝓕,K}
  ||~□K(while ⇒ if^i)|| ∈ 𝓕 for all i.
By axiom Ax2, for every formula δ
  ||~◇K((while ⇒ if^i) ∧ δ) ∨ ~◇K((while ⇒ if^i) ∧ ~δ)|| ∈ 𝓕.
Let us take the formula while to be δ. We then have
  ||(~◇K(if^i ∧ while) ∨ ~◇K(~while))|| ∈ 𝓕.
Since ||◇K true|| ∈ 𝓕 and since 𝓕 is a maximal filter, we have for
every natural number i, either
  ||◇K if^i|| ∉ 𝓕 or ||□K while|| ∈ 𝓕.
Hence, either
  (5) ||□K while|| ∈ 𝓕 or
  (6) ||◇K if^i|| ∉ 𝓕 for every i ∈ N.
If (5), then by the properties of Q-filters there exists a natural number
i such that ||□K if^i|| ∈ 𝓕.
Hence ||if^i|| ∈ Z_{𝓕,K} and since ⊢ (if^i ⇒ (if^i ∨ ~while)) we have
||(while ⇒ if^i)|| ∈ Z_{𝓕,K}, which contradicts (4).
If (6), and since 𝓕 preserves all infinite operations, then
  (7) l.u.b._{i∈N} ||◇K if^i|| ∉ 𝓕.
By the properties of the Lindenbaum algebra (cf. § 7 of this chapter) we have
  l.u.b._{i∈N} ||◇K if^i|| = ||◇K while||.
Thus by (7) ||~while|| ∈ Z_{𝓕,K}.
The formula
  (~while ⇒ (while ⇒ if^i)) for all i ∈ N
is a theorem and Z_{𝓕,K} is a filter, hence ||while ⇒ if^i|| ∈ Z_{𝓕,K}, which
contradicts (4). This proves claim A.
B. We shall now consider the set Z_{𝓕,K} ∪ {||α||}.
This set has the finite intersection property (cf. Appendix A). For, if
  ||β_i|| ∈ Z_{𝓕,K}, i ≤ n and ||β_1|| ∩ ... ∩ ||β_n|| ∩ ||α|| = 0,
then
  ⊢ (α ⇒ ~(β_1 ∧ ... ∧ β_n)),
and consequently
  ⊢ (◇Kα ⇒ ◇K~(β_1 ∧ ... ∧ β_n)).
Since ||◇Kα|| ∈ 𝓕 we have
  ||◇K~(β_1 ∧ ... ∧ β_n)|| ∈ 𝓕.
Thus ||~□K(β_1 ∧ ... ∧ β_n)|| ∈ 𝓕, in contradiction to ||β_i|| ∈ Z_{𝓕,K}.
C. We can hence construct a proper filter which contains
Z_{𝓕,K} ∪ {||α||}, cf. Appendix A.
By the Kuratowski-Zorn Lemma (cf. Rasiowa and Sikorski, 1968)
this filter can be extended to a maximal filter 𝓕'.
This filter is a Q-filter, since from A, if
  l.u.b._{i∈N} ||pref ◇(if γ then M fi)^i(~γ ∧ β)|| ∈ 𝓕'
then there exists an i such that
  ||pref ◇(if γ then M fi)^i(~γ ∧ β)|| ∈ 𝓕'.
This proves Lemma 10.4. □

We can now prove the following truth lemma:

Lemma 10.5. Let T2 be a consistent theory based on the two-non-deter-
ministic algorithmic logic PAL2, and let 𝔐_0 be a canonical structure
of T2. For every Q-filter 𝓕 in the Lindenbaum algebra of T2 and every
formula α,
  ||α|| ∈ 𝓕 iff 𝔐_0, 𝓕 ⊨ α.
The proof is by induction on the complexity of the formula α and
is similar to the proof of Lemma 9.2. The fundamental step in this
induction was proved in Lemma 10.4 in connection with the formula
◇Kα. □

Corollary. The canonical structure 𝔐_0 of T2 is a normalized
two-non-deterministic model of T2. □

Using Lemma 10.5, we obtain the Model Existence Theorem:

Theorem 10.6. Theory T2 is consistent iff there is a model of T2. □

The following theorem asserts that the semantic consequence oper-
ation and the syntactic operation coincide.

Theorem 10.7 (Completeness Theorem). For every consistent the-
ory T2 based on PAL2 the following conditions are equivalent:
(i) α is a theorem of T2;
(ii) α is valid in every normalized two-non-deterministic model of T2;
(iii) α is valid in every two-non-deterministic model of T2.
Proof.
(i) → (iii) by the Adequacy Theorem 5.3 and Lemma 10.2.
(iii) → (ii) obvious.
To prove the theorem it is sufficient to verify that (ii) implies (i).
Suppose (ii) and non T2 ⊢ α. Hence, by Theorem 7.1, ||~α|| ≠ 0,
and from Lemma 7.3 we can construct a Q-filter 𝓕 in the Lindenbaum
algebra of that theory such that ||~α|| ∈ 𝓕. By Lemma 10.5, for the
canonical structure 𝔐_0 of T2 the following condition holds:
𝔐_0, 𝓕 ⊨ ~α, in contradiction to (ii), since 𝔐_0 is a normalized
two-non-deterministic model of T2. Thus (ii) → (i), and Theorem
10.7 holds. □

At the beginning of this section it was proved that two-non-deter-
ministic structures can be characterized by formulas in the algorithmic
propositional language. It would be interesting to know whether the
language assumed here allows us to characterize m-non-deterministic
structures.
By an m-non-deterministic structure we shall mean a semantic struc-
ture 𝔐 = <S, J, w> such that card(K_𝔐(s)) ≤ m for all s ∈ S and K ∈ V_p.
The following lemma provides an answer to our problem. For each
natural number m there is a set of formulas Z in the propositional
algorithmic language which satisfies the following condition: for every
normalized semantic structure 𝔐, 𝔐 ⊨ Z iff 𝔐 is m-non-deterministic.

Lemma 10.8. Let m be a fixed natural number and let Ax_m be the set
of all formulas of the following form:
  ( ⋀_{i=0}^{m-1} ◇K(α_1^{n_1^i} ∧ ... ∧ α_k^{n_k^i}) ⇒ □K( ⋁_{i=0}^{m-1} (α_1^{n_1^i} ∧ ... ∧ α_k^{n_k^i}) ) )
where k = [log m] + 1, (n_1^i ... n_k^i) is the binary representation of i, K ∈ V_p,
α_j ∈ F, j ≤ k, α^0 denotes α and α^1 denotes ~α. Then the following condi-
tions hold:
(i) if 𝔐 ⊨ Ax_m and 𝔐 is normalized, then 𝔐 is an m-non-determin-
istic structure;
(ii) if 𝔐 is an m-non-deterministic structure, then
  𝔐 ⊨ Ax_m.
Proof. Let 𝔐 = <S, J, w> be a normalized structure and 𝔐 ⊨ Ax_m.
Assume that the theorem does not hold, i.e. for some K and s,
card(K_𝔐(s)) > m. Let s_0, ..., s_{m-1}, s_m be elements of K_𝔐(s). Since
𝔐 is normalized, there are formulas which distinguish these states.
Let k = [log(m+1)] + 1. Let α_1, ..., α_k be formulas such that for any
two states s_i, s_j there is a formula which is satisfied by s_i and is
not satisfied by s_j. Let
  𝔐, s_0 ⊨ (α_1 ∧ ... ∧ α_k),
  𝔐, s_1 ⊨ (α_1 ∧ ... ∧ ~α_k),
  𝔐, s_2 ⊨ (α_1 ∧ ... ∧ ~α_{k-1} ∧ α_k), ... etc.
The state s_m does not satisfy any of the first m conjunctions. Thus
⋀_{i=0}^{m-1} ◇K(α_1^{n_1^i} ∧ ... ∧ α_k^{n_k^i}) is satisfied in s and s_m does not satisfy
⋁_{i=0}^{m-1} (α_1^{n_1^i} ∧ ... ∧ α_k^{n_k^i}), in contradiction to 𝔐 ⊨ Ax_m. This proves the
first part of Lemma 10.8.
We now assume that 𝔐 is an m-non-deterministic structure. Thus for
all s ∈ S
  card(K_𝔐(s)) ≤ m.
If card(K_𝔐(s)) < m for some s, then the antecedents in the formulas
from Ax_m are not satisfied by s. Hence Ax_m is valid in s.
Suppose that card(K_𝔐(s)) = m and for the formula
  δ_i = (α_1^{n_1^i} ∧ ... ∧ α_k^{n_k^i})
we have
  𝔐, s ⊨ ⋀_{i=0}^{m-1} ◇Kδ_i.
No two formulas δ_i, δ_j, i ≠ j, can be satisfied by the same state. Hence
for every s' ∈ K_𝔐(s) there exists i such that 𝔐, s' ⊨ δ_i. Thus □K ⋁_{i=0}^{m-1} δ_i
holds in s. Hence 𝔐 ⊨ Ax_m. □
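As an added illustration that is not part of the book, the following Python code evaluates the scheme Ax_m of Lemma 10.8 on a small finite normalized structure and confirms, for m = 1, ..., 4, that Ax_m is valid exactly when no state has more than m K-successors; the case m = 2 is the content of Lemmas 10.1 and 10.2. Subsets of the state set stand in for the formulas α_j (in a finite normalized structure every subset of states is the value of some formula), and the two sample structures are constructed here.

```python
from itertools import product

# Constructed sample structures for one atomic program K: a state set and
# J(K) given as a map from each state to the set of its successors.
STATES = frozenset(range(4))
K_TWO = {0: {1, 2}, 1: {3}, 2: set(), 3: {3}}        # at most 2 successors everywhere
K_THREE = {0: {1, 2, 3}, 1: {0}, 2: {0}, 3: {0}}     # state 0 has 3 successors


def box(K, a, s):
    """□K a holds at s iff K terminates at s (some successor exists) and
    every successor belongs to a."""
    return bool(K[s]) and K[s] <= a


def diamond(K, a, s):
    """◇K a holds at s iff some successor of s belongs to a."""
    return bool(K[s] & a)


def subsets(states):
    """All subsets of the state set. In a finite normalized structure every
    subset is the value of some formula, so ranging over subsets is the same
    as ranging over all formulas α_j of the scheme."""
    ordered = sorted(states)
    for bits in product((0, 1), repeat=len(ordered)):
        yield frozenset(x for x, b in zip(ordered, bits) if b)


def delta(states, alphas, i):
    """δ_i = α_1^{n_1} ∧ ... ∧ α_k^{n_k}, where (n_1 ... n_k) are the k binary
    digits of i, α^0 = α and α^1 = ~α (complement relative to the states)."""
    k = len(alphas)
    value = frozenset(states)
    for j, alpha in enumerate(alphas):
        bit = (i >> (k - 1 - j)) & 1
        value &= (states - alpha) if bit else alpha
    return value


def ax_m_valid(states, K, m):
    """True iff every instance of Ax_m, i.e.
         (⋀_{i<m} ◇K δ_i) ⇒ □K (⋁_{i<m} δ_i),
    holds at every state for every choice of the k = [log m] + 1 formulas."""
    k = m.bit_length()                      # [log_2 m] + 1
    states = frozenset(states)
    for alphas in product(list(subsets(states)), repeat=k):
        deltas = [delta(states, alphas, i) for i in range(m)]
        union = frozenset().union(*deltas)
        for s in states:
            if all(diamond(K, d, s) for d in deltas) and not box(K, union, s):
                return False
    return True


def m_non_deterministic(K, m):
    """The semantic side of Lemma 10.8: card(K(s)) ≤ m for every state s."""
    return all(len(succ) <= m for succ in K.values())


def degree(K):
    """Least m such that the structure is m-non-deterministic."""
    return max(len(succ) for succ in K.values())


if __name__ == "__main__":
    for name, K in (("K_TWO", K_TWO), ("K_THREE", K_THREE)):
        print(name, "degree", degree(K),
              "Ax_m valid for m in", [m for m in range(1, 5) if ax_m_valid(STATES, K, m)])
```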


Note that we can also describe the strict degree of non-determinism
by a set of formulas.
Assume that, for a program variable K,
  X = {□K true, (⋀_{i=0}^{m-1} ◇Kδ_i ⇔ ⋁_{i=0}^{m-1} δ_i)},
where δ_i is the same as in the lemma above. Then for any normalized
structure 𝔐 = <S, J, w>
  𝔐 ⊨ X iff (∀s ∈ S) card(J(K)(s)) = m.
Consider the algorithmic logic PAL_m which arises from PAL by adding
a scheme of axioms Ax_m. From the Adequacy Lemma 5.5 and Lemma 10.8
this logic is adequate.

Lemma 10.9. If α is a theorem of an algorithmic theory T_m based on PAL_m,
then α is valid in every m-non-deterministic model of T_m. □

Adapting the procedure described in §§ 9 and 10, we can generalize
the theorems obtained previously.
I. The canonical structure of T_m is a normalized m-non-deter-
ministic model.
II. T_m is consistent iff T_m possesses a model.
III. For any consistent theory T_m the following conditions are equiv-
alent:
  T_m ⊢ α;
  𝔐 ⊨ α for all normalized m-non-deterministic models 𝔐 of T_m;
  𝔐 ⊨ α for all m-non-deterministic models 𝔐 of T_m.
We can also consider a mixed system such that from the point of view
of one variable it is m-non-deterministic and from the point of view
of another variable it is n-non-deterministic.
Let m̄ = (m_1, m_2, ...) be an infinite sequence of natural numbers
and let us assume that K_1, K_2, ... is the sequence of all program vari-
ables in the algorithmic language L_0. We shall say that 𝔐 = <S, J, w>
is an m̄-non-deterministic structure if for every program variable K_i
and for every s ∈ S, card(J(K_i)(s)) ≤ m_i.
We shall consider the propositional algorithmic logic PAL_m̄ as an
extension of PAL by the set of schemes
  Ax_{m_i}(K_i) for i = 1, 2, ...
Namely, for every program variable K_i which is m_i-non-deterministic
we shall assume one scheme of axioms Ax_{m_i}(K_i). It is obvious that
properties I, II, III hold for any theory T_m̄ based on PAL_m̄.
I. T_m̄ is consistent iff T_m̄ possesses a model,
II. The canonical structure of T_m̄ is a normalized m̄-non-deter-
ministic model,
III. For every consistent theory T_m̄ the following holds
  T_m̄ ⊢ α iff T_m̄ ⊨ α. □

11. ELIMINATION OF BOUNDED NON-DETERMINISTIC PROGRAM
VARIABLES

We shall prove that non-deterministic program variables can be elim-
inated by deterministic ones. For example, if K is a program variable
satisfying axiom Ax2
  ((◇K(α ∧ β) ∧ ◇K(α ∧ ~β)) ⇒ □Kα),
then we can replace K by the non-deterministic program
  either K_1 or K_2 ro
with two program variables K_1, K_2 which satisfy the axioms
  (◇K_1α ⇒ □K_1α), (◇K_2α ⇒ □K_2α).
In this way each m-non-deterministic theory T_m can be transformed
to a partial function theory T_pf.
We shall construct a mapping which assigns a formula α' in T_pf to
every formula α in T_m with the following property
  T_m ⊢_m α iff T_pf ⊢_pf α'.

Let T_m be a fixed consistent m-non-deterministic theory
  T_m = <L_0, C, A>.
To every program variable K ∈ V_p of the language L_0 let us assign m
program variables K_1, K_2, ..., K_m which do not belong to L_0.
The propositional algorithmic language based on the set of program
variables V'_p = {K_1, ..., K_m}_{K∈V_p} and the same set of propositional
variables will be denoted by L'_0.
Let α be a formula and let M be a program scheme in the language L_0.
We shall write α' to denote a formula in L'_0 and M' to denote a program
scheme in L'_0 which are the results of simultaneous replacement of all
occurrences of K in α and in M by a program scheme of the form
  either K_1 or
    either K_2 or
      ...
        either K_{m-1} or K_m ro
      ...
    ro
  ro.
For short, (K_1 or K_2 or ... or K_m).
Let 𝔐 be a semantic m-non-deterministic structure
  𝔐 = <S, J, w>
for the language L_0. We shall construct a new structure 𝔐' (a partial
function structure) for the language L'_0 in the following way:

  𝔐' = <S, J', w>:
If J(K) = {(s, s_i): i = 1, ..., k}, then
  J'(K_j) = {(s, s_j)} for j = 1, ..., k,
  J'(K_j) = {(s, s_k)} for m ≥ j > k.
If J(K)(s) = ∅, then J'(K_j)(s) = ∅ for j = 1, ..., m. This trans-
formation is illustrated in Figure 11.1 for m = 3.
It is obvious from the definition that
  K_𝔐(s) = (K_1 or ... or K_m)_{𝔐'}(s)
for all K ∈ V_p and every state s. This equality can be generalized to any
program scheme. Let us first note that every computation 𝒞 of the
program scheme M in the structure 𝔐 at the initial state s can be trans-
formed into a computation 𝒞' of the program M' in the structure
𝔐' at the same initial state. This transformation is described as follows:
1. Let us put the program
  (K_1 or ... or K_m)
in the place of K.
Fig. 11.1 (the structure 𝔐 on the left and the structure 𝔐' on the right)

2. Let us replace any two configurations of the form
  <s; K, Rest>,
  <s_i; Rest>,
by the following sequence of configurations:
  <s; (K_1 or ... or K_m), Rest>,
  <s; (K_2 or ... or K_m), Rest>,
  ...
  <s; (K_i or ... or K_m), Rest>,
  <s; K_i, Rest>,
  <s_i; Rest>.
3. The sequence obtained in this way is a computation 𝒞' of the
program M' in the structure 𝔐'.
The converse transformation is obviously also possible. Moreover:
(i) The computation 𝒞 is infinite iff the computation 𝒞' is infinite.
(ii) s is the result of 𝒞 iff s is the result of 𝒞'.

Corollary 11.1. For every program scheme M and every formula α
  M_𝔐(s) = M'_{𝔐'}(s),
  α_𝔐(s) = α'_{𝔐'}(s). □

Lemma 11.2. A theory T_m = ⟨L_0, C_m, A⟩ has a model iff the theory T_pf = ⟨L'_0, C_pf, A'⟩ has a model.

Proof. Let 𝔐 be a model of T_m. By the corollary, 𝔐' is a model of T_pf. Conversely, if 𝔐' is a model of T_pf, then the structure 𝔐 = ⟨S, 𝒮, W⟩, where
  𝒮(K)(s) = ⋃_{j=1}^{m} K_{j 𝔐'}(s) for K ∈ V_p, s ∈ S,
is a model of T_m. □

From the Model Existence Theorem for T_pf and T_m we infer that an m-non-deterministic theory T_m = ⟨L_0, C_m, A⟩ is consistent iff the corresponding partial function theory T_pf = ⟨L'_0, C_pf, A'⟩ is consistent. Analogously, by the Completeness Theorems for T_pf and T_m we have the following theorem:

Theorem 11.3. For every formula α ∈ L_0, α is a theorem of the m-non-deterministic theory T_m = ⟨L_0, C_m, A⟩ iff α' is a theorem of the partial function theory T_pf = ⟨L'_0, C_pf, A'⟩. □
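As an added illustration (not part of the book), the following Python code carries out the construction of this section on a small constructed 3-non-deterministic structure: it builds the partial functions K_1, K_2, K_3 from the relation of K by the padding rule given above, recovers the relation again as the union of the K_j (the converse direction of Lemma 11.2), and checks the equality K_𝔐(s) = (K_1 or K_2 or K_3)_𝔐'(s) together with the atomic instance of Corollary 11.1 for the formulas ◇Kq and □Kq. The states, the relation S(K) and the valuation of q are constructed for the example; the convention that □Kq requires a non-empty set of successors is the example's own reading of the semantics.

```python
# Constructed example (not from the book): a 3-non-deterministic structure with
# states 0..3, one program variable K and one propositional variable q.
M_BOUND = 3
S_K = {0: [1, 2, 3], 1: [2], 2: [], 3: [0, 3]}   # S(K)(s): the successors of s
W_Q = {0: False, 1: True, 2: True, 3: False}     # the value of q in each state


def partial_functions(s_k, m):
    """Build S'(K_1), ..., S'(K_m) from S(K) as in Section 11: K_j(s) = s_j for
    j <= k, K_j(s) = s_k for k < j <= m, and K_j undefined at s when S(K)(s) is empty."""
    funcs = {j: {} for j in range(1, m + 1)}
    for s, succ in s_k.items():
        k = len(succ)
        if k > m:
            raise ValueError("structure is not %d-non-deterministic" % m)
        for j in range(1, m + 1):
            if k:
                funcs[j][s] = succ[min(j, k) - 1]
    return funcs


def results_or(funcs, s):
    """Results of (K_1 or ... or K_m) at state s in the partial function structure M'."""
    return {f[s] for f in funcs.values() if s in f}


def reconstruct(funcs, states):
    """The converse direction of Lemma 11.2: S(K)(s) is the union of the K_j(s)."""
    return {s: results_or(funcs, s) for s in states}


def diamond_box(successors, w):
    """(<>K q, []K q) from the set of successor states of s: the diamond needs one
    successor satisfying q; the box needs all successors to satisfy q and, in the
    example's reading of the semantics, at least one successor to exist."""
    successors = list(successors)
    return (any(w[t] for t in successors),
            bool(successors) and all(w[t] for t in successors))


def check_corollary(s_k, w, m):
    """K_M(s) = (K_1 or ... or K_m)_M'(s) for every s, and the atomic instance of
    Corollary 11.1 for the formulas <>K q and []K q."""
    funcs = partial_functions(s_k, m)
    return all(results_or(funcs, s) == set(s_k[s])
               and diamond_box(s_k[s], w) == diamond_box(results_or(funcs, s), w)
               for s in s_k)


if __name__ == "__main__":
    print(partial_functions(S_K, M_BOUND))
    print(check_corollary(S_K, W_Q, M_BOUND))
```

State 2 has no successor, so every K_j is undefined there and (K_1 or K_2 or K_3) has no result at 2, exactly as K has none in 𝔐; state 3 has two successors, so K_3 repeats the last one.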
12. YANOV SCHEMES

The original language of Yanov schemes (cf. Yanov, 1959) is different


from that used here. We shall adapt the orthography of Yanov schemes
to the syntactical patterns of this chapter.
Let us assume the following definition:
By a Yanov scheme we shall mean a program scheme in a proposi­
tional language for which every program variable has an associated
carrier which is fixed and finite. (From this definition we can associate
a finite carrier to every program scheme).
A natural interpretation of a Yanov scheme consists of a relation K_Y associated with every program variable K such that for every two valuations v, v' of propositional variables
  (v, v') ∈ K_Y iff v = v' off Car(K),
where Car(K) is the carrier of K. Let us call this interpretation the Yanov interpretation.
By a computation of a Yanov scheme M with a given valuation v we shall understand a maximal sequence of configurations c_0, c_1, c_2, ... such that c_i ⊢ c_{i+1} and c_0 = ⟨v; M⟩. The relation ⊢ is defined as in § 1 of this chapter. Let us mention here one step of this definition:
  ⟨v; K, Rest⟩ ⊢ ⟨v'; Rest⟩,
where K ∈ V_p and (v, v') ∈ K_Y.
Although all program variables are interpreted in a similar fashion
(every program can change its variables in any possible way), their
carriers may differ and this is why we cannot treat a Yanov scheme
as an algorithm with a single program variable.

Remark. There is a natural correspondence between Yanov schemes and non-deterministic programs (cf. Chapter VI).
For a fixed program variable K, let Car(K) = {q_1, ..., q_n}. The set of all possible valuations of these variables has 2^n elements. Let us consider the corresponding set of sequences of atomic formulas true and false, i.e. the set {(i^j_1, ..., i^j_n)}_{j ≤ 2^n}, where i^j_k ∈ {true, false} for j ≤ 2^n and k ≤ n.
For a given sequence (i^j_1, ..., i^j_n) let M_j denote the program
  begin q_1 := i^j_1; ...; q_n := i^j_n end.
Let M be a non-deterministic program of the following form
  (M_1 or M_2 or ... or M_{2^n}).
It is easy to see that the sets of all results of M and K are equal for any given valuation. In conclusion we have the following result.
For every Yanov scheme M we can construct a non-deterministic program M' (with assignment instructions and without program variables) such that the behaviour of M and M' will be the same, i.e. the trees of the possible computations will be equal. □

We can consider a logic of Yanov schemes as a propositional algorithmic theory with the set of specific axioms Yax, i.e. the set of all formulas of the forms:
  □K true,
  (◇Kq ⇒ q), (◇K~q ⇒ ~q) for all q ∉ Car(K),
  ◇K(q_1^{m^j_1} ∧ ... ∧ q_n^{m^j_n}) for 0 ≤ j < 2^n,
where (m^j_1, ..., m^j_n) is the binary representation of the number j, q_i^0 is ~q_i and q_i^1 is q_i for i ≤ n, and K is a program variable such that Car(K) = {q_1, ..., q_n}.
We shall now prove the following lemma:

Lemma 12.1.
(i) Every semantic proper structure with a Yanov interpretation is a model of Yax.
(ii) If 𝒥 is an interpretation of program variables such that 𝔐 = ⟨W, 𝒥⟩ is a proper model of Yax, then 𝒥 is a Yanov interpretation.

Proof.
(i) Let us consider a proper semantic structure 𝔐 = ⟨W, Y⟩, where Y is a Yanov interpretation of program variables.
The first two axioms are valid since, by the definition of K_Y, 𝔐, v ⊨ q iff 𝔐, v' ⊨ q for all q ∉ Car(K), all v' ∈ K_Y(v) and every valuation v ∈ W. The third axiom is also valid for every v ∈ W since all possible changes of the values of the variables from Car(K) are admissible as a result of K_Y.
(ii) Suppose 𝔐 = ⟨W, 𝒥⟩ is a model of Yax. If (v, v') ∈ K_𝔐, then v = v' off Car(K), since for q ∉ Car(K), v'(q) = 1 implies by the second axiom v(q) = 1, and v'(q) = 0 implies v(q) = 0.
Conversely, let us assume that v = v' off Car(K) and let q_1, ..., q_k be all the variables from the set Car(K) such that q_i(v') = 0 for i ≤ k. Consider the formula β of the form
  (~q_1 ∧ ... ∧ ~q_k ∧ q_{k+1} ∧ ... ∧ q_n).
By the third axiom 𝔐, v ⊨ ◇Kβ. Hence there exists v'' such that v'' ∈ K_𝔐(v) and 𝔐, v'' ⊨ β, i.e. v''(q_i) = v'(q_i) for all i ≤ n. By the previously proved implication
  v'' = v off Car(K).
Thus v'' = v' and therefore v' ∈ K_𝔐(v). □
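As an added example (not part of the book), the following Python code fixes three propositional variables with Car(K) = {q1, q2}, computes K_Y(v) as defined above, builds the results of the assignment program (M_1 or ... or M_{2^n}) of the Remark, and checks Lemma 12.1 (i) by testing the three axiom schemes of Yax against the Yanov interpretation and against two interpretations that are not Yanov interpretations. The variable names and the interpretation flip_q1_only are the example's own choices.

```python
from itertools import product

# Constructed example (not from the book): propositional variables q1, q2, q3 and
# one program variable K whose carrier is Car(K) = {q1, q2}; q3 lies off the carrier.
VARS = ("q1", "q2", "q3")
CARRIER = ("q1", "q2")


def valuations(variables):
    """All 0/1 valuations of the given propositional variables."""
    return [dict(zip(variables, bits)) for bits in product((0, 1), repeat=len(variables))]


def yanov(v, carrier=CARRIER, variables=VARS):
    """The Yanov interpretation K_Y(v): every v' with v' = v off Car(K)."""
    return [w for w in valuations(variables)
            if all(w[q] == v[q] for q in variables if q not in carrier)]


def assignment_program(v, carrier=CARRIER):
    """Results of the non-deterministic program (M_1 or ... or M_{2^n}) of the
    Remark, where M_j assigns one pattern of truth values to q_1, ..., q_n."""
    out = []
    for bits in product((0, 1), repeat=len(carrier)):
        w = dict(v)
        w.update(zip(carrier, bits))
        out.append(w)
    return out


def as_set(vals):
    return {tuple(sorted(w.items())) for w in vals}


def same_results(carrier=CARRIER, variables=VARS):
    """K under the Yanov interpretation and (M_1 or ... or M_{2^n}) have the
    same set of results from every valuation."""
    return all(as_set(yanov(v, carrier, variables)) == as_set(assignment_program(v, carrier))
               for v in valuations(variables))


def satisfies_yax(interp, carrier=CARRIER, variables=VARS):
    """Check the three axiom schemes of Yax for an interpretation of K given as a
    function valuation -> list of result valuations."""
    for v in valuations(variables):
        succ = interp(v)
        if not succ:                                   # []K true: K_interp(v) is non-empty
            return False
        for q in variables:                            # (<>K q => q), (<>K ~q => ~q) for q off Car(K)
            if q in carrier:
                continue
            if any(w[q] == 1 for w in succ) and v[q] != 1:
                return False
            if any(w[q] == 0 for w in succ) and v[q] != 0:
                return False
        for bits in product((0, 1), repeat=len(carrier)):   # <>K(q_1^{m_1} ^ ... ^ q_n^{m_n})
            if not any(all(w[q] == b for q, b in zip(carrier, bits)) for w in succ):
                return False
    return True


def flip_q1_only(v):
    """A non-Yanov interpretation: K can only negate q1 and changes nothing else."""
    w = dict(v)
    w["q1"] = 1 - v["q1"]
    return [w]
```

The identity interpretation and flip_q1_only both fail the third axiom scheme (not every pattern on the carrier is reachable), while an interpretation that may also change q3 fails the second, which is the content of Lemma 12.1 (ii).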

13. APPLICATION OF PAL IN MICROPROGRAMMING

Propositional algorithmic logic seems well-suited to the analysis of micro­


programs. In this section we present a small example of a microprogram
and its transformation to another, more efficient microprogram which
performs the same operation of multiplication of integers. We shall
work within the frame of a theory of registers defined later. Before
we present it let us recall the structure of a simple arithmetic unit. It will
serve as a basis for future intuitions.
The unit consists of four registers and an adder, as shown in Figure 13.1.

Fig. 13.1. The arithmetic unit (the registers Acc, Arg, M and the counter, with the adder).

The microoperations of the unit are
  Acc := Acc + Arg,
shift Acc and M to the left (to the right), check whether the last bit of M is 0, check if Acc and M contain only zeros, subtract 1 from the counter, add 1 to the counter, test if the counter contains 0, etc.
This physical model gives us an insight into the formal theory presented below. We shall imagine a collection of registers. Each register can contain an infinite sequence of bits (binary digits)
  ... d_3 d_2 d_1 d_0 d_{−1} d_{−2} d_{−3} ...
The set of program variables will represent microoperations on registers; for every i, j we have the following program variables:
  a_ij: add the content of the register R_i to the register R_j, R_j := R_j + R_i,
  l_i: shift R_i to the left, R_i := 2 × R_i,
  r_i: shift R_i to the right, R_i := R_i/2,
  o_i: put 0 into R_i, R_i := 0,
  s_i: add 1 to R_i, R_i := R_i + 1,
  p_i: subtract 1 from R_i, R_i := R_i − 1.
For every i we have the two propositional variables:
  z_i: check if R_i contains only zeros,
  e_i: check if R_i contains zeros on all non-positive positions.
The schemes of programs can in these circumstances be interpreted as microprograms. The algorithmic formulas need not contain the modality signs □ and ◇ since we assume that the actions are deterministic, i.e. instead of □Mα or ◇Mα we shall simply write Mα. We shall operate with axioms having the form of equalities of microprograms. The equality M = M' should be conceived as the scheme Mα = M'α for every formula α.
Below we present the schemes of axioms of our theory T of registers (a juxtaposition such as l_i a_ij denotes the composition "l_i, then a_ij", and a_ij^2 stands for a_ij a_ij):
  l_i a_ij = a_ij^2 l_i,  a_ij^2 r_j = r_j a_ij,  s_i p_i = p_i s_i = Id,
  a_ij l_j = l_j a_ij^2,  a_ij r_i = r_i a_ij^2,  l_i r_i = r_i l_i,
  l_i s_i^2 = s_i l_i,  l_i p_i^2 = p_i l_i,
  r_i s_i = s_i^2 r_i,  p_i^2 r_i = r_i p_i,
  r_i o_i = l_i o_i = s_i o_i = p_i o_i = o_i = a_ji o_i,
  l_i z_i ≡ z_i ≡ r_i z_i,
  while ~z_i do p_i od true ⇒ s_i ~z_i,
  e_i ≡ while ~z_i do p_i p_i od true.
Moreover, we assume that for different indices the operations commute, e.g.
  a_ij p_k = p_k a_ij for k ≠ i and k ≠ j,
  p_i l_j = l_j p_i for i ≠ j.

Lemma 13.1. The following formulas are provable in the theory T of registers:
  (1) (while ~z_i do p_i od true ⇒ s_i while ~z_i do p_i od true),
  (2) (e_i ⇒ ~p_i e_i).

Proof. By the axioms
  (while ~z_i do p_i od true ⇒ s_i ~z_i),
  s_i p_i = Id
and, by classical propositional calculus, we have
  (while ~z_i do p_i od true ⇒ (s_i ~z_i ∧ s_i p_i while ~z_i do p_i od true)).
By the axioms of PAL (cf. Chapter V, § 5)
  ((s_i ~z_i ∧ s_i p_i while ~z_i do p_i od true) ⇒ s_i while ~z_i do p_i od true).
Hence by the law of syllogism we have proved formula (1).
To prove the second implication (2) observe first that for arbitrary j > 0, (z_i ⇒ s_i^j ~z_i) is a consequence of (1) and of the axiom
  (while ~z_i do p_i od true ⇒ s_i ~z_i).
Hence, using the following rule of inference
  α ⇒ β
  ──────────────
  p_i α ⇒ p_i β
and the axiom s_i p_i = Id of the theory T, we obtain
  (p_i^k z_i ⇒ ~p_i^l z_i) for arbitrary natural numbers k ≠ l.
Hence for arbitrary k and l
  (p_i (if ~z_i then p_i p_i fi)^k z_i ⇒ ~(if ~z_i then p_i p_i fi)^l z_i).
By the ω-rule of PAL we obtain that for every l ∈ N,
  ((if ~z_i then p_i p_i fi)^l z_i ⇒ ~p_i while ~z_i do p_i p_i od true).
Using once again the ω-rule we obtain formula (2). □
Let us consider the following microprogram M performing the multiplication of the registers R_1 and R_3, assuming that R_3 contains a natural number. The result of the computation is placed in R_2:
  M: begin o_2; while ~z_3 do a_12; p_3 od; o_1; o_3 end.
The aim of this section is to improve the above program.
Assume the following denotations:
  K_1 = if ~z_3 then a_12; p_3 fi,
  K_2 = if ~z_3 then a_12^2; p_3^2 fi (i.e. if ~z_3 then a_12; a_12; p_3; p_3 fi),
  K = if ~e_3 then a_12; p_3 fi.

Lemma 13.2. For an arbitrary formula β and for an arbitrary natural number j the following formula is provable in T:
  (3) (K_1^j(z_3 ∧ o_1 o_3 β) ≡ if ~z_3 then K; l_1; r_3 fi K_1^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β)),
where ⌊2j/2⌋ = ⌊(2j+1)/2⌋ = j.

Proof. By the axiom
  K_1 β ≡ if ~z_3 then a_12; p_3 else Id fi β ≡ (~z_3 ∧ a_12 p_3 β ∨ z_3 ∧ β),
we have
  K_1^j(z_3 ∧ o_1 o_3 β) ≡ (~z_3 ∧ a_12 p_3 K_2^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β) ∨ K_2^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β)).
Let us multiply the right-hand side of the above formula by (e_3 ∨ ~e_3). Applying (2) and the following simple facts:
  (~z_3 ∧ ~e_3) ≡ ~e_3,
  ((if ~z_3 then a_12^2; p_3^2 fi)^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β) ⇒ e_3),
  (a_12 p_3 (if ~z_3 then a_12^2; p_3^2 fi)^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β) ⇒ ~e_3)
we obtain
  (4) K_1^j(z_3 ∧ o_1 o_3 β) ≡ if ~e_3 then a_12; p_3 fi K_2^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β).
By the axioms of the theory T of registers
  (z_3 ∧ o_1 o_3 β) ≡ l_1 r_3 (z_3 ∧ o_1 o_3 β)
and
  a_12^2 p_3^2 l_1 r_3 β ≡ l_1 r_3 a_12 p_3 β
for an arbitrary formula β. Hence
  K_2^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β) ≡ l_1 r_3 K_1^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β).
Applying the obtained equivalence to formula (4) we have
  K_1^j(z_3 ∧ o_1 o_3 β) ≡ if ~e_3 then a_12; p_3 fi l_1 r_3 K_1^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β).
However
  (z_3 ∧ l_1 r_3 K_1^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β)) ≡ (z_3 ∧ K_1^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β)).
Thus
  K_1^j(z_3 ∧ o_1 o_3 β) ≡ if ~z_3 then K; l_1; r_3 fi K_1^{⌊j/2⌋}(z_3 ∧ o_1 o_3 β). □

Let j be a natural number and let 2^{k−1} ≤ j < 2^k for some k ∈ N, i.e. ⌊log j⌋ = k − 1. By Lemma 13.2 and simple induction on l, 1 ≤ l ≤ k, we have
  K_1^j(z_3 ∧ o_1 o_3 β) ≡ (if ~z_3 then K; l_1; r_3 fi)^l K_1^{⌊j/2^l⌋}(z_3 ∧ o_1 o_3 β).
Hence for l = k, i.e. for l = ⌊log j⌋ + 1,
  (5) K_1^j(z_3 ∧ o_1 o_3 β) ≡ (if ~z_3 then K; l_1; r_3 fi)^{⌊log j⌋+1}(z_3 ∧ o_1 o_3 β).
Applying twice the ω-rule of algorithmic logic we obtain
  Mβ ≡ o_2 (while ~z_3 do K; l_1; r_3 od (o_1 o_3 β)).
The final conclusion is that the program M is equivalent to the following program:
  begin
    o_2;
    while ~z_3 do
      if ~e_3 then a_12; p_3 fi;
      l_1; r_3
    od;
    o_1; o_3
  end.
It is not difficult to observe by (5) that the complexity of the last microprogram is much better than that of the original one (the obtained microprogram is frequently implemented in computers). It requires ⌊log R_3⌋ + 1 steps in comparison with the R_3 steps of the original algorithm.
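The following Python code is an added example (not from the book) that models the register theory of this section: microoperations act on a register file of exact rationals, the juxtaposition of operators in the axioms is read left to right (l_i a_ij means l_i first, then a_ij), and both the original microprogram M and the derived shift-and-add microprogram are run on the same inputs, returning the product and the number of loop iterations. The function same_effect, which tests an equation between microprograms on random register contents, is the example's own device and not part of the theory T.

```python
from fractions import Fraction
import random

# Added example (not from the book). A register file is a dict index -> Fraction;
# Fractions keep the right shift r_i exact, so bits at negative positions are modelled.


def a(i, j):
    """a_ij: R_j := R_j + R_i."""
    def op(R): R[j] = R[j] + R[i]
    return op


def l(i):
    """l_i: R_i := 2 * R_i."""
    def op(R): R[i] = 2 * R[i]
    return op


def r(i):
    """r_i: R_i := R_i / 2."""
    def op(R): R[i] = R[i] / 2
    return op


def o(i):
    """o_i: R_i := 0."""
    def op(R): R[i] = Fraction(0)
    return op


def s(i):
    """s_i: R_i := R_i + 1."""
    def op(R): R[i] = R[i] + 1
    return op


def p(i):
    """p_i: R_i := R_i - 1."""
    def op(R): R[i] = R[i] - 1
    return op


def z(i):
    """z_i: R_i contains only zeros."""
    return lambda R: R[i] == 0


def e(i):
    """e_i: zeros on all non-positive positions, i.e. R_i is an even integer."""
    return lambda R: R[i].denominator == 1 and R[i].numerator % 2 == 0


def run(ops, R):
    """Execute microoperations left to right (the reading of juxtaposition used
    for the axioms of T) and return the modified register file."""
    for op in ops:
        op(R)
    return R


def multiply_original(x, y):
    """M: begin o_2; while ~z_3 do a_12; p_3 od; o_1; o_3 end, with R_1 = x and
    R_3 = y a natural number. Returns (R_2, number of loop iterations)."""
    R = {1: Fraction(x), 2: Fraction(0), 3: Fraction(y)}
    run([o(2)], R)
    iterations = 0
    while not z(3)(R):
        run([a(1, 2), p(3)], R)
        iterations += 1
    run([o(1), o(3)], R)
    return R[2], iterations


def multiply_shift_add(x, y):
    """The derived program: begin o_2; while ~z_3 do if ~e_3 then a_12; p_3 fi;
    l_1; r_3 od; o_1; o_3 end. Returns (R_2, number of loop iterations)."""
    R = {1: Fraction(x), 2: Fraction(0), 3: Fraction(y)}
    run([o(2)], R)
    iterations = 0
    while not z(3)(R):
        if not e(3)(R):
            run([a(1, 2), p(3)], R)
        run([l(1), r(3)], R)
        iterations += 1
    run([o(1), o(3)], R)
    return R[2], iterations


def same_effect(lhs, rhs, trials=200, seed=1):
    """Test an equation between two microprograms on random register contents
    (integer, half-integer and quarter-integer values in R_1, R_2, R_3)."""
    rng = random.Random(seed)
    for _ in range(trials):
        R = {i: Fraction(rng.randint(-20, 20), rng.choice((1, 2, 4))) for i in (1, 2, 3)}
        if run(lhs, dict(R)) != run(rhs, dict(R)):
            return False
    return True
```

For R_3 = 5 the original loop runs 5 times and the derived one ⌊log 5⌋ + 1 = 3 times with the same product in R_2. The random check also shows why the axioms carry the squares: same_effect([l(1), a(1, 2)], [a(1, 2), a(1, 2), l(1)]) holds, whereas the variant without the square, same_effect([l(1), a(1, 2)], [a(1, 2), l(1)]), fails as soon as R_1 ≠ 0.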
BIBLIOGRAPHIC REMARKS

The first result in propositional logic of programs belongs to Yanov


(1959), who proved that the equivalence of program schemes is decid­
able. Many papers devoted to schematology have developed Yanov’s
ideas; it is impossible to quote all of them. The next important step
was when Glushkov (1965) introduced algorithmic algebras. The same
ideas and many new results were proposed by Fischer and Ladner (1979)
in their paper introducing PDL—a propositional dynamic logic.
Since 1977, when this paper appeared, many authors have studied the
propositional logics of programs: Segerberg, Gabbay, Chlebus, Berman,
Parikh, Kozen, Harel, Meyer, Valiev, Vakarelov, Passy, Mirkowska,
Pratt. This list does not exhaust the names of all contributors to the field.
The results reported in this chapter are mainly from Mirkowska (1981)
except for Section 13 which is based on an example from Glushkov
et al. (1978).
CHAPTER VI

NON-DETERMINISM IN ALGORITHMIC LOGIC

In this chapter we shall deal with non-deterministic while-programs.


Among many reasons for introducing non-determinism let us mention
concurrency, whose semantics requires some non-deterministic actions.
We shall study the semantic properties of non-deterministic programs,
and also the non-deterministic logic NAL. The basis of our consider­
ations is the algorithmic logic of deterministic while-programs and the
propositional algorithmic logic PAL. In fact, every propositional
tautology of PAL is a scheme of a tautology of non-deterministic algo­
rithmic logic. On the other hand, NAL is a natural extension of algo­
rithmic logic.
In contrast to the deterministic case, a non-deterministic program can have various computations. Thus we shall interpret a program as a tree in which every path represents one way of going through the program during the evaluation of its result. Hence a non-deterministic program can have many different results. We are therefore obliged to change our intuition connected with the algorithmic formula Kα. There are two natural interpretations: to consider all results of all computations, or to consider a particular result.
Both interpretations are worthy of investigation. For this reason we shall introduce two modal constructions to the set of formulas, ◇Mα and □Mα, where M is a non-deterministic program and α is a formula. The informal meaning is as follows:
  ◇Mα: it is possible that after performing M the formula α holds,
  □Mα: it is necessary that after performing M the formula α holds.
(We have already met these constructions in PAL.)
Formulas of this kind can easily express properties of programs like termination, correctness, etc., and properties of data structures.
In this chapter we shall present a Hilbert-style axiomatization; it is also possible to construct a Gentzen-type axiomatization. The logic presented, NAL, is complete in the sense that the semantic and syntactic consequence operations determine the same sets of consequences. However, the axiomatization has an infinitary character, since, following the arguments presented for AL (see Chapter II, § 4), we can prove that the semantic consequence is not compact.

1. NON-DETERMINISTIC while-PROGRAMS AND THEIR SEMANTICS

Let us assume that we are given a fixed alphabet in which V is a set


of individual and propositional variables, P is a set of predicates, and 0
is a set of functors. On the basis of this alphabet we are going to con­
struct a non-deterministic algorithmic language L and in particular
the most important element of L—the notion of a non-deterministic
program.

Definition 1.1. By a non-deterministic program we shall mean any expression M such that:
(i) M is an assignment instruction, (x := τ) or (q := γ), where x is an individual variable, q is a propositional variable, τ is a term and γ is an open formula (for the notion of term or open formula see Chapter II, § 1), or
(ii) M is of the form if γ then M_1 else M_2 fi, begin M_1; M_2 end, while γ do M_1 od, where M_1, M_2 are arbitrary non-deterministic programs and γ is an open formula, or
(iii) M is of the form either M_1 or M_2 ro, where M_1, M_2 are arbitrary non-deterministic programs. □

Hence the set of all non-deterministic while-programs is an extension


of the set of deterministic programs defined in Chapter II, § 1. We
shall denote this set by 11.

Example. Let empty be a one-argument predicate and let left and right be one-argument functors. The following expression is then an example of a non-deterministic program:
  while empty(x) do
    either (x := left(x)) or (x := right(x)) ro
  od. □
Let 𝔄 be a data structure
  𝔄 = ⟨A, {φ_𝔄}_{φ ∈ Φ}, {ϱ_𝔄}_{ϱ ∈ P}⟩
in which, for every n-argument predicate ϱ, ϱ_𝔄 is an n-argument relation in A and, for every n-argument functor φ, φ_𝔄 is an n-argument operation in A.
The given data structure 31 determines the interpretation of open
formulas and terms as defined in Chapter II, § 2. The interpretation of
non-deterministic programs will be defined in a way similar to that
presented in PAL (cf. Chapter V, § 1).

Definition 1.2. By a tree of possible computations of a program M in the structure 𝔄 from the initial valuation v we mean a tree Comp(M, v, 𝔄) such that the configuration ⟨v; M⟩ is the root of the tree and:
(i) If a configuration ⟨v'; if γ then M_1 else M_2 fi, Rest⟩ is a vertex of Comp, then the unique son of this vertex is ⟨v'; M_1, Rest⟩ in the case 𝔄, v' ⊨ γ and ⟨v'; M_2, Rest⟩ in the case 𝔄, v' ⊨ ~γ (Rest denotes a sequence of programs).
(ii) If the configuration ⟨v'; begin K; M end, Rest⟩ is a vertex of the tree Comp, then the unique son of this vertex is ⟨v'; K, M, Rest⟩.
(iii) If the configuration ⟨v'; while γ do M od, Rest⟩ is a vertex of Comp, then the unique son of this vertex is ⟨v'; Rest⟩ in the case 𝔄, v' ⊨ ~γ and is ⟨v'; M, while γ do M od, Rest⟩ in the case 𝔄, v' ⊨ γ.
(iv) If the configuration ⟨v'; either M_1 or M_2 ro, Rest⟩ is a vertex of Comp, then the left son of this vertex is ⟨v'; M_1, Rest⟩ and the right son is ⟨v'; M_2, Rest⟩.
(v) If the configuration ⟨v'; (x := ω), Rest⟩ is in Comp, then the unique son of this vertex is ⟨v''; Rest⟩, where v''(z) = v'(z) for z ≠ x and v''(x) = ω_𝔄(v').
(vi) If the configuration ⟨v'; ⟩ is a vertex of Comp, then it is a leaf of the tree, i.e. it has no sons.
Every path of the tree Comp(M, v, 𝔄) is called a computation of the program M in the structure 𝔄 at the initial valuation v.
If ⟨v'; ⟩ is a leaf of the tree Comp, then the valuation v' is called the result of the corresponding computation. □

Lemma 1.1. Let K be a program of the form while γ do M od. If all computations of K at the initial valuation v in a data structure 𝔄 are finite, then there exists a common upper bound of the length of the computations.

Proof. Let Comp be the tree of all possible computations of the program K starting from the valuation v in 𝔄. Suppose on the contrary that for every natural number n there exists a path in Comp of length n. Since the degree of any vertex in Comp is equal to 1 or 2, by König's Lemma (Kuratowski and Mostowski, 1967) there exists an infinite path in the tree Comp, contrary to the assumption. □

Let us remark that the set of all finite computations of the program M determines a binary relation M_𝔄 in the set of all valuations of a data structure 𝔄 such that
  (v, v') ∈ M_𝔄 iff v' is a result of a computation of M from the valuation v in the structure 𝔄.
The relation M_𝔄 is called the interpretation of the program M in the structure 𝔄.
Hence, the interpretation of a program begin K; M end is the composition of the interpretations of K and of M; the interpretation of a program either K or M ro is the set-theoretical sum of the interpretations of K and M; and the interpretation of while γ do M od in 𝔄 is
  ⋃_{i ∈ N} (if γ then M fi)^i_𝔄 ∘ {(v, v): 𝔄, v ⊨ ~γ}.

Let K_𝔄(v) denote the set of all results of the program K at the valuation v in the structure 𝔄, K_𝔄(v) = {v': (v, v') ∈ K_𝔄}. The following lemma gives a characterization of this set according to the structure of the program.

Lemma 1.2. For arbitrary programs K, M and an arbitrary valuation v in a data structure 𝔄 the following equalities hold:
  (begin K; M end)_𝔄(v) = ⋃_{v' ∈ K_𝔄(v)} M_𝔄(v'),
  (if γ then K else M fi)_𝔄(v) = K_𝔄(v) if 𝔄, v ⊨ γ, and = M_𝔄(v) if 𝔄, v ⊨ ~γ,
  (either K or M ro)_𝔄(v) = K_𝔄(v) ∪ M_𝔄(v),
  (while γ do M od)_𝔄(v) = ⋃_{i ∈ N} (if γ then M fi)^i_𝔄(v) ∩ {v': 𝔄, v' ⊨ ~γ}.
For the proof see the similar considerations which have been presented in PAL (cf. Chapter V, § 2). □
2. PROPERTIES OF NON-DETERMINISTIC PROGRAMS

We shall begin our considerations from a description of a formalized


non-deterministic algorithmic language and its semantics, since the
formulas of this language will represent the properties of the programs.

Definition 2.1. By a formula of the non-deterministic algorithmic language we shall understand every expression α such that:
(i) α is a propositional variable, or α is an elementary formula (cf. Chapter II, § 1),
(ii) α is of the form (∃x)β(x), (∀x)β(x), where x is an individual variable,
(iii) α is of the form (β ∨ δ), (β ∧ δ), (β ⇒ δ), ~β,
(iv) α is of the form □Mβ, ◇Mβ,
(v) α is of the form ⋃Mβ, ⋂Mβ, ⋁Mβ, ⋀Mβ (the signs ⋃, ⋂, ⋁, ⋀ will be called iteration quantifiers),
where β, δ are arbitrary formulas and M is an arbitrary non-deterministic program. □

The set of all formulas will be denoted by F. The sets of terms, for­
mulas, and non-deterministic programs determine the non-determin­
istic algorithmic language L.
We shall define below the semantics of the language under con­
sideration.
Let 51 be a fixed data structure for L. The semantics of non-deter­
ministic programs has been defined in § 1 of this chapter. Hence it
remains to define the semantics of formulas. However, the formulas
constructed by means of the classical connectives a , v , ~ , =>, and
quantifiers 3, V are interpreted in the usual way (see Chapter II, § 1)
and therefore need not be mentioned here.
Thus for an arbitrary valuation v in the data structure 𝔄 we assume
  𝔄, v ⊨ ◇Mα iff (∃v' ∈ M_𝔄(v)) 𝔄, v' ⊨ α,
  𝔄, v ⊨ □Mα iff (∀v' ∈ M_𝔄(v)) 𝔄, v' ⊨ α and all computations of M at the valuation v in 𝔄 are finite,
  𝔄, v ⊨ ⋃Mα iff (∃i ∈ N) 𝔄, v ⊨ □M^i α,
  𝔄, v ⊨ ⋂Mα iff (∀i ∈ N) 𝔄, v ⊨ □M^i α,
  𝔄, v ⊨ ⋁Mα iff (∃i ∈ N) 𝔄, v ⊨ ◇M^i α,
  𝔄, v ⊨ ⋀Mα iff (∀i ∈ N) 𝔄, v ⊨ ◇M^i α.
Remark. If M is a deterministic program then the formulas ◇Mα and □Mα are equivalent. Moreover, every formula α of the non-deterministic algorithmic language in which the instruction either ... or ... ro and classical quantifiers do not occur is equivalent to an algorithmic formula α' which is obtained by replacing all subformulas of the form □Mβ, ◇Mβ, ⋃Mβ, ⋂Mβ, ⋁Mβ, ⋀Mβ by the corresponding expressions Mβ, ⋃Mβ, ⋂Mβ of AL, i.e. 𝔄, v ⊨ α iff 𝔄, v ⊨ α' for an arbitrary data structure 𝔄 and valuation v. □

It follows directly from the definition of semantics that algorithmic formulas can describe the properties of computations. For example the formula □M true describes the stop property of the program M, since for an arbitrary data structure 𝔄 and every valuation v
  𝔄, v ⊨ □M true iff all computations of the program M at the valuation v in 𝔄 are finite.
There are some variants of this formula which also express interesting properties:
  ~◇M true: all computations of the program M are infinite,
  ◇M true: there exists a finite computation,
  ~□M true: there exists an infinite computation.

Example 2.1. Let us consider the following program M
  M: while b do
       either x := x + 1 or x := x − 1 ro;
       either b := true or b := false ro
     od
The formula ◇M true is valid in the data structure of integers, while □M true is not, since from a valuation with b = true both finite and infinite computations are possible. □
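As an added illustration (not part of the book), the following Python code implements the tree of possible computations of Definition 1.2 for programs written as nested tuples, explores it breadth-first up to a depth bound, and evaluates ◇Mα and □Mα on Example 2.1 and on a deterministic loop. The program encoding, the depth bound and the three-valued answer for □ (True, False, or None for "not settled within the bound") are the example's own conventions; by Lemma 1.1 a bound at which every path has closed certifies that all computations are finite, whereas an open path at the bound leaves the question undecided.

```python
# Added example (not from the book): a small interpreter for the computation
# trees of Definition 1.2. A program is a nested tuple, a valuation is a dict.
#   ('assign', x, f)      x := f(v)
#   ('if', g, M1, M2)     if g then M1 else M2 fi, g a predicate on valuations
#   ('seq', M1, M2)       begin M1; M2 end
#   ('while', g, M1)      while g do M1 od
#   ('either', M1, M2)    either M1 or M2 ro


def sons(conf):
    """The sons of a configuration (v, Rest) in Comp; None marks a leaf (v, )."""
    v, rest = conf
    if not rest:
        return None
    M, rest = rest[0], rest[1:]
    kind = M[0]
    if kind == 'assign':
        w = dict(v)
        w[M[1]] = M[2](v)
        return [(w, rest)]
    if kind == 'if':
        return [(v, (M[2] if M[1](v) else M[3],) + rest)]
    if kind == 'seq':
        return [(v, (M[1], M[2]) + rest)]
    if kind == 'while':
        return [(v, (M[2], M) + rest)] if M[1](v) else [(v, rest)]
    if kind == 'either':
        return [(v, (M[1],) + rest), (v, (M[2],) + rest)]
    raise ValueError(kind)


def explore(M, v, bound):
    """Breadth-first traversal of Comp(M, v, A), cut off after `bound` steps.
    Returns (results, truncated): the results of the paths that finished, and
    whether some path was still open at the bound."""
    results, frontier = [], [(v, (M,))]
    for _ in range(bound):
        nxt = []
        for conf in frontier:
            children = sons(conf)
            if children is None:
                results.append(conf[0])
            else:
                nxt.extend(children)
        frontier = nxt
        if not frontier:
            break
    open_paths = [c for c in frontier if sons(c) is not None]
    results.extend(c[0] for c in frontier if sons(c) is None)
    return results, bool(open_paths)


def diamond(M, alpha, v, bound):
    """<>M alpha: some computation ends (within the bound) in a result satisfying alpha."""
    results, _ = explore(M, v, bound)
    return any(alpha(w) for w in results)


def box(M, alpha, v, bound):
    """[]M alpha. True: every computation finished within the bound and every
    result satisfies alpha. False: some result violates alpha. None: a path was
    still open at the bound, so termination of all computations was not shown."""
    results, truncated = explore(M, v, bound)
    if any(not alpha(w) for w in results):
        return False
    return None if truncated else True


# Example 2.1 of the text, over the integers.
EX21 = ('while', lambda v: v['b'],
        ('seq', ('either', ('assign', 'x', lambda v: v['x'] + 1),
                           ('assign', 'x', lambda v: v['x'] - 1)),
                ('either', ('assign', 'b', lambda v: True),
                           ('assign', 'b', lambda v: False))))

# A deterministic loop, for which <> and [] agree (Remark in Section 2).
COUNTDOWN = ('while', lambda v: v['x'] > 0, ('assign', 'x', lambda v: v['x'] - 1))

TRUE = lambda w: True
```

From x = 0, b = true the traversal finds finite computations (◇M true holds, and even ◇M(x = 2) holds by choosing +1 twice and then b := false), but a path that keeps choosing b := true is still open at any bound, so □M true is reported as None; from b = false the loop body is never entered and □M true is True.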

One of the most important properties of programs is correctness. In the case of non-deterministic programs the partial correctness property (cf. Chapter II, § 3) and the correctness property have different variants:
(1) (α ⇒ ◇Mβ): if an input data satisfies the condition α, then there exists a finite computation of M starting from this data whose result satisfies the condition β,
(2) ((α ∧ ◇M true) ⇒ ◇Mβ): if an input data satisfies the condition α and there exists a finite computation, then one of the results of M satisfies the property β,
(3) ((α ∧ □M true) ⇒ ◇Mβ): if an input data satisfies the condition α and all computations of M from this data are finite, then there exists a result of M which satisfies β,
(4) (α ⇒ □Mβ): if an input data satisfies the condition α, then all computations of M are finite and all results satisfy β,
(5) ((α ∧ □M true) ⇒ □Mβ): if an input data satisfies the condition α and all computations of M are finite, then all results satisfy the property β.

Example 2.2. Let M be a non-deterministic program and let 𝔄 be the data structure of real numbers.
  M: begin
       either c := a or c := b ro;
       while |b − a| > ε ∧ |f(c)| > ε do
         x := (a + b)/2;
         either a := c or b := c ro
       od
     end.
The program M is correct (in the sense of (1)) with respect to the input formula f(b)·f(a) ≤ 0 and the output formula true, since for every valuation v in 𝔄
  𝔄, v ⊨ (f(b)·f(a) ≤ 0 ⇒ ◇M true),
and it is not correct in the sense of (4), since there are valuations v in 𝔄 with
  𝔄, v ⊨ (f(b)·f(a) ≤ 0 ∧ ~□M true). □

In the case where a program is of the form while γ do M od we can construct formulas which determine the length of the computation:
(6) □(if γ then M fi)^i ~γ: the number of iterations of the program M in every computation of the program while γ do M od is at most i,
(7) ◇(if γ then M fi)^i γ: there exists a computation of the program while γ do M od such that the number of iterations of M is at least i.
The last property we shall mention has a different character: it expresses that a program satisfies some condition throughout the computation. We shall say that such a condition is an invariant of the program. To show that a formula α is an invariant of a program M we shall introduce a recursive definition of the expression Inv M α:
  Inv s α = (α ∧ ◇s α),
  Inv if γ then K else K' fi α = ((γ ∧ Inv K α) ∨ (~γ ∧ Inv K' α)),
  Inv begin K; K' end α = (Inv K α ∧ ~◇K ~Inv K' α),
  Inv either K or K' ro α = (Inv K α ∧ Inv K' α),
  Inv while γ do K od α = (α ∧ ~⋁ if γ then K fi (γ ∧ ~Inv K α)),
where s is an assignment instruction, K, K' are programs and γ is an open formula.

Lemma 2.1. For every data structure 𝔄 and every valuation v,
  𝔄, v ⊨ Inv M α iff the formula α is satisfied by every valuation of every computation of the program M starting from the valuation v in 𝔄.

Proof. The proof is by induction on the length of the program M.
It is obvious that Lemma 2.1 holds for assignment instructions, since there is a unique computation of such a program.
Suppose the lemma holds for the programs K and K' (the induction hypothesis).
Let us consider the program M of the form either K or K' ro. By definition
  𝔄, v ⊨ Inv M α iff 𝔄, v ⊨ Inv K α and 𝔄, v ⊨ Inv K' α.
Hence by the inductive assumption every valuation which occurs in a computation of K or in a computation of K' from the valuation v in 𝔄 satisfies the formula α. Since every computation of either K or K' ro is either a computation of K or a computation of K', every valuation of every computation of M satisfies α.
Similar considerations for the programs begin K; K' end, if γ then K else K' fi are omitted.
Let us consider the program M of the form while γ do K od and let Comp be the tree of all possible computations of M at the initial valuation v in 𝔄. Suppose that for some vertex ⟨v''; ...⟩ of the tree Comp, 𝔄, v'' ⊨ ~α. Let us consider a path going through this vertex. Assume that we have made exactly i iterations of K on this path such that all the valuations obtained satisfy the property α. Hence there exists a valuation v' ∈ (if γ then K fi)^i_𝔄(v) such that 𝔄, v' ⊨ ~α, or such that 𝔄, v' ⊨ γ and v'' occurs in a computation of the program K from the valuation v'. Thus by the induction hypothesis
  𝔄, v' ⊨ (~α ∨ (γ ∧ ~Inv K α)),
and consequently
  𝔄, v ⊨ (~α ∨ ◇(if γ then K fi)^i (γ ∧ ~Inv K α)).
From the definition of semantics we obtain
  𝔄, v ⊨ (~α ∨ ⋁ if γ then K fi (γ ∧ ~Inv K α)).
The above considerations can easily be converted so as to show that 𝔄, v ⊨ (~α ∨ ⋁ if γ then K fi (γ ∧ ~Inv K α)) implies the existence of a computation of while γ do K od in which not every valuation satisfies the formula α.
This completes the proof of Lemma 2.1. □

Remark. The set of all invariants of a given program M creates a (distributive) lattice, since if α, β are two invariants of M, then (α ∨ β) and (α ∧ β) are also invariants of M. □

3. THE SUBSTITUTION THEOREM

In this section we aim to show that the tautologies of propositional algorithmic logic are schemes of tautologies of non-deterministic algorithmic logic. The replacement of atomic formulas and atomic program schemes by formulas and programs of non-deterministic algorithmic logic NAL applied to a tautology of propositional algorithmic logic PAL_pf gives a tautology of NAL, or the resulting expression does not belong to NAL.
Let α be a formula of PAL and let 𝔰 be a substitution of the form
  (1) (q_1/α_1, ..., q_n/α_n, K_1/M_1, ..., K_m/M_m),
where q_i ∈ V_0 for i = 1, ..., n, K_j ∈ V_p for j = 1, ..., m, α_i are formulas of NAL and M_j are deterministic programs of NAL. By 𝔰α we shall mean the expression obtained from the formula α by the simultaneous replacement of every variable q_i by the formula α_i and every program variable K_j by the program M_j. Analogously, we shall denote by 𝔰M the expression obtained from the program scheme M by the simultaneous replacement of every variable q_i by the formula α_i and of every program variable K_j by the deterministic program M_j.
For every data structure 𝔄 of NAL, every valuation v of individual variables in 𝔄, and every substitution 𝔰 of the form (1), let us define the set W_0 of valuations of propositional variables v_{𝔰𝔄v} as follows:
  v_{𝔰𝔄v}(q_i) = α_{i 𝔄}(v) for i = 1, ..., n,
  v_{𝔰𝔄v}(q) = 1 for all q ∉ {q_1, ..., q_n}.
Let 𝒥 denote an interpretation of program variables such that
  (v_{𝔰𝔄v}, v_{𝔰𝔄v'}) ∈ K_𝒥 iff v' ∈ 𝔰K_𝔄(v)
for K ∈ {K_1, ..., K_m}, and K_𝒥 = ∅ for all other program variables.
Denote by 𝔐 the semantic structure ⟨W_0, 𝒥⟩.
We can now formulate the following fundamental lemma.

Lemma 3.1. For every substitution 𝔰 of the form (1), every data structure 𝔄 of the non-deterministic algorithmic language, every valuation v of individual variables, every formula α and program scheme M of PAL_pf, if 𝔰α is a well-formed formula and 𝔰M is a well-formed program of NAL, then the following holds:
  (i) 𝔰α_𝔄(v) = α_𝔐(v_{𝔰𝔄v}),
  (ii) v' ∈ 𝔰M_𝔄(v) iff v_{𝔰𝔄v'} ∈ M_𝔐(v_{𝔰𝔄v}).

The proof of Lemma 3.1 is by induction on the complexity of the formula α and of the program M.
We shall use the following definition.
A program scheme M is of less complexity than a program scheme N iff the pair (M, N) belongs to the transitive closure of the relation given below:
  ((if γ then M_1 fi)^i, while γ do M_1 od) for all i ∈ N,
  (M_i, if γ then M_1 else M_2 fi),
  (M_i, either M_1 or M_2 ro),
  (M_i, begin M_1; M_2 end),
where γ is a propositional classical formula, i ∈ {1, 2}, and M_1 and M_2 are program schemes of PAL.
3. SUBSTITUTION THEOREM 279

Proof of Lemma 3.1. By definition of the valuation vs%v and


interpretation the lemma holds for all open classical propositional
formulas and for all program variables of PAL.

Inductive assumption: Lemma 3.1 holds for all formulas that are
submitted to the formula a' and all program schemes that are of less
complexity than M'.
Let 31 and s be a fixed data structure of NAL and a fixed substi­
tution of the form (1) respectively. We shall discuss different forms
of the formula a' and the program M ' such that ' and sM ' are a well-
so l

formed formula and a well-formed program, respectively.


1p. Let M' be a program scheme of the form begin M₁; M₂ end. Hence
v' ∈ sM'_𝔄(v) iff v' ∈ (s begin M₁; M₂ end)_𝔄(v).
By the definition of the semantics we have v' ∈ sM'_𝔄(v) iff there exists
a valuation of individual variables v'' such that v'' ∈ sM₁_𝔄(v) and
v' ∈ sM₂_𝔄(v''). By the inductive hypothesis the last sentence is
equivalent to: there exists a valuation of propositional variables vs_𝔄v''
such that
vs_𝔄v'' ∈ M₁_𝔐(vs_𝔄v) and vs_𝔄v' ∈ M₂_𝔐(vs_𝔄v'').
Hence, from the definition of the interpretation,
vs_𝔄v' ∈ (begin M₁; M₂ end)_𝔐(vs_𝔄v).
2p. Let M' be a program scheme of the form if γ then M₁ else M₂ fi.
From the definition of the semantics of NAL we have
v' ∈ sM'_𝔄(v) iff v' ∈ sM₁_𝔄(v) and (sγ)_𝔄(v) = 1 or
v' ∈ sM₂_𝔄(v) and (sγ)_𝔄(v) = 0.
By the inductive assumption we have
vs_𝔄v' ∈ M₁_𝔐(vs_𝔄v) and γ_𝔐(vs_𝔄v) = 1
or
vs_𝔄v' ∈ M₂_𝔐(vs_𝔄v) and (¬γ)_𝔐(vs_𝔄v) = 1.
Thus by the definition of an interpretation vs_𝔄v' ∈ (if γ then M₁ else M₂ fi)_𝔐(vs_𝔄v).
3p. Consider the program scheme M' = either M₁ or M₂ ro. By the
definition
v' ∈ (s either M₁ or M₂ ro)_𝔄(v) iff v' ∈ sM₁_𝔄(v) or v' ∈ sM₂_𝔄(v).

This is equivalent (by the inductive hypothesis) to:
vs_𝔄v' ∈ M₁_𝔐(vs_𝔄v) or vs_𝔄v' ∈ M₂_𝔐(vs_𝔄v).
Hence
v' ∈ sM'_𝔄(v) iff vs_𝔄v' ∈ (either M₁ or M₂ ro)_𝔐(vs_𝔄v).
4p. Consider the program scheme M' = while γ do M od. By the
semantic properties of non-deterministic algorithmic logic NAL we have
v' ∈ sM'_𝔄(v) iff there exists an i₀ ∈ N such that
v' ∈ (s (if γ then M fi)^{i₀})_𝔄(v).
By the inductive assumption this is equivalent to the statement that
there exists an i₀ such that vs_𝔄v' ∈ ((if γ then M fi)^{i₀})_𝔐(vs_𝔄v), and therefore
vs_𝔄v' ∈ (while γ do M od)_𝔐(vs_𝔄v).
Now let us consider the formulas.
1f. Let us assume that α' is of the form ◇Kα, where K ∈ V_p. By the
definition of the semantics
(s◇Kα)_𝔄(v) = 1 iff there exists a finite computation of the
program sK_𝔄 at the initial valuation v
such that its result v' ∈ sK_𝔄(v) satisfies sα.
By the inductive hypothesis, there exists a successful computation
of the program K such that
vs_𝔄v' ∈ K_𝔐(vs_𝔄v) and 𝔐, vs_𝔄v' ⊨ α.
Hence
𝔄, v ⊨ s◇Kα iff 𝔐, vs_𝔄v ⊨ ◇Kα.
2f. Consider the formula α' of the form □Kα, where K ∈ V_p. By the
definition of the semantics we have
𝔄, v ⊨ s□Kα iff all computations of the program sK_𝔄
are finite and for all v' ∈ sK_𝔄(v), 𝔄, v' ⊨ sα.
By the inductive assumption for the program variable K and for the
formula α we have
𝔄, v ⊨ s□Kα iff all computations of the program
scheme K are successful and for all
vs_𝔄v' ∈ K_𝔐(vs_𝔄v) we have 𝔐, vs_𝔄v' ⊨ α.

By the definition of the value of a formula in PAL

𝔄, v ⊨ s□Kα iff 𝔐, vs_𝔄v ⊨ □Kα.
3f. Let us consider a formula α' of the form □ either M₁ or M₂ ro α.
By the properties of the semantics we have
𝔄, v ⊨ s□ either M₁ or M₂ ro α iff
𝔄, v ⊨ s□M₁α and 𝔄, v ⊨ s□M₂α.
Hence, by the inductive hypothesis,
𝔐, vs_𝔄v ⊨ □M₁α and 𝔐, vs_𝔄v ⊨ □M₂α,
and therefore 𝔐, vs_𝔄v ⊨ □ either M₁ or M₂ ro α.
4f. Suppose now that α' is of the form ◇ while γ do M od β. By
the definition of the semantics we have
𝔄, v ⊨ s◇ while γ do M od β iff
l.u.b._{i∈N} (s◇(if γ then M fi)^i (sβ ∧ ¬sγ))_𝔄(v) = 1.

Hence, by the inductive hypothesis,

𝔄, v ⊨ sα' iff l.u.b._{i∈N} (◇(if γ then M fi)^i (β ∧ ¬γ))_𝔐(vs_𝔄v) = 1.

By Lemma 2.3 from Chapter V we have

𝔄, v ⊨ sα' iff 𝔐, vs_𝔄v ⊨ ◇ while γ do M od β.
The proof of the remaining cases runs analogously. □

The following theorem is our goal in this section.

Theorem 3.2. For every formula α of PAL and for every substitution
s of the form (1), if sα is a well-formed formula of NAL and α is a
tautology of PAL then the formula sα is a tautology of NAL.
Proof. Let α be a tautology of PAL and let sα be a well-formed
formula of NAL for some substitution s.
Suppose that 𝔄, v ⊨ ¬sα for some fixed data structure 𝔄 of the
non-deterministic algorithmic logic and valuation v of individual variables,
and let 𝔐 be the semantic structure corresponding to 𝔄. From Lemma 3.1
of this chapter,
𝔄, v ⊨ sα iff 𝔐, vs_𝔄v ⊨ α.
Hence α_𝔐(vs_𝔄v) = 0, and therefore α is not a propositional tautology,
a contradiction. □

4. NON-DETERMINISTIC ALGORITHMIC LOGIC

In this section we shall introduce the deductive system called
Non-deterministic Algorithmic Logic (NAL), which enables us to
characterize syntactically the notion of tautology. As a result of the
PAL completeness theorem (cf. Chapter V, § 9) and of the Substitution
Theorem (cf. § 3 of this chapter) all instances of axioms of PAL which
are non-deterministic formulas are tautologies of NAL. This justifies
the adoption of the following set of axioms and inference rules.
Ax1–Ax11: the axioms of the classical propositional calculus (cf.
Chapter II, § 5).

□sγ ≡ ◇sγ ≡ sγ,
◇M(α ∨ β) ≡ (◇Mα ∨ ◇Mβ), □M(α ∧ β) ≡ (□Mα ∧ □Mβ),
⋁Mα ≡ (α ∨ ⋁M(◇Mα)), ⋃Mα ≡ (α ∨ ⋃M(□Mα)),
⋀Mα ≡ (α ∧ ⋀M(◇Mα)), ⋂Mα ≡ (α ∧ ⋂M(□Mα)),
s((∃x)α(x)) ≡ (∃y)s((x := y)α(x)),
where y is an individual variable not occurring in sα,
(◇M¬α ⇒ ¬□Mα), □M true ⇒ (◇M¬α ≡ ¬□Mα),
◇(x := τ)α(x) ⇒ (∃x)α(x) for every term τ,
(∀x)α(x) ≡ ¬(∃x)¬α(x),
◇ begin M; M' end α ≡ ◇M(◇M'α),
□ begin M; M' end α ≡ □M(□M'α),
◇ if γ then M else M' fi α ≡ ((γ ∧ ◇Mα) ∨ (¬γ ∧ ◇M'α)),
□ if γ then M else M' fi α ≡ ((γ ∧ □Mα) ∨ (¬γ ∧ □M'α)),
◇ while γ do M od α
≡ ((¬γ ∧ α) ∨ (γ ∧ ◇M(◇ while γ do M od α))),
□ while γ do M od α
≡ ((¬γ ∧ α) ∨ (γ ∧ □M(□ while γ do M od α))),
◇ either M or M' ro α ≡ (◇Mα ∨ ◇M'α),
□ either M or M' ro α ≡ (□Mα ∧ □M'α).
In the above schemes of formulas α, β are arbitrary formulas, γ is an
open formula, M and M' are arbitrary programs and s is an assignment
instruction.
The set of inference rules contains all rules of PAL and some rules
which characterize the classical and the iteration quantifiers.

Rules (premises / conclusion)

α, (α ⇒ β) / β   (modus ponens),

((x := y)α(x) ⇒ β) / ((∃x)α(x) ⇒ β),   where y is an individual variable
occurring neither in α nor in β,

(α ⇒ β) / (◇Mα ⇒ ◇Mβ),   (α ⇒ β) / (□Mα ⇒ □Mβ),

{(◇M'(◇M^iα) ⇒ β)}_{i∈N} / (◇M'(⋁Mα) ⇒ β),
{(◇M'(□M^iα) ⇒ β)}_{i∈N} / (◇M'(⋃Mα) ⇒ β),

{(β ⇒ □M'(◇M^iα))}_{i∈N} / (β ⇒ □M'(⋀Mα)),
{(β ⇒ □M'(□M^iα))}_{i∈N} / (β ⇒ □M'(⋂Mα)),

{(◇M'(◇(if γ then M fi)^i(¬γ ∧ α)) ⇒ β)}_{i∈N} / (◇M'(◇ while γ do M od α) ⇒ β),

{(◇M'(□(if γ then M fi)^i(¬γ ∧ α)) ⇒ β)}_{i∈N} / (◇M'(□ while γ do M od α) ⇒ β).

Note that some of the inference rules have infinitely many premises.
This is an effect of the non-compactness of the semantic consequence
operation.

Definition 4.1. By the non-deterministic algorithmic logic NAL we shall
understand a system ⟨L, C⟩, where L is a non-deterministic algorithmic
language and C is the syntactic consequence operation determined by the
axioms and rules mentioned above.
By a non-deterministic theory we shall understand a formal system
⟨L, C, A⟩ based on NAL such that A is a set of formulas of the
non-deterministic algorithmic language L. □

The notions of a theorem, of a model, and of consistency are very
like those of algorithmic logic (see Chapter II, Definitions 5.2, 6.1, 6.2)
and therefore are not presented here.

Lemma 4.1. If α is a theorem of a non-deterministic theory T, then α
is valid in every model of that theory.
Proof. Let T = ⟨L, C, A⟩ and let 𝔐 be a data structure for L.

For an arbitrary valuation v, 𝔐, v ⊨ ⋀Mα is equivalent by the
definition of the semantics (see § 2) to the following:
𝔐, v ⊨ ◇M^iα for every natural number i.
Hence 𝔐, v ⊨ α and 𝔐, v ⊨ ◇M^i(◇Mα) for every i ≥ 0. The latter
formula is equivalent to 𝔐, v ⊨ (α ∧ ⋀M(◇Mα)). As a consequence
of the above considerations the formula
⋀Mα ≡ (α ∧ ⋀M(◇Mα))
is valid in every data structure for L, i.e. it is a tautology.
In a similar way we can prove that all axioms of NAL are valid
in every data structure (see also Chapter II, § 5 and Chapter V, § 5).
Moreover, we claim that the inference rules lead from valid premises
to a valid conclusion.
Let us check the last sentence in the case of the rule

{(◇M'(□M^iα) ⇒ β)}_{i∈N} / (◇M'(⋃Mα) ⇒ β).

Assume that 𝔐 is a model of T and that all formulas (◇M'(□M^iα)
⇒ β) are valid in 𝔐. Suppose that for some valuation v
𝔐, v ⊨ ◇M'(⋃Mα) and 𝔐, v ⊨ ¬β.
Hence there exists a finite computation of M' such that its result
satisfies the formula ⋃Mα. By the definition of the semantics it follows that
𝔐, v' ⊨ □M^iα for a certain i ∈ N and a certain valuation v' ∈ M'_𝔐(v).
Thus non 𝔐, v ⊨ (◇M'(□M^iα) ⇒ β), contrary to the assumption. □

The most important theorem of this section is the Model Existence
Theorem. The proof of the theorem makes use of the Rasiowa–Sikorski
algebraic method (see Chapter III, § 2).

Theorem 4.2 (Model Existence Theorem). A non-deterministic
algorithmic theory is consistent if and only if it has a model.
Proof. One implication is obvious. We shall present below a sketch
of the proof that if a theory T = ⟨L, C, A⟩ is consistent then there
exists a model of the set A.
(1) The first step is to construct the Lindenbaum algebra of the
theory T (cf. Chapter III, § 1).

(2) Since the theory T is consistent, the Lindenbaum algebra is a
non-degenerate Boolean algebra and moreover

‖⋁Mα‖ = l.u.b._{i∈N} ‖◇M^iα‖,   ‖⋀Mα‖ = g.l.b._{i∈N} ‖◇M^iα‖,
‖⋃Mα‖ = l.u.b._{i∈N} ‖□M^iα‖,   ‖⋂Mα‖ = g.l.b._{i∈N} ‖□M^iα‖,
‖(∃x)α(x)‖ = l.u.b._{τ∈T} ‖(x := τ)α(x)‖,
‖(∀x)α(x)‖ = g.l.b._{τ∈T} ‖(x := τ)α(x)‖.

(3) Let Q denote the set of all infinite operations mentioned in (2).
By the Rasiowa–Sikorski Lemma (Rasiowa and Sikorski, 1968) for every
non-zero element a of the Lindenbaum algebra there exists a Q-filter
∇ such that a ∈ ∇ (see Appendix A).
(4) Let 𝔐 be a data structure in the set of all terms of the language L
such that
(τ₁, ..., τ_n) ∈ ϱ_𝔐 iff ‖ϱ(τ₁, ..., τ_n)‖ ∈ ∇,

ψ_𝔐(τ₁, ..., τ_n) = ψ(τ₁, ..., τ_n),

for an arbitrary n-argument predicate ϱ, an arbitrary n-argument functor
ψ and arbitrary terms τ₁, ..., τ_n of the non-deterministic language L.
(5) By induction on the length of the formula α we can prove that
𝔐, v₀ ⊨ α iff ‖α‖ ∈ ∇,
where v₀ is a valuation such that v₀(x) = x for all individual variables
x and v₀(q) = 1 iff ‖q‖ ∈ ∇ for all propositional variables q.
(6) It follows by (5) that 𝔐 is a model of the set of specific axioms A. □

The last theorem of this section characterizes the connections between
the syntactic and the semantic consequence operations.

Theorem 4.3 (The Completeness Theorem). For every consistent
non-deterministic algorithmic theory T the following conditions are
equivalent:
(i) α is a theorem of T;
(ii) α is valid in every model of T.
In other words, A ⊢ α iff A ⊨ α for an arbitrary set A. We shall
omit the proof since it is very similar to the proof of the Completeness
Theorem of algorithmic logic. □

5. CERTAIN METAMATHEMATICAL RESULTS

The aim of this section is to generalize some results obtained in
algorithmic logic.
Theorem 5.1 (Downward Skolem–Löwenheim Theorem). If a
non-deterministic algorithmic theory has a model, then it has an enumerable
model. □

This is an immediate effect of the construction presented in the proof
of the Model Existence Theorem (cf. Theorem 4.2).
As a consequence of the Completeness Theorem we have the following
fact:

Theorem 5.2 (on deduction). If α is a closed formula of the
non-deterministic algorithmic language, then for an arbitrary set of
formulas A and a formula β
A ⊢ (α ⇒ β) iff A ∪ {α} ⊢ β. □

Lemma 5.3. For an arbitrary formula α which does not contain any
while-instruction or quantifiers there exists an open formula γ such that
(1) 𝔄, v ⊨ γ iff 𝔄, v ⊨ α
for an arbitrary valuation v and an arbitrary data structure 𝔄.
Proof. The lemma holds trivially for open formulas. Let us assume
that (1) holds for all formulas which are submitted to the formula α
(see Appendix B) and let us consider the formula α = □Mβ.
If M is an assignment instruction (x := w), then by the induction
hypothesis there exists an open formula β' such that for an arbitrary
data structure 𝔄
𝔄 ⊨ (β' ≡ β).
Hence by the rule (α ⇒ β) / (□Mα ⇒ □Mβ) we have 𝔄 ⊨ (□Mβ' ≡ □Mβ).

Thus by the axioms of NAL,

𝔄 ⊨ □(x := w)β' ≡ (x := w)β',
which completes the proof since (x := w)β' is an open formula obtained
from β' by the simultaneous replacement of all occurrences of x by
the expression w.
If M is of the form either M₁ or M₂ ro, then by the Completeness
Theorem we have
𝔄 ⊨ □ either M₁ or M₂ ro β ≡ (□M₁β ∧ □M₂β).
By the induction hypothesis there exist open formulas γ₁ and γ₂ such
that for an arbitrary data structure 𝔄,
𝔄 ⊨ □M₁β ≡ γ₁ and 𝔄 ⊨ □M₂β ≡ γ₂.
Hence
𝔄 ⊨ □ either M₁ or M₂ ro β ≡ (γ₁ ∧ γ₂).
We shall omit the easy next steps of the induction. □

Theorem 5.4. Let K be a program without the while-operation and
let γ be an open formula.
(i) The formula ⋁Kγ is a tautology iff there exists a natural number n
such that the formula ⋁_{i≤n} ◇K^iγ is a tautology.
(ii) The formula ⋃Kγ is a tautology iff there exists a natural number n
such that the formula ⋁_{i≤n} □K^iγ is a tautology.

Proof. Since the proofs in cases (i) and (ii) are essentially the same
we shall discuss case (ii) only. Moreover, one implication is obvious
by the definition of the semantics.
Let H_m denote the formula ⋁_{i≤m} □K^iγ and suppose H_m is not a
tautology for arbitrary m ∈ N. For an arbitrary natural number i, the formula
□K^iγ is equivalent to an open formula, say γ_i, cf. Lemma 5.3. Let us
put H'_m = ⋁_{i≤m} γ_i. Hence for an arbitrary data structure 𝔄

𝔄 ⊨ H'_m ≡ H_m for every m ∈ N.

For every m ∈ N, let H''_m be the formula obtained from H'_m by the
simultaneous replacement of all elementary formulas of the form
ϱ(τ₁, ..., τ_n) that occur in H'_m by the corresponding propositional
variables which do not occur in any formula H'_m (different
propositional variables correspond to different elementary formulas).
The formulas H''_m satisfy the following condition:
⊢ H''_m implies ⊢ H'_m for m ∈ N.
By the assumption, H''_m is not a tautology for arbitrary m, hence the
set W^m of all valuations which do not satisfy the formula H''_m restricted
to the set V(H''_m) is a finite non-empty set. Moreover, it follows easily
from the construction that, if n > m then for every v ∈ W^n there exists
a valuation v' ∈ W^m such that v = v' off (V − V(H''_m)), i.e. v(z) = v'(z)
for z ∈ V(H''_m). The set ⋃_{m∈N} W^m creates a tree such that the elements
of W^m are on the (m + 1) level of the tree and a valuation v on the
(m + 1) level is a son of the valuation v' on the m level if and only if
v = v' off (V − V(H''_m)).
Since the degree of any vertex in the tree is finite (the set W^m is finite
for every m ∈ N), then by König's Lemma (cf. Kuratowski and
Mostowski, 1967) there exists an infinite path v₀, v₁, ... such
that v_j ∈ W^j, j ∈ N. Let us denote by v_∞ a valuation such that
v_∞ = v_m off (V − V(H''_m)) for every m ∈ N.
Thus for every natural number m, H''_m(v_∞) = 0.
Let 𝔄 be a data structure in the set of all terms such that
(τ₁, ..., τ_n) ∈ ϱ_𝔄 iff v_∞(q) = 1, where q is the propositional variable
substituted for the elementary formula ϱ(τ₁, ..., τ_n),
ψ_𝔄(τ₁, ..., τ_n) = ψ(τ₁, ..., τ_n),
for an arbitrary n-argument predicate ϱ and an arbitrary n-argument
functor ψ.
Let v be a valuation in 𝔄 such that
v(x) = x for all individual variables x,
v(q) = v_∞(q) for all propositional variables q.
From the above construction we have
non 𝔄, v ⊨ H'_m for every m ∈ N

and therefore
non 𝔄, v ⊨ H_m for all m ∈ N.
By the definition of the semantics,
l.u.b._{i∈N} (□K^iγ)_𝔄(v) = 0.

Hence 𝔄, v ⊨ ¬⋃Kγ, and therefore ⋃Kγ is not a tautology. □

As a result of Theorem 5.4 we have the following.

Theorem 5.5. If a program M of the form

begin M₁; while γ do M₂ od end,

where M₁, M₂ do not contain any while-instruction, does not diverge
in any data structure, then there exists a common upper bound on the
length of all computations of that program.

For the proof see Lemma 3.6 from Chapter III. □

6. ON ISOMORPHISM OF DATA STRUCTURES

Let 𝔄 and 𝔅 be arbitrary data structures for the language L,

𝔄 = ⟨A, {φ_𝔄}_{φ∈Φ}, {ϱ_𝔄}_{ϱ∈P}⟩,   𝔅 = ⟨B, {φ_𝔅}_{φ∈Φ}, {ϱ_𝔅}_{ϱ∈P}⟩.

Let h be an isomorphism of the data structures 𝔄 and 𝔅, i.e., let h be
a one-to-one mapping of A onto B such that for every n-argument functor φ

(1) h(φ_𝔄(a₁, ..., a_n)) = φ_𝔅(h(a₁), ..., h(a_n))
and for every n-argument predicate ϱ,
(2) (a₁, ..., a_n) ∈ ϱ_𝔄 iff (h(a₁), ..., h(a_n)) ∈ ϱ_𝔅,
where a₁, ..., a_n are arbitrary elements of A.
For an arbitrary valuation v in the data structure 𝔄 we shall denote
by hv a valuation in 𝔅 such that
hv(x) = h(v(x)) for every individual variable x,
hv(q) = v(q) for every propositional variable q.

Lemma 6.1. If h is an isomorphism of 𝔄 and 𝔅, then for every term τ,
every open formula γ and an arbitrary valuation v in the structure 𝔄
(3) h(τ_𝔄(v)) = τ_𝔅(hv),

(4) 𝔄, v ⊨ γ iff 𝔅, hv ⊨ γ.

The proof is by induction on the length of the term τ and the formula γ
and is an easy consequence of definitions (1) and (2). □

Let Comp(M, v, 𝔄) be the tree of all possible computations of the
program M starting from the valuation v in the data structure 𝔄 and
let Comp(M, hv, 𝔅) be the tree of all possible computations of the
program M starting from the valuation hv in the data structure 𝔅 (cf. § 1).

We shall denote by h' the mapping which to every configuration ⟨v'; Rest⟩
of the tree Comp(M, v, 𝔄) assigns the configuration ⟨hv'; Rest⟩.

Lemma 6.2. If h is an isomorphism from 𝔄 onto 𝔅, then h' is an
isomorphism from the tree Comp(M, v, 𝔄) onto the tree Comp(M, hv, 𝔅).
Proof. Let us denote by D the tree which is the image of Comp(M,
v, 𝔄) under the mapping h'. We shall prove that D = Comp(M, hv, 𝔅).
Let us note first that the configuration ⟨hv; M⟩ is the root of both trees.
Suppose that the trees D and Comp(M, hv, 𝔅) are identical up
to the level n.
Let σ_n be a configuration on the level n in the tree D and σ_n = ⟨h(v_n);
K, Rest⟩. We shall now consider the different forms of the program K.
1° If K is an assignment instruction (x := τ) then the unique son
of σ_n in D is the configuration σ' = ⟨h(v_{n+1}); Rest⟩, where v_{n+1} is the
result of performing K at the valuation v_n, by the construction of the
tree Comp(M, v, 𝔄) and by the definition of h'.
By the induction hypothesis σ_n ∈ Comp(M, hv, 𝔅). Hence the unique
son of σ_n is a configuration σ'' such that σ'' = ⟨v'; Rest⟩ and v'
= (x := τ)_𝔅(hv_n). However, by (3) hv_{n+1} = v' and therefore σ' = σ'',
i.e., σ' ∈ Comp(M, hv, 𝔅).
2° If K is of the form if γ then K₁ else K₂ fi, then the next configuration
depends on the value of the formula γ at the valuation v_n. Suppose
𝔄, v_n ⊨ γ. The configuration σ = ⟨hv_n; K₁, Rest⟩ is then an element
of the (n + 1) level of the tree D. By the induction hypothesis σ_n is in
the tree Comp(M, hv, 𝔅) and the configuration ⟨hv_n; K₁, Rest⟩ is its
unique son whenever 𝔅, hv_n ⊨ γ. However, 𝔅, hv_n ⊨ γ iff 𝔄, v_n ⊨ γ,
by (4). Thus σ ∈ Comp(M, hv, 𝔅).
3° The remaining forms of the program K can be discussed
analogously.
As a consequence it follows that all configurations that occur
on the (n + 1) level of the tree D are on the (n + 1) level of the tree
Comp(M, hv, 𝔅).
Conversely, we can prove that all (n + 1) level vertices of Comp(M,
hv, 𝔅) occur on the (n + 1) level of D.
Thus
D = Comp(M, hv, 𝔅),
by the induction principle. □

As a corollary of Lemma 6.2 we obtain the following fact:

Lemma 6.3. If h is an isomorphism from 𝔄 onto 𝔅, then for an arbitrary
program K and an arbitrary valuation v in 𝔄
(i) v' ∈ K_𝔄(v) iff hv' ∈ K_𝔅(hv),
(ii) there exists an infinite computation of K starting from the
valuation v in the structure 𝔄 iff there exists an infinite computation of K
starting from hv in the structure 𝔅. □

Theorem 6.4. If h is an isomorphism from 𝔄 onto 𝔅, then for every
formula α of the language L
𝔄, v ⊨ α iff 𝔅, hv ⊨ α,
where v is an arbitrary valuation in 𝔄.
The proof is by induction on the length of the formula α and follows
immediately from Lemma 6.1 and Lemma 6.3. □

Definition 6.1. We shall say that the two data structures 𝔄 and 𝔅
are algorithmically equivalent iff for every formula α
𝔄 ⊨ α iff 𝔅 ⊨ α. □

The following corollary is a consequence of Theorem 6.4.

Corollary. Every two isomorphic data structures are algorithmically
equivalent. □

7. ON THE EQUIVALENCE OF NON-DETERMINISTIC PROGRAMS

Definition 7.1. We shall say that two non-deterministic programs
are equivalent, K ~ M for short, whenever they determine the same
relations in every data structure. □

Example 7.1. The following programs M, K are equivalent:

(i)
M: either
     if γ then M' else M'' fi
   or
     if γ then K' else K'' fi
   ro,
K: if γ then
     either M' or K' ro
   else
     either M'' or K'' ro
   fi;

(ii)
M: either
     begin K'; M' end
   or
     begin K''; M' end
   ro,
K: begin
     either K' or K'' ro;
     M'
   end. □

From the practical point of view the above definition is not very
useful, since two programs which in fact compute the same function
are not equivalent if they make use of different auxiliary variables.

Example 7.2. The following programs are not equivalent in the sense
of Definition 7.1:
M: either
     while γ do K od
   or
     while γ' do K' od
   ro,
M': begin
     either q := true or q := false ro;
     while (γ ∧ q) ∨ (γ' ∧ ¬q) do
       if q then K else K' fi
     od
   end,
where q is a propositional variable not occurring in K, K' and γ.
Moreover, let us note that Definition 7.1 does not capture the
difference if one program has an infinite computation and the other has not.
The programs
K: x := 1;
M: either
     x := 1
   or
     while x > 1 do x := x + 1 od
   ro
are equivalent in the sense of the relation ~ although M has an infinite
computation, while the unique computation of K is finite. □

Hence we shall modify Definition 7.1 to avoid the disadvantages
mentioned above.

Definition 7.2. The two programs K and M are equivalent up to the set
of variables X, K ~ M off X for short, iff for an arbitrary data structure
𝔄 and an arbitrary valuation v:
(i) there exists an infinite computation of K from the valuation v in 𝔄 iff
there exists an infinite computation of M from the valuation v in 𝔄,
(ii) K_𝔄 = M_𝔄 off X, i.e.,
(v, v') ∈ K_𝔄 implies
(∃v'')((v, v'') ∈ M_𝔄 and v' = v'' off X)
and
(v, v') ∈ M_𝔄 implies
(∃v'')((v, v'') ∈ K_𝔄 and v' = v'' off X). □
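The two notions just defined, made concrete as an added example (this is not code from the book): a small interpreter for the relational semantics of the non-deterministic programs above, which checks Lemma 6.3 (an isomorphism h carries K_𝔄(v) onto K_𝔅(hv) and preserves divergence) and Definition 7.2 on the programs of Example 7.2, i.e. M ~ M' off {q}, and the pair K, M that differ only in an infinite computation. The integer structures INT and NEG, the sample initial valuations and the step bound `fuel` are assumptions of the example, not part of the text.

```python
# Added example (not from the book): a small interpreter for the relational
# semantics of non-deterministic programs over a data structure. It checks
# Lemma 6.3 (an isomorphism h carries K_A(v) onto K_B(hv)) and Definition 7.2
# (K ~ M off X) on the programs of Example 7.2. The structures, sample
# valuations and step bound are constructed here, not taken from the text.
# Terms:    ('var', x) | ('const', n) | ('bool', b) | ('fn', name, t1, ...)
# Formulas: ('pred', name, t1, ...) | ('prop', q) | ('not', g) | ('and', g, g') | ('or', g, g')
# Programs: ('assign', x, t) | ('seq', K1, ...) | ('if', g, K, M) | ('while', g, K) | ('either', K, M)
# A data structure is a pair (functors, predicates) of dicts name -> Python function.

def term(t, v, A):
    if t[0] == 'var':
        return v[t[1]]
    if t[0] == 'bool':             # truth values do not depend on the structure
        return t[1]
    if t[0] == 'const':            # numerals are interpreted by the structure
        return A[0]['const'](t[1])
    return A[0][t[1]](*(term(s, v, A) for s in t[2:]))

def formula(g, v, A):
    k = g[0]
    if k == 'pred':
        return A[1][g[1]](*(term(s, v, A) for s in g[2:]))
    if k == 'prop':
        return v[g[1]]
    if k == 'not':
        return not formula(g[1], v, A)
    a, b = formula(g[1], v, A), formula(g[2], v, A)
    return (a and b) if k == 'and' else (a or b)

def freeze(v):
    return frozenset(v.items())

def run(K, v, A, fuel=60):
    """K_A(v) as (set of result valuations, some computation is infinite). A computation
    longer than `fuel` steps is reported as infinite: exact for the loops below (their
    state never repeats), only an approximation in general."""
    if fuel == 0:
        return set(), True
    k = K[0]
    if k == 'assign':
        w = dict(v)
        w[K[1]] = term(K[2], v, A)
        return {freeze(w)}, False
    if k == 'if':
        return run(K[2] if formula(K[1], v, A) else K[3], v, A, fuel - 1)
    if k == 'either':              # union of the two relations
        r1, d1 = run(K[1], v, A, fuel - 1)
        r2, d2 = run(K[2], v, A, fuel - 1)
        return r1 | r2, d1 or d2
    if k == 'while' and not formula(K[1], v, A):
        return {freeze(v)}, False
    # 'seq' composes its parts; a 'while' whose test holds composes body and loop
    parts = K[1:] if k == 'seq' else (K[2], K)
    states, div = {freeze(v)}, False
    for part in parts:
        nxt = set()
        for s in states:
            r, d = run(part, dict(s), A, fuel - 1)
            nxt |= r
            div = div or d
        states = nxt
    return states, div

def image(v, h):
    """hv: h applied to individual variables, propositional ones unchanged."""
    return {x: (a if isinstance(a, bool) else h(a)) for x, a in v.items()}

def isomorphism_preserved(K, v, A, B, h):
    """Lemma 6.3 for one program and initial valuation: h maps K_A(v) onto K_B(hv)."""
    rA, dA = run(K, v, A)
    rB, dB = run(K, image(v, h), B)
    return {freeze(image(dict(s), h)) for s in rA} == rB and dA == dB

def restrict(s, X):
    return frozenset((x, a) for x, a in s if x not in X)

def equivalent_off(K, M, X, A, initial):
    """Definition 7.2 over a finite sample of initial valuations in one structure."""
    for v in initial:
        rK, dK = run(K, v, A)
        rM, dM = run(M, v, A)
        if dK != dM:                                                      # clause (i)
            return False
        if {restrict(s, X) for s in rK} != {restrict(s, X) for s in rM}:  # clause (ii)
            return False
    return True

# Constructed structures: INT = (Z, +, -, numerals, >); NEG is its image under h(a) = -a,
# which satisfies (1) and (2): h(a+b) = h(a)+h(b), h(n) = -n, and a > b iff h(a) < h(b).
INT = ({'+': lambda a, b: a + b, '-': lambda a, b: a - b, 'const': lambda n: n}, {'>': lambda a, b: a > b})
NEG = ({'+': lambda a, b: a + b, '-': lambda a, b: a - b, 'const': lambda n: -n}, {'>': lambda a, b: a < b})
# Example 7.2 instantiated: gamma is x > 0, K is x := x - 1, gamma' is x < 4, K' is x := x + 1.
X_, Q = ('var', 'x'), ('prop', 'q')
GAMMA, GAMMA2 = ('pred', '>', X_, ('const', 0)), ('pred', '>', ('const', 4), X_)
K, K_PRIME = ('assign', 'x', ('fn', '-', X_, ('const', 1))), ('assign', 'x', ('fn', '+', X_, ('const', 1)))
M = ('either', ('while', GAMMA, K), ('while', GAMMA2, K_PRIME))
M_PRIME = ('seq', ('either', ('assign', 'q', ('bool', True)), ('assign', 'q', ('bool', False))),
           ('while', ('or', ('and', GAMMA, Q), ('and', GAMMA2, ('not', Q))), ('if', Q, K, K_PRIME)))
# Second pair of Example 7.2: K_ONE is x := 1; M_DIV has an infinite computation as well.
K_ONE = ('assign', 'x', ('const', 1))
M_DIV = ('either', K_ONE, ('while', ('pred', '>', X_, ('const', 1)), K_PRIME))
SAMPLE = [{'x': n, 'q': False} for n in range(6)]     # constructed initial valuations
```

`equivalent_off(M, M_PRIME, {'q'}, INT, SAMPLE)` holds while `equivalent_off(M, M_PRIME, set(), INT, SAMPLE)` fails, and `equivalent_off(K_ONE, M_DIV, set(), INT, [{'x': 2}])` fails only through clause (i).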

Lemma 7.1. Let X, Y be arbitrary sets of variables and K₁ ~ K₂ off X
and M₁ ~ M₂ off Y. The following properties are then valid:
(i) If V(γ) ∩ X = ∅, then
if γ then K₁ else M₁ fi ~ if γ then K₂ else M₂ fi off (X ∪ Y).
(ii) If X is a set of variables inessential (cf. Chapter III, § 6) for
M₁ and M₂, then
begin K₁; M₁ end ~ begin K₂; M₂ end off (X ∪ Y).

(iii) If V(γ) ∩ X = ∅ and X is a set of variables inessential for
K₁ and K₂, then
while γ do K₁ od ~ while γ do K₂ od off X.
(iv) either K₁ or M₁ ro ~ either K₂ or M₂ ro off (X ∪ Y).
Proof. We shall consider case (iv) since the proofs of the remaining
cases are similar to those presented in Chapter III, § 6.
Suppose there exists an infinite computation of the program either K₁
or M₁ ro from the valuation v in the structure 𝔄. Hence there exists
an infinite computation of K₁ or of M₁ starting from v in 𝔄. By the
assumption there exists an infinite computation of K₂ or of M₂ starting
from v in 𝔄 and therefore there exists an infinite computation of either
K₂ or M₂ ro from the valuation v.
Suppose (v, v') ∈ (either K₁ or M₁ ro)_𝔄. By the definition of the semantics
(v, v') ∈ K₁_𝔄 or (v, v') ∈ M₁_𝔄. Thus, by the assumption, either there
exists a valuation v₁ such that v' = v₁ off X and (v, v₁) ∈ K₂_𝔄 or there
exists a valuation v₂ such that v₂ = v' off Y and (v, v₂) ∈ M₂_𝔄. Hence
there exists a v'' ∈ (either K₂ or M₂ ro)_𝔄(v) with v'' = v' off (X ∪ Y).
The converse implications are obviously true also. □

Lemma 7.2. For arbitrary sets of variables X, Y and for arbitrary
programs K, M, M', if K ~ M off X and M ~ M' off Y then
K ~ M' off (X ∪ Y).
For the proof see Lemma 6.2 from Chapter III. □

Let us adopt the same definition of the normal form of programs
as in the deterministic case. Hence, we shall say that a program M is in
the normal form iff
M = begin M₁; while γ do M₂ od end,

where γ is an open formula and M₁ and M₂ are programs in which
the while-operation does not occur.
The following theorem is a generalization of the theorem on the
normal form of deterministic programs (cf. Chapter III, § 6):
Theorem 7.3. For every program M we can find in an effective way
a program M' in the normal form such that M ~ M' off X, where X is
a set of variables inessential for M and for M'.
Proof. The proof is by induction on the length of the program.
It proceeds analogously to those presented in Chapter III, § 6.
In the case of an either-program the theorem follows immediately
from the fact that the programs M and M' below are equivalent up to {q},
where q ∉ V(M₁) ∪ V(M₂) ∪ V(K₁) ∪ V(K₂).
M: either
     begin
       M₁;
       while γ₁ do M₂ od
     end
   or
     begin
       K₁;
       while γ₂ do K₂ od
     end
   ro,

M': begin
     either q := true or q := false ro;
     if q then M₁ else K₁ fi;
     while (q ∧ γ₁) ∨ (¬q ∧ γ₂) do
       if q then M₂ else K₂ fi
     od
   end. □
Let X be a set of variables inessential for K and for M and let F_X
denote the set of all formulas α such that V(α) ∩ X = ∅.

Lemma 7.4. If K ~ M off X, then for an arbitrary formula α ∈ F_X
(1) ⊢ ◇Mα ≡ ◇Kα and ⊢ □Mα ≡ □Kα.
Proof. Let us observe first that condition (1) is equivalent to
⊢ ◇Mα ≡ ◇Kα and ⊢ □M true ≡ □K true.
By the completeness result the latter condition is equivalent to
⊨ ◇Mα ≡ ◇Kα and ⊨ □M true ≡ □K true.
Since the results of K and M may differ in at most X and since by the
assumption we consider formulas which do not contain variables of X,
then for an arbitrary data structure 𝔄 and for an arbitrary valuation v
𝔄, v ⊨ ◇Kα iff 𝔄, v ⊨ ◇Mα
and
𝔄, v ⊨ □K true iff 𝔄, v ⊨ □M true.
This completes the proof of Lemma 7.4. □

Lemma 7.5. If K ~ M off X then for an arbitrary formula α ∈ F_X
⊢ ◇Mα iff ⊢ ◇Kα,
⊢ □Mα iff ⊢ □Kα.
This follows immediately from Lemma 7.4. □

For any program K, let PC_X(K) denote the partial correctness theory
of K such that
PC_X(K) = {(α, β) ∈ F_X²: ⊢ ((α ∧ ◇K true) ⇒ ◇Kβ)}.
As the next consequence of Lemma 7.4 we find that if two programs
are equivalent then their partial correctness theories are equal.

Lemma 7.6. If K ~ M off X, then for arbitrary formulas α, β ∈ F_X

⊢ ((α ∧ ◇K true) ⇒ ◇Kβ) iff
⊢ ((α ∧ ◇M true) ⇒ ◇Mβ),

i.e. PC_X(K) = PC_X(M).

Proof. Suppose that (α, β) ∉ PC_X(M) and K ~ M off X. By the
definition we have
non ⊢ ((α ∧ ◇M true) ⇒ ◇Mβ).

This implies by the Completeness Theorem that there exists a data
structure 𝔄 and a valuation v such that
non 𝔄, v ⊨ ((α ∧ ◇M true) ⇒ ◇Mβ).
Hence
(2) 𝔄, v ⊨ α and 𝔄, v ⊨ (◇M true ∧ ¬◇Mβ).
Thus, by the Completeness Theorem and Lemma 7.4, 𝔄, v ⊨ ¬◇Kβ,
and therefore, by (2), non 𝔄, v ⊨ ((α ∧ ◇K true) ⇒ ◇Kβ). Hence
((α ∧ ◇K true) ⇒ ◇Kβ) is not a theorem of NAL and moreover
(α, β) ∉ PC_X(K). As a consequence PC_X(K) ⊂ PC_X(M).
Analogously it can be proved that PC_X(M) ⊂ PC_X(K). □

A similar reasoning can be followed for some other versions of partial
and total correctness theories. Let us assume the following notation:
Cor_X◇(K) = {(α, β) ∈ F_X²: ⊢ (α ⇒ ◇Kβ)},
Cor_X□(K) = {(α, β) ∈ F_X²: ⊢ (α ⇒ □Kβ)},
PC_X◇◇(K) = {(α, β) ∈ F_X²: ⊢ ((α ∧ ◇K true) ⇒ ◇Kβ)},
PC_X□◇(K) = {(α, β) ∈ F_X²: ⊢ ((α ∧ □K true) ⇒ ◇Kβ)},
PC_X◇□(K) = {(α, β) ∈ F_X²: ⊢ ((α ∧ ◇K true) ⇒ □Kβ)},
PC_X□□(K) = {(α, β) ∈ F_X²: ⊢ ((α ∧ □K true) ⇒ □Kβ)}.

Lemma 7.7. For arbitrary programs K, M and for an arbitrary partial
or total correctness theory Th as defined above, if K ~ M off X then
Th(K) = Th(M). □

The last problem we shall consider in this section is the following:
Is it possible to express by a formula that two programs are equivalent
with respect to a set of variables X?
The answer is positive in the case where the non-deterministic
language L contains the predicate = (cf. Chapter III, § 7).

Assume that V(K) = {z₁, ..., z_n, q₁, ..., q_m}, V(M) = V(K) ∪ X and
X ∩ V(K) = ∅, where z_i is an individual variable for i ≤ n and q_j is
a propositional variable for j ≤ m. Let K(yp) be a copy of the program K
which is obtained by the simultaneous replacement of all occurrences
of z_i by y_i for i ≤ n and all occurrences of q_j by p_j for j ≤ m. Moreover, let
{y₁, ..., y_n, p₁, ..., p_m} ∩ X = ∅.

Lemma 7.8. Let L be a non-deterministic language with equality.
Then
K ~ M off X iff ⊢ □K true ≡ □M true and
⊢ ⋀_{i≤n} ◇K(yp) ◇M(y_i = z_i) ∧ ⋀_{j≤m} ◇K(yp) ◇M(p_j ≡ q_j). □

BIBLIOGRAPHIC REMARKS

For the motivations of non-determinism in logics of programs see Harel
and Pratt (1978c). The results of this chapter concerning NAL were
proved in Mirkowska (1980, 1980b). Dynamic logic, cf. Harel (1979),
is another approach to non-deterministic programs.
CHAPTER VII

PROBLEMS AND THEORIES INSPIRED BY THE LOGLAN PROJECT

This chapter differs in character from those preceding it. It presents
problems of semantics which arise during work on the design and
implementation of modern, very high level programming languages
like SIMULA, ADA, LOGLAN and others. A sample of current
research into the semantics of LOGLAN is presented below. The sections
also vary in the degree of descriptive detail. Some contain theories
which are almost complete, others present problems which are still open.
The reader will find a new mathematical model of concurrent
computations, a theory of the notion of reference and a few remarks on other
semantic problems. As we said earlier, the content of this chapter reflects
the status of present (1982) work on the formal specification of LOGLAN
semantics.
The chapter presents a method for the formal specification of a very
high level programming language. The method may be called axiomatic
since it brings in axioms; it may also be called algorithmic because
of the form of the axioms. It may be called modular since we factorize
the semantics of the programming language into modules (or subsystems),
then give every module a theory describing its properties and
finally put all the constructed theories together in order to give a theory
of the system of modules under consideration. This method is exemplified
in the sections devoted to the notion of reference.
In 1976 a group working on the design of the LOGLAN programming
language had to define the semantics of parallel processes. The
models known from the literature did not seem to be adequate for
the description of computational processes generated by statements
of a very high-level programming language. Consequently, a new
mathematical model of concurrent computations called the MAX model
was invented. The model facilitates the analysis of programs, since
for a given program K and initial state s of a computing system it
defines the set of all possible computations which have their origin in
the initial configuration ⟨s; K⟩. The model is not a scheduler's design,
and it is not meant as a concept of implementation. The description
of the model might give this impression, but the reader should not
be misled: this is an analytical model. It is easy to observe that
the MAX model presented here differs from the ARB model
consisting of arbitrary interleavings of atomic actions.

1. CONCURRENT PROGRAMS

A language of concurrent programs is determined by its sets of atomic instructions and open formulas. Informally, by a concurrent program we shall mean an expression constructed from atomic instructions and open formulas by means of the program connectives: composition, branching, iteration, non-deterministic choice, and parallel execution.

Definition 1.1. By a set of concurrent programs we shall understand the least set which contains all assignments and such that:
1. If K1, ..., Kn are programs, then begin K1; ...; Kn end, either K1 or ... or Kn ro, cobegin K1 || ... || Kn coend are programs.
2. If γ is an open formula and K, M are programs, then if γ then M else K fi and while γ do M od are programs. □

Example. Assume that +, −, / are two-argument functors and >, = are two-argument predicates. The expression
cobegin
while x > eps do x := b − a; a := a + x/2 od ||
while x > eps do x := b − a; b := b − x/2 od
coend
is then a program. □

Remark. In this and in the subsequent examples we shall omit the superfluous parentheses begin ... end. □

Definition 1.2. By a process we shall mean a maximal instruction contained in a concurrent program M of the form
cobegin K1 || ... || Kn coend,
i.e., every program K1, K2, ..., Kn is a process of the program M. □

2. MAX SEMANTICS

In this section we shall present the definition of MAX semantics of the programming language introduced above.
The meaning of a concurrent program can be determined by means of the notion of computation. As in the sequential case, a computation is a sequence of configurations such that the consecutive configurations are in the relation of direct successorship. The definition of this relation is the most important point in the presentation of the semantics.
We assume that each process has a processor assigned to it. It is possible to imagine that the nature of these processors is not important and especially that we should ignore the real and the relative speed of the processors. Our main assertion is quite the opposite. In our view it is the nature of the processors which should be taken into consideration. The definition of a computation given below makes use of the assumption of eagerness of processors, that is, processors cannot refuse to make the next step in the computation. However, we cannot predict how long it will take to execute a step.
One of the most important notions in this section is the notion of a conflict set. We shall use the following definition.

Definition 2.1. Let I be a finite set of instructions which consists of a set A of assignment instructions, a set C of conditional instructions and a set W of iteration instructions.
We shall say that the set I is a conflict set iff there exists a variable x occurring on the left-hand side of an assignment instruction of A which also occurs in another instruction of the set A or in a test formula of an instruction belonging to the set C ∪ W. □

Example 2.1. Let I1, I2 be sets of instructions such that
I1 = {x := y + z, while x > 0 do y := τ od},
I2 = {x := y + z, while y > 0 do x := τ od}.
The set I1 is a conflict set and the set I2 is a non-conflict set. □

The notion of a state of a computation, i.e., a configuration, is different from the analogous notion for sequential computations.
By a configuration of a concurrent computation we shall mean an ordered pair consisting of a valuation of variables and a list of programs in which certain instructions are indicated by an asterisk * or a circle ∘. The intuitive meaning of these symbols is:
∘: the instruction is under execution,
*: the instruction is ready, not yet started.
The initial configuration of a computation of a concurrent program K has the form ⟨v; *K⟩. To describe the notion of computation we shall give another definition of the notion of direct successorship (see Chapter II).

Definition 2.2. Let 𝔄 be a fixed data structure. The configuration ⟨v'; M'⟩ is a direct successor of the configuration ⟨v; M⟩ in the data structure 𝔄 iff the configuration ⟨v'; M'⟩ is obtained from ⟨v; M⟩ by means of the following non-deterministic algorithm:
1. Each mark * which precedes the symbol begin, cobegin or either moves inside the program according to the following rules:
*begin K1; ...; Kn end → begin *K1; ...; *Kn end,
*cobegin K1 || ... || Kn coend → cobegin *K1 || ... || *Kn coend,
*either K1 or ... or Kn ro → *Ki for arbitrary i ≤ n.
Repeat the first step until each mark * precedes an assignment, a conditional instruction or an iterative instruction. Let I be the set of instructions marked ∘ or * and let I0 ⊆ I be the set of instructions marked ∘.
2. Choose a maximal non-conflict set J (a non-deterministic choice) such that
I0 ⊆ J ⊆ I
and mark by ∘ all instructions from the set J − I0.
3. Choose an arbitrary non-empty set J' ⊆ J (a non-deterministic choice). Let J' = A ∪ C ∪ W, where A is the set of assignments, C the set of conditional instructions and W the set of iterative instructions.
4. Replace v by v', the result of the simultaneous execution of all assignments from the set A, and replace the instructions from the set J' by their successors as in Table 2.1.

Table 2.1

the instruction                    replace by                             iff
∘ if γ then M1 else M2 fi          *M1                                    𝔄, v ⊨ γ
∘ if γ then M1 else M2 fi          *M2                                    𝔄, v ⊨ ~γ
∘ while γ do M od                  *begin M; while γ do M od end          𝔄, v ⊨ γ
∘ while γ do M od                  *                                      𝔄, v ⊨ ~γ
∘ (x := τ)                         *

5. Mark out all empty instructions, i.e., replace all occurrences of begin * end and cobegin * || ... || * coend by *. □
Let us recall that a direct successor of a configuration ⟨v; M⟩ is any configuration ⟨v'; M'⟩ which can be obtained by the following operations:
(1) moving marks * inside,
(2) choosing a maximal non-conflict subset J of instructions (which retains the remainder of previous choices),
(3) choosing a subset J' ⊆ J of instructions that are to be completed in this step,
(4) execution of the instructions from J',
(5) deleting empty instructions.

Example 2.2. Consider the following configuration:
⟨v; *cobegin x := τ || if γ(x) then M1 else M2 fi || y := η coend⟩.
Let us assume that the variable x does not occur in the expression η and that the variable y occurs neither in the term τ nor in the formula γ. Suppose that 𝔄, v ⊨ γ.
This configuration has six different successors (below v[x ↦ τ(v)] denotes the valuation which differs from v only at x, where it takes the value τ(v)):
⟨v[x ↦ τ(v), y ↦ η(v)]; cobegin * || *if γ(x) then M1 else M2 fi || * coend⟩,
⟨v[y ↦ η(v)]; cobegin ∘x := τ || *if γ(x) then M1 else M2 fi || * coend⟩,
⟨v[x ↦ τ(v)]; cobegin * || *if γ(x) then M1 else M2 fi || ∘y := η coend⟩,
⟨v[y ↦ η(v)]; cobegin *x := τ || *M1 || * coend⟩,
⟨v[y ↦ η(v)]; cobegin *x := τ || ∘if γ(x) then M1 else M2 fi || * coend⟩,
⟨v; cobegin *x := τ || *M1 || ∘y := η coend⟩. □
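The following Python program is added here as an illustration and is not taken from the book. It encodes an instruction by the variables it writes and reads (this encoding, and the names a and b standing for the remaining variables of τ and η, are assumptions of the example), decides whether a set of instructions is a conflict set in the sense of Definition 2.1, and enumerates the maximal non-conflict sets J with I0 ⊆ J ⊆ I that step 2 of Definition 2.2 chooses from. Run on Example 2.1 it classifies I1 and I2; run on the configuration of Example 2.2 it yields the two admissible sets J and, counting the non-empty J' ⊆ J of step 3, the six successors listed above.

```python
"""Conflict sets (Definition 2.1) and the maximal non-conflict sets of step 2 of
Definition 2.2.  Constructed example; not code from the book."""
from itertools import combinations

# Instruction encoding (an assumption of this example):
#   ("assign", x, frozenset(vars of the term))          x := tau
#   ("if", frozenset(vars of the test))                  if gamma then ... fi
#   ("while", frozenset(vars of the test))               while gamma do ... od
# Only the test formula of a conditional/iterative instruction is looked at; its body is not.

def occurs(x, instr):
    """Does variable x occur in instr: either side of an assignment, the test of if/while."""
    if instr[0] == "assign":
        return x == instr[1] or x in instr[2]
    return x in instr[1]

def is_conflict_set(instrs):
    """Definition 2.1: some assignment writes a variable that occurs in another instruction."""
    instrs = list(instrs)
    return any(a[0] == "assign" and occurs(a[1], instrs[j])
               for i, a in enumerate(instrs) for j in range(len(instrs)) if j != i)

def maximal_non_conflict(I, I0=()):
    """Indices of the maximal non-conflict sets J with I0 ⊆ J ⊆ I; I0 are the indices of
    the instructions already under execution, which must stay in J."""
    idx = range(len(I))
    cands = [frozenset(c) for k in range(1, len(I) + 1) for c in combinations(idx, k)
             if set(I0) <= set(c) and not is_conflict_set(I[i] for i in c)]
    return sorted((J for J in cands if not any(J < K for K in cands)), key=sorted)

def max_successor_count(I, I0=()):
    """Number of direct successors in MAX semantics: for each admissible J, any non-empty
    J' ⊆ J may be the set of instructions completed in this step (steps 2 and 3)."""
    return sum(2 ** len(J) - 1 for J in maximal_non_conflict(I, I0))

# Example 2.1, encoded as above (tau is written with no free variables here).
I1 = [("assign", "x", frozenset({"y", "z"})), ("while", frozenset({"x"}))]
I2 = [("assign", "x", frozenset({"y", "z"})), ("while", frozenset({"y"}))]
# Configuration of Example 2.2: x := tau || if gamma(x) ... || y := eta, with x not in eta and
# y in neither tau nor gamma; "a" and "b" stand for the other variables of tau and eta (constructed).
EX22 = [("assign", "x", frozenset({"a"})), ("if", frozenset({"x"})), ("assign", "y", frozenset({"b"}))]

if __name__ == "__main__":
    print(is_conflict_set(I1), is_conflict_set(I2))
    print(maximal_non_conflict(EX22), max_successor_count(EX22))
    print(maximal_non_conflict(EX22, I0=(1,)))   # the conditional is already executing
```

The last call shows the role of I0: once the conditional carries the mark ∘ it must remain in J, so x := τ, which conflicts with it, cannot be started until the conditional completes.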

Definition 2.3. The tree of possible computations of a program K at the valuation v0 in a data structure 𝔄 is defined in the following way:
The root of the tree is labelled by the configuration ⟨v0; *K⟩, i.e., the initial configuration.
If the tree contains a node labelled by the configuration ⟨v; M⟩, then this node has as many direct successors as the configuration ⟨v; M⟩ has, and they are labelled by the successors of this configuration.
Any node labelled by ⟨v; *⟩ is a leaf.
Every maximal path of the above tree is called a possible computation of the program K at the valuation v0. □

In this way the semantics MAX is defined. The conflicts are ascertained at the level of instructions and a maximal non-conflict set of instructions is started at every step.

3. COMPARISON WITH SOME OTHER CONCEPTS OF CONCURRENCY

The main ideas of MAX semantics are:
(i) Double non-deterministic choice (we do not assume that all instructions which start execution will finish in the same step).
(ii) The maximal set of non-conflict actions is taken into consideration in each step (we do not admit lazy processors).
Let us now call the reader's attention to the second non-deterministic choice in the definition of MAX semantics. One may think that this choice is not essential; however, this is not the case. We shall discuss this problem briefly below.
Let us consider a modification of MAX semantics which is obtained by omitting step (3) of the definition (cf. Definition 2.2), i.e., all instructions chosen for execution will finish in this step (observe that the marks ∘ are not necessary in this case). Thus, the relation of direct successorship is determined by the following steps:
(1) putting marks * inside,
(2) choosing a maximal non-conflict set J of instructions,
(3) execution of all instructions from J,
(4) deleting empty instructions.
Let us call a semantics with the above direct successorship relation simple MAX semantics, or SMAX semantics for short. Below we shall indicate the difference between MAX and SMAX semantics.

Example 3.1. Let M denote the program
cobegin x := 1; x := 2; x := y || y := 3; y := 4 coend.
Let v be an arbitrary valuation in the data structure of natural numbers 𝔑. The only possible computation of the program M in SMAX semantics is as follows:
⟨v; cobegin *x := 1; x := 2; x := y || *y := 3; y := 4 coend⟩,
⟨v[x ↦ 1, y ↦ 3]; cobegin *x := 2; x := y || *y := 4 coend⟩,
⟨v[x ↦ 2, y ↦ 4]; cobegin *x := y || * coend⟩,
⟨v[x ↦ 4, y ↦ 4]; *⟩.
One of the possible computations in MAX semantics is the following:
⟨v; cobegin *x := 1; x := 2; x := y || *y := 3; y := 4 coend⟩,
⟨v[x ↦ 1]; cobegin *x := 2; x := y || ∘y := 3; y := 4 coend⟩,
⟨v[x ↦ 2, y ↦ 3]; cobegin *x := y || *y := 4 coend⟩,
⟨v[x ↦ 3, y ↦ 3]; cobegin * || *y := 4 coend⟩,
⟨v[x ↦ 3, y ↦ 4]; *⟩.
As a conclusion from the above we can observe the different algorithmic properties of the program M in MAX and in SMAX semantics:
𝔑 ⊨_SMAX □M(x = y) and 𝔑 ⊨_MAX ◇M(x ≠ y). □

To complete these considerations, let us observe that any computation of a program in SMAX semantics is one of the possible computations in MAX semantics. Thus any result obtained for a program in SMAX semantics is also a result of that program in MAX semantics starting from the same valuation. We shall express our observation shortly as
(5) SMAX ⊂ MAX.
One of the simplest models of concurrency is known as ARB semantics. Its relation of direct successorship differs from the analogous relation defined for SMAX semantics in the second step: we take an arbitrary set of non-conflict instructions instead of a maximal one. To obtain the next configuration of a computation in ARB semantics we proceed by the following steps:
(6) putting marks * inside the program,
(7) choosing an arbitrary set J of non-conflict instructions,
(8) execution of all instructions from J,
(9) deleting empty instructions.
It is a straightforward consequence of the definition that
(10) SMAX ⊂ ARB and MAX ⊂ ARB.
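As an added illustration (not the book's code), the following Python program builds the tree of possible computations of Definition 2.3 for programs whose processes are sequences of assignments, using the direct-successor relation of Definition 2.2 (MAX), its SMAX variant, and the ARB relation just defined, and collects the valuations at the leaves. Constants and variable-to-variable copies are the only terms supported, which suffices for Examples 3.1 and 3.2; the instruction encoding is an assumption of the example. Run on Example 3.1 it yields x = y = 4 as the only SMAX result, adds x = 3, y = 4 under MAX, and adds x = 0 (the initial value of y) under ARB, so both inclusions (5) and (10) are strict already for this program.

```python
"""Tree of possible computations (Definition 2.3) of assignment-only concurrent programs
under SMAX, MAX and ARB semantics.  Constructed example; not the book's code."""
from itertools import combinations

# Encoding (an assumption of this example): a process is a list of assignments (x, rhs),
# rhs being a variable name or a constant.  A configuration is (valuation, processes, started):
# processes holds the instructions still to be executed, started the indices of the processes
# whose current instruction carries the mark o (begun in an earlier step, not yet completed).

def conflict(a, b):
    """Definition 2.1 for two assignments: the variable written by one occurs in the other."""
    occurs = lambda x, instr: x == instr[0] or x == instr[1]
    return occurs(a[0], b) or occurs(b[0], a)

def non_conflict(instrs):
    return not any(conflict(a, b) for a, b in combinations(instrs, 2))

def subsets(items):
    """All non-empty subsets, as frozensets."""
    items = list(items)
    return [frozenset(c) for k in range(1, len(items) + 1) for c in combinations(items, k)]

def successors(conf, semantics):
    """Direct successors of conf under MAX (Definition 2.2), SMAX (step 3 dropped) or ARB."""
    val, procs, started = conf
    ready = [i for i, p in enumerate(procs) if p]           # processes with a pending instruction
    instr = {i: procs[i][0] for i in ready}
    ok = lambda S: non_conflict([instr[i] for i in S])
    if semantics == "ARB":                                  # any non-conflict set; all of it completes
        choices = [(J, J) for J in subsets(ready) if ok(J)]
    else:
        cands = [J for J in subsets(ready) if started <= J and ok(J)]
        maxs = [J for J in cands if not any(J < K for K in cands)]   # maximal, I0 ⊆ J ⊆ I
        if semantics == "SMAX":                             # the whole maximal set completes
            choices = [(J, J) for J in maxs]
        else:                                               # MAX: second choice of non-empty J' ⊆ J
            choices = [(J, Jp) for J in maxs for Jp in subsets(J)]
    out = []
    for J, done in choices:
        old, new = dict(val), dict(val)
        for i in done:                                      # simultaneous execution reads the old valuation
            x, rhs = instr[i]
            new[x] = old[rhs] if isinstance(rhs, str) else rhs
        procs2 = tuple(p[1:] if i in done else p for i, p in enumerate(procs))
        out.append((tuple(sorted(new.items())), procs2, frozenset(J - done)))
    return out

def final_valuations(program, init, semantics):
    """Valuations labelling the leaves of the tree (assignment-only programs always terminate)."""
    start = (tuple(sorted(init.items())), tuple(tuple(p) for p in program), frozenset())
    seen, stack, leaves = {start}, [start], set()
    while stack:
        conf = stack.pop()
        succ = successors(conf, semantics)
        if not succ:
            leaves.add(conf[0])
        for s in succ:
            if s not in seen:
                seen.add(s)
                stack.append(s)
    return leaves

def results(program, init, semantics, order):
    """The possible final values of the variables in `order`, as a set of tuples."""
    return {tuple(dict(v)[x] for x in order) for v in final_valuations(program, init, semantics)}

# Example 3.1:  cobegin x := 1; x := 2; x := y || y := 3; y := 4 coend
EX31 = [[("x", 1), ("x", 2), ("x", "y")], [("y", 3), ("y", 4)]]
# Example 3.2:  cobegin p := false || q := true; p := q coend
EX32 = [[("p", False)], [("q", True), ("p", "q")]]

if __name__ == "__main__":
    for sem in ("SMAX", "MAX", "ARB"):
        print(sem, results(EX31, {"x": 0, "y": 0}, sem, ("x", "y")),
              results(EX32, {"p": False, "q": False}, sem, ("p", "q")))
```

For Example 3.2 the same program reports p true at every leaf under SMAX and MAX, and both p true and p false under ARB, which is the content of the two formulas stated for that example.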
To see the difference between MAX and ARB semantics, let us
consider the following example.

Example 3.2. Let p and q be propositional variables and let K be the program
cobegin p := false || q := true; p := q coend.
In Figures 3.1 and 3.2 we present the set of all possible computations of K in ARB semantics and in MAX semantics. In both figures v1 = v[p ↦ false], v2 = v[p ↦ false, q ↦ true], v3 = v[p ↦ true, q ↦ true] and v4 = v[q ↦ true].

ARB semantics

The root ⟨v; *cobegin p := false || q := true; p := q coend⟩ has the three direct successors
⟨v1; cobegin * || *q := true; p := q coend⟩,
⟨v2; cobegin * || *p := q coend⟩,
⟨v4; cobegin *p := false || *p := q coend⟩.
The first has the only successor ⟨v2; cobegin * || *p := q coend⟩, whose only successor is the leaf ⟨v3; *⟩; the second has the leaf ⟨v3; *⟩ as its only successor; the third has the two successors ⟨v2; cobegin * || *p := q coend⟩ (leading to the leaf ⟨v3; *⟩) and ⟨v3; cobegin *p := false || * coend⟩, whose only successor is the leaf ⟨v2; *⟩.
Fig. 3.1

Thus in ARB semantics it is possible that after the execution of K the formula p holds and it is possible that this formula does not hold after another execution of K, i.e.,
⊨_ARB (◇K p ∧ ◇K ~p).
In MAX semantics, however, it is necessary that after every execution of K the formula p holds, i.e.,
⊨_MAX □K p. □

MAX semantics

The root ⟨v; *cobegin p := false || q := true; p := q coend⟩ has the three direct successors
⟨v1; cobegin * || ∘q := true; p := q coend⟩,
⟨v2; cobegin * || *p := q coend⟩,
⟨v4; cobegin ∘p := false || *p := q coend⟩.
The first and the third have the only successor ⟨v2; cobegin * || *p := q coend⟩ (in the third the instruction p := q conflicts with the executing p := false and must wait for it); this configuration, which is also the second successor, has the leaf ⟨v3; *⟩ as its only successor. Every leaf is ⟨v3; *⟩.
Fig. 3.2

Remark. One may think of an ARB' semantics with two non-deterministic choices:
(i) the first choice of an arbitrary set of non-conflict instructions which start execution in one step,
(ii) the second choice of an arbitrary subset (of the previously chosen set) of instructions which will finish execution in this step.
Thus the only difference between MAX and ARB' semantics would be in the word maximal (cf. Definition 2.2). However, as can easily be seen, in this case we can replace the two non-deterministic choices by only one. Hence ARB' = ARB. □

In all the semantics discussed above we have not assumed any restrictions on the set of processors, i.e., the number of processors was potentially infinite. Obviously in practice any computer has a bounded number of processors. We shall discuss the consequences of this assumption below.
Suppose that the computer we are talking about has only n processors. Thus in all kinds of semantics we can consider at most n instructions to be executed simultaneously. Let us call such semantics ARB(n), SMAX(n), MAX(n), respectively.

Lemma 3.1. For every natural number l, ARB(l) = ARB(l+1).

Proof. It is obvious by definition that every computation of an arbitrary program K in ARB(l) semantics is also a computation of the program K in ARB(l+1) semantics. Hence ARB(l) ⊂ ARB(l+1).
Conversely, every computation of a program K in ARB(l+1) semantics can be simulated in ARB(l) semantics.
Suppose I1, ..., I_{l+1} are the instructions which have been chosen for execution in a configuration ⟨v; M⟩ of some computation in ARB(l+1) semantics, and let ⟨v'; M'⟩ be the direct successor of ⟨v; M⟩ obtained by executing them:
⟨v; M⟩, ⟨v'; M'⟩.
By the definition of the semantics, the instructions I1, ..., I_{l+1} form a non-conflict set, hence the result v' can be obtained in two steps:
1. by the execution of I1, ..., I_l in the first step, and
2. by the execution of I_{l+1} in the second step.
Thus, for an appropriate valuation v'' and an appropriate program M'', we can replace the above-mentioned fragment of the computation by the following:
⟨v; M⟩, ⟨v''; M''⟩, ⟨v'; M'⟩.
Such a transformation applied to an ARB(l+1) computation results in an ARB(l) computation with the same result. Hence ARB(l+1) ⊂ ARB(l). □

As a conclusion from the above simple observation we have, for every natural number l,
ARB(1) = ARB(l).
Thus the semantics ARB(1), also called multiplexing, and ARB semantics are not essentially different.
Observe that
ARB(1) = MAX(1) = SMAX(1).
The same problem has a different solution for SMAX(n) semantics from the one it has for MAX(n) semantics.

Example 3.3. Let p be a propositional variable and 𝔑 the data structure of natural numbers. The behaviour of the following program M is different in SMAX(n+1) semantics from that in SMAX(n) semantics.
M: cobegin
p := false ||
x1 := x1 + 1; while p do x1 := x1 + 1 od || ... ||
xn := xn + 1; while p do xn := xn + 1 od
coend.
Let v be a valuation in 𝔑 such that v(xi) = 0 for i ≤ n.

SMAX(n+1) semantics
The computation of M is
⟨v; *M⟩,
⟨v[p ↦ false, x1 ↦ 1, ..., xn ↦ 1]; cobegin * || *while ... || ... || *while ... coend⟩,
⟨v[p ↦ false, x1 ↦ 1, ..., xn ↦ 1]; *⟩.
Hence we have the following properties: for every i ≤ n,
𝔑, v ⊨_SMAX(n+1) □M(xi = 1)
and
𝔑 ⊨_SMAX(n+1) □M true.

SMAX(n) semantics
One of the possible computations of the program M in the data structure 𝔑 is as follows:
⟨v; *M⟩,
⟨v[x1 ↦ 1, ..., xn ↦ 1]; cobegin *p := false || *while p do x1 := x1 + 1 od || ... || *while p do xn := xn + 1 od coend⟩,
⟨v[x1 ↦ 1, ..., xn ↦ 1]; cobegin *p := false || *x1 := x1 + 1; while p do x1 := x1 + 1 od || ... || *xn := xn + 1; while ... coend⟩,
⟨v[x1 ↦ 2, ..., xn ↦ 2]; cobegin *p := false || *while p do x1 := x1 + 1 od || ... || *while p do xn := xn + 1 od coend⟩,
...
(at every step the n increments form a maximal non-conflict set of n instructions, so the instruction p := false may be left out forever). Hence, for every natural number l,
𝔑, v ⊨_SMAX(n) ◇M(x1 = ... = xn = l)
and
𝔑 ⊨_SMAX(n) (p ⇒ ~□M true).

MAX(n) semantics
One of the possible computations of the program M in the structure 𝔑 is the following:
⟨v; *M⟩,
⟨v[x2 ↦ 1, ..., xn ↦ 1]; cobegin *p := false || ∘x1 := x1 + 1; while p do x1 := x1 + 1 od || *while p do x2 := x2 + 1 od || ... || *while p do xn := xn + 1 od coend⟩,
⟨v[x2 ↦ 1, ..., xn ↦ 1]; cobegin *p := false || ∘x1 := x1 + 1; while ... || *x2 := x2 + 1; while ... || ... || *xn := xn + 1; while ... coend⟩,
⟨v[x1 ↦ 1, x2 ↦ 2, ..., xn ↦ 2]; cobegin *p := false || *while p do x1 := x1 + 1 od || ... || *while p do xn := xn + 1 od coend⟩,
...
It is easy to see that every n-element sequence of natural numbers is a possible result of the program M in MAX(n) semantics. □

The conclusion is
MAX(n) ≠ SMAX(n), MAX(n) ≠ MAX(n+1) and SMAX(n) ≠ SMAX(n+1).

4. A COMPARISON OF MAX AND ARB SEMANTICS IN THE CASE OF PETRI NETS

The previous section has indicated the differences between MAX and ARB semantics. Now we shall discuss the same problem on the basis of Petri nets, to show that the distinction is deeper than could be seen from the examples given. We shall start with the necessary definitions.

Definition 4.1. By a Petri net we understand a quintuple
PN = ⟨PL, TR, BACK, FOR, m0⟩,
where PL and TR are finite disjoint sets, and BACK, FOR and m0 are functions such that
BACK: PL × TR → N,
FOR: TR × PL → N,
m0: PL → N. □

Each Petri net PN can be regarded as a bipartite graph
G = (PL ∪ TR, E),
where PL ∪ TR is the set of all vertices and the set E of edges is equal to {(p, t): BACK(p, t) > 0} ∪ {(t, p): FOR(t, p) > 0}. The elements of the set PL we shall call places and the elements of the set TR transitions. An edge of the form (p, t) will be called an in-arrow of the transition t; the function BACK determines the capacity of in-arrows. An edge of the form (t, p) will be called an out-arrow of the transition t; the function FOR determines the capacity of out-arrows. The function m0 is called the initial marking of the net PN.

Example 4.1. The graph shown in Figure 4.1 (p. 312) is a Petri net in which p1, ..., p5 are places and t1, ..., t4 are transitions. The initial marking is described by dots at the corresponding places and the values of the functions BACK and FOR are indicated on the arcs.

Definition 4.2. We shall say that transitions t1, ..., tn can fire simultaneously at a marking m in a Petri net PN = ⟨PL, TR, BACK, FOR, m0⟩ iff for every place p ∈ PL the following condition holds:
m(p) ≥ Σ_{i≤n} BACK(p, ti).
If the condition does not hold, then we say that the transitions {t1, ..., tn} are in conflict at the marking m. □

Definition 4.3. Let m, m' be arbitrary markings. We shall say that the marking m' is the result of the simultaneous firing of the transitions t1, ..., tn at the marking m in a Petri net PN iff
(a) the set {t1, ..., tn} of transitions can be fired simultaneously at the marking m,
(b) for an arbitrary p ∈ PL,
m'(p) = m(p) − Σ_{i≤n} BACK(p, ti) + Σ_{i≤n} FOR(ti, p). □

Definition 4.4. A sequence of pairs {(mj, Cj)}_{j∈J}, where J ⊆ N, will be called a firing sequence in SMAX semantics (ARB semantics) iff
(i) for every j ∈ J the set Cj is a maximal (an arbitrary) set of transitions that can fire at the marking mj,
(ii) the marking m_{j+1} is the result (if it is defined) of firing Cj at mj. □

Example 4.2. Let us return to Figure 4.1. Let m0 be the initial marking described on the graph. There are three possible non-conflict sets of transitions in the marking m0:
{t2}, {t3} and {t2, t3}.
Observe that the transitions t1 and t4 cannot be fired at m0.
Below we present three firing sequences in ARB semantics; a marking is written as the vector of its values at p1, p2, p3, p4, p5. The first example is a finite sequence:
⟨(0, 2, 2, 0, 1), {t2}⟩,
⟨(0, 1, 1, 0, 1), {t2}⟩,
⟨(0, 0, 0, 0, 1), ∅⟩.
Clearly, after two repetitive firings of the transition t2 the net is dead: no transition can be fired.
The second example shows an infinite firing sequence such that the values of the marking functions are not bounded:
⟨m0, {t3}⟩, ⟨m1, {t4}⟩, ⟨m2, {t3}⟩, ⟨m3, {t4}⟩, ...
The sequence of consecutive markings is defined as follows:
m_{2i+1} = (0, i+2, i+1, 2, 1),
m_{2i} = (0, i+2, i+2, 0, 1),
where i is an arbitrary non-negative integer.
The third example presents an infinite cyclic firing sequence
⟨m0, {t2, t3}⟩, ⟨m1, {t4}⟩, ⟨m0, {t2, t3}⟩, ⟨m1, {t4}⟩, ...,
where
m1 = (0, 1, 0, 2, 1). □
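The following Python program is added here and is not part of the book. It implements Definitions 4.2 to 4.4 on a small constructed net (an assumption of the example, not the net of Figure 4.1, whose functions BACK and FOR are given only in the figure): it computes the sets of transitions that may fire together at a marking, the result of a simultaneous firing, firing sequences in either semantics, and the markings reachable under SMAX and under ARB. On the constructed net every SMAX firing sequence cycles between two markings, while ARB can also reach a dead marking of the kind shown in the first sequence above, which is the sort of difference the text goes on to discuss.

```python
"""Simultaneous firing (Definitions 4.2, 4.3) and firing sequences in SMAX and ARB
semantics (Definition 4.4) on a small constructed net.  Not code from the book."""
from itertools import combinations

# Constructed net (an assumption of this example, not the net of Figure 4.1).
PLACES = ("p1", "p2", "p3")
TRANSITIONS = ("t1", "t2", "t3", "t4")
# BACK(p, t): tokens t takes from p; FOR(t, p): tokens t puts into p; absent pairs are 0.
BACK = {("p3", "t1"): 2, ("p1", "t2"): 1, ("p2", "t3"): 1, ("p2", "t4"): 1, ("p3", "t4"): 1}
FOR = {("t1", "p1"): 1, ("t1", "p2"): 1, ("t2", "p3"): 1, ("t3", "p3"): 1, ("t4", "p1"): 1}
M0 = (1, 1, 0)                # initial marking, as the vector of values at p1, p2, p3

def can_fire(m, ts):
    """Definition 4.2: for every place p, m(p) >= sum of BACK(p, t) over t in ts."""
    return all(m[i] >= sum(BACK.get((p, t), 0) for t in ts) for i, p in enumerate(PLACES))

def fire(m, ts):
    """Definition 4.3: m'(p) = m(p) - sum BACK(p, t) + sum FOR(t, p) over t in ts."""
    assert can_fire(m, ts), "transitions in conflict at this marking"
    return tuple(m[i] - sum(BACK.get((p, t), 0) for t in ts)
                 + sum(FOR.get((t, p), 0) for t in ts) for i, p in enumerate(PLACES))

def firable_sets(m, semantics):
    """Admissible C_j at m: every non-empty set that can fire (ARB), only maximal ones (SMAX)."""
    sets = [frozenset(c) for k in range(1, len(TRANSITIONS) + 1)
            for c in combinations(TRANSITIONS, k) if can_fire(m, c)]
    if semantics == "ARB":
        return sets
    return [c for c in sets if not any(c < d for d in sets)]

def is_dead(m):
    """No transition can fire at m (the net is dead, as in Example 4.2)."""
    return not firable_sets(m, "ARB")

def firing_sequence(semantics, steps, pick=lambda sets: min(sets, key=sorted)):
    """Definition 4.4: pairs (m_j, C_j), m_{j+1} being the result of firing C_j at m_j;
    `pick` resolves the non-deterministic choice among the admissible sets."""
    m, seq = M0, []
    for _ in range(steps):
        sets = firable_sets(m, semantics)
        if not sets:
            break                 # dead marking: the sequence is finite
        c = pick(sets)
        seq.append((m, c))
        m = fire(m, c)
    return seq

def reachable(semantics):
    """All markings reachable from M0 by firing sequences of the given semantics
    (the constructed net is bounded, so the search terminates)."""
    seen, frontier = {M0}, [M0]
    while frontier:
        m = frontier.pop()
        for c in firable_sets(m, semantics):
            n = fire(m, c)
            if n not in seen:
                seen.add(n)
                frontier.append(n)
    return seen

if __name__ == "__main__":
    print("SMAX:", sorted(reachable("SMAX")), "ARB:", sorted(reachable("ARB")))
    print("dead markings reachable under ARB:", [m for m in reachable("ARB") if is_dead(m)])
```

Under SMAX both t2 and t3 are enabled at M0 and do not compete for tokens, so the maximal set {t2, t3} is forced and the net returns to M0 through t1; under ARB firing t2 alone leaves t4 enabled, and t4 leads to the marking (0, 0, 1) where nothing can fire.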

We observed earlier (cf. § 3 of this chapter) that the semantics MAX and ARB are different. Now we shall mention observations showing that this difference is essential.
Consider the net in Figure 4.2 (p. 314).
In SMAX semantics the net behaves as follows:
(1) if p > 0 then t1 else t2 fi.
The meaning of the same net in ARB semantics would read
if p = 0 then t2 else either t1 or t2 ro fi.
A small modification of the net of Figure 4.2 gives a net (Figure 4.3) which, analysed in SMAX semantics, behaves as follows:
(2) begin while p > 0 do t1 od; t2 end.

As a consequence of the above observations, every partial recursive function can be computed by a Petri net with SMAX semantics. Hence, the stop problem for Petri nets with SMAX semantics is undecidable. On the other hand, it was proved by E. Mayr that the reachability problem, and therefore also the stop problem, for Petri nets interpreted in ARB semantics are decidable. This suggests that the constructions (1) and (2) cannot be interpretations of any Petri net with ARB semantics. More generally, we can conjecture that there exists a Petri net with SMAX semantics which cannot be simulated by any Petri net with ARB semantics. An example of such a net was given by H. D. Burkhard (1983). The result is that, using the constructions (1) and (2), we can construct a net which, interpreted in SMAX semantics, describes the set X presented in Figure 4.4. This example is very important since, by the Pumping Lemma (cf. Burkhard, 1981b), any set computable by a Petri net in ARB semantics contains an infinite linear subset. Obviously, the set described in Figure 4.4 does not contain an infinite line.

5. CRITICAL REMARKS CONCERNING MAX SEMANTICS

In this section we would like to consider the question of whether the MAX model adequately captures the phenomena of parallel distributed computations. We shall start our analysis with examples which show an unexpected power of MAX semantics.

Example 5.1. Consider the following program in the data structure of natural numbers 𝔑:
K: begin
p := true;
cobegin while p do x := x + 1 od || p := false coend
end.
Considered within ARB semantics, the program has the following properties:
𝔑 ⊨_ARB (∀k ∈ ω)(◇K(x > k) ∧ ~□K true).
Analysed in MAX semantics the program behaves fairly, i.e., both processes are active and therefore the program terminates:
𝔑 ⊨_MAX (k = x ⇒ □K(x = k ∨ x = k + 1)). □

One can compare this example with the remarks of Dijkstra and Lamport (1980) that the termination of the program K means exactly the fairness property of the semantics.

Example 5.2. Let us modify our previous example slightly:
K1: begin
p := true;
cobegin while p do x := x + 1 od || y := f(y); p := false coend
end.
We have as before
𝔑 ⊨_ARB (∀k ∈ ω)(◇K1(x > k) ∧ ~□K1 true),
and a similar behaviour can be observed in MAX semantics. The program K1 admits an infinite computation in both semantics.
In ARB semantics there is a possibility of unfair choice: the second process can be delayed for ever.
In MAX semantics the second process will begin execution of the instruction y := f(y). However, the completion of the instruction can be postponed ad infinitum by the second non-deterministic choice (cf. Definition 2.2). □

This minor disadvantage of the model can easily be overcome.
Suppose that with the initiation of an instruction one can associate a non-negative integer l, with the intention that, each time we make the second non-deterministic choice, the number l should be decreased or the instruction should be terminated. The instruction must be terminated (chosen) when l equals zero. The range of choice for the number l can reflect certain information about the executing system. If there is no limit for l, i.e., if l can be any non-negative integer, then the formula
(∀k) ◇K(x > k)
will be satisfied in MAX semantics.
Another possibility, that l is taken from a finite set of non-negative integers, seems closer to physical hardware. The number l then corresponds to the number of time units which are necessary in order to complete the instruction.

Example 5.3. Suppose we wish to limit the class of computing systems only to those where the relative speed of processors is comparable. Assuming the formula
(p ∧ x = k) ⇒ □cobegin while p do x := x + 1 od || y := y · y; p := false coend (x < k + 5)
to be valid, we arrive at the conclusion that the formula expresses the following fact:
One multiplication takes no more than five additions. □

We can end up with the following remark. Formulas like those in the above example can be regarded as axioms about computing systems. Such axioms can accept certain systems and reject others.
Another unexpected aspect of MAX semantics can be seen from the following discussion of the well-known case of the philosophers (cf. Figure 5.1).

Fig. 5.1

Five philosophers are sitting around the table. There are five forks and a fish. Each philosopher alternately 'thinks' or 'eats'. We assume that eating is possible only when the philosopher holds two forks. When passing from thinking to eating each philosopher must synchronize his actions with his two neighbours since the forks are shared.
Let us regard the system as a concurrent program written informally as follows:
cobegin ||_{i=1}^{5} Ph_i : do 'think'; 'take one fork'; 'take another fork'; 'eat' od coend.
We have used instructions which are not totally defined (e.g., 'take one fork') in order to leave more freedom in the system. Anyway, there is a possibility that each philosopher will take the fork on his left, and consequently no one will be able to continue. In the next section we shall discuss such cases.
The situation changes completely if we consider a slight modification of the program and analyse it in MAX semantics:
cobegin ||_{i=1}^{5} Ph_i : do 'think'; 'take forks f_{i−1}, f_{i mod 5}'; 'eat' od coend.
The change consists in treating the operation 'take forks f_{i−1}, f_{i mod 5}' as an atomic one. Due to this fact the analysis of the possible computations will show that no deadlock situation will occur: for every configuration there is a next one. This example might satisfy supporters of the MAX model, but in fact it can be regarded as a source of deep criticism of MAX semantics: it seems that our model is stronger than the system it is modelling.

6. LIBERAL SEMANTICS

In accordance with the criticism of § 5 of this chapter we are now going to change the structure of concurrent programs and their semantics to make them more natural. Moreover, the new semantics will be closer to that of the LOGLAN programming language.
The most important modification is that the semantics itself does not take care of conflicts. We allow all processes to work simultaneously if they are ready. However, it may happen that two processes try to change the value of the same shared variable. We assume that the result is then undefined, i.e., the processes put a value in the shared variable but we do not know which value.

Example 6.1. If two processes try to execute simultaneously x := 1 and x := 2, then as a result the value of x may become 1, 2, or any possible integer. □

Obviously such a situation is not a desirable one. Hence, the language will be equipped with control variables, called semaphores, and special atomic actions on them, called lock and unlock, which allow us to solve conflicts properly. We assume that the programmer himself will take care of conflicts to avoid undefined results.
Let us study the picture presented in Figure 6.1. The semaphore keeps watch over one or more variables to exclude possible conflicting actions.

Fig. 6.1

The intuitive meaning of the action lock(SEM) is to close the semaphore SEM, so that the other process cannot change the variables guarded by this semaphore. The meaning of the other action, unlock(SEM), is just the opposite: to open the semaphore SEM when the previous process has finished its action.
The strict definition of the new concurrent language is as follows:
Let L be an algorithmic language with the sets Vi and V0 of individual and propositional variables. We assume that the language L contains the set of control variables Sem.

Definition 6.1. By an atomic program of the language L we shall understand:
(i) every assignment instruction and
(ii) every expression of the form
lock(SEM), unlock(SEM),
where SEM is an arbitrary control variable. □

Definition 6.2. By a set of concurrent programs we shall understand the least set of expressions which contains all atomic instructions and is closed with respect to the same formation rules which appear in Definition 1.1. □

Example 6.2. The following expression is a concurrent program, where x is an individual variable, SEM is a control variable and 1, 2 are constants:
cobegin lock(SEM); x := 1; unlock(SEM) || lock(SEM); x := 2; unlock(SEM) coend. □
Let 𝔄 be a data structure for the language L. A valuation in 𝔄 consists of three parts: the valuation of individual variables, the valuation of propositional variables and the valuation of control variables. The values of control variables will be 'open' and 'closed'.
By a configuration of a concurrent computation we shall mean an ordered pair consisting of a valuation of all variables and a list of programs in which certain instructions are marked by *, ∘ or ⊗. The intuitive meaning of these marks is:
∘: the instruction is under execution,
*: the instruction is ready for execution,
⊗: the process is passivated (this sign will appear only before control instructions).

Definition 6.3. We shall say that the configuration ⟨v'; M'⟩ is a direct successor of a configuration ⟨v; M⟩ in LIBERAL semantics iff ⟨v'; M'⟩ is obtained by means of the following non-deterministic algorithm:
1. Each mark * moves inside the program until it precedes a basic instruction, according to the rules mentioned in Definition 2.2. Let I* be the set of all instructions marked with *, control actions excluded; let IC* be the set of all control actions marked with *, and let I∘ be the set of all instructions marked with ∘. If the set I* ∪ IC* ∪ I∘ is empty, then the configuration ⟨v; M⟩ does not have any direct successor.
2. Change the marks of all instructions from the set I* into ∘ (all instructions except control actions start execution). For every SEM ∈ Sem take from the set IC* only one instruction lock(SEM) or unlock(SEM) and change its mark into ∘. Let I' be the set of all control instructions marked with ∘.
3. Choose an arbitrary subset I'' of the set I* ∪ I∘ (the set of instructions which will finish execution).
4. Execute all instructions from the sets I' and I''.
The resulting configuration ⟨v'; M'⟩ is obtained by the simultaneous execution of all modifications displayed in Table 6.1 (p. 322). □

Example 6.3. Let us consider the following program
M: cobegin
lock(SEM); x := 1; unlock(SEM) ||
lock(SEM); if γ(x) then M1 else M2 fi; unlock(SEM) ||
y := 2
coend.
The reader is asked to compare this with Example 2.1.
The configuration ⟨v; *M⟩ has four direct successors:
⟨v[SEM ↦ closed]; cobegin *x := 1; unlock(SEM) || ⊗lock(SEM); if γ(x) then ... || ∘y := 2 coend⟩,
⟨v[SEM ↦ closed, y ↦ 2]; cobegin *x := 1; unlock(SEM) || ⊗lock(SEM); if γ(x) then ... || * coend⟩,
⟨v[SEM ↦ closed]; cobegin ⊗lock(SEM); x := 1; unlock(SEM) || *if γ(x) then M1 else M2 fi; unlock(SEM) || ∘y := 2 coend⟩,
⟨v[SEM ↦ closed, y ↦ 2]; cobegin ⊗lock(SEM); x := 1; unlock(SEM) || *if γ(x) then M1 else M2 fi; unlock(SEM) || * coend⟩. □
[Table 6.1 (p. 322), columns ‘instruction’ / ‘is replaced by’: for unlock(SEM) the valuation becomes v'(SEM) = open and, if the set of instructions marked by ⊗ is not empty, one instruction marked by ⊗ is chosen non-deterministically and its mark is replaced by *.]

Definition 6.4. A sequence c_0, c_1, ..., c_i, ... (i < n, n ≤ ω) is a computation of the program M at the valuation v in a data structure 𝔄 in LIBERAL semantics iff
(i) c_0 = ⟨v_0; *M⟩, where v_0(x) = v(x) for x ∈ V ∪ V_0 and v_0(SEM) = open for SEM ∈ Sem;
(ii) for all i, c_{i+1} is a direct successor of c_i or c_i has no direct successor. □

Example 6.4. Let M be the following program:

cobegin
  lock(SEM); p := false; unlock(SEM) ||
  x := x + 1; lock(SEM); while p do x := x + 1 od; unlock(SEM) ||
  y := y + 1; lock(SEM); while p do y := y + 1 od; unlock(SEM)
coend.

Below we shall present an example of a computation of the program M in LIBERAL semantics in the data structure of natural numbers. Each configuration is written with the values of SEM, p, x, y first:

⟨closed, true, 1, 0; cobegin *p := false; unlock(SEM) || *lock(SEM); while ... || ○y := y + 1; lock(SEM); while ... coend⟩,
⟨closed, false, 1, 1; cobegin *unlock(SEM) || ⊗lock(SEM); while ... || *lock(SEM); while ... coend⟩,
⟨closed, false, 1, 1; cobegin *unlock(SEM) || ⊗lock(SEM); while ... || ⊗lock(SEM); while ... coend⟩,
⟨open, false, 1, 1; cobegin * || *lock(SEM); while ... || ⊗lock(SEM); while ... coend⟩,
⟨closed, false, 1, 1; cobegin * || *while p do x := x + 1 od; unlock(SEM) || ⊗lock(SEM); while ... coend⟩,
⟨closed, false, 1, 1; cobegin * || *unlock(SEM) || ⊗lock(SEM); while p do y := y + 1 od ... coend⟩,
⟨open, false, 1, 1; cobegin * || * || *lock(SEM); while p do y := y + 1 od ... coend⟩,
⟨closed, false, 1, 1; cobegin * || * || *while p do y := y + 1 od; unlock(SEM) coend⟩,
⟨open, false, 1, 1; cobegin * || * || * coend⟩. □

A computation of a concurrent program can, as usual, be finite or infinite. However, in LIBERAL semantics, one can observe several other phenomena which could not be observed previously.
One of the most important problems is whether a conflict appears during the execution of the program. Due to LIBERAL semantics a computation in which a conflict has occurred cannot be an object of analysis. We cannot foresee, in general, the behaviour of the whole program. We shall call such computations conflict ones. Observe that a conflict computation can be either finite or infinite.
By the definition of the LIBERAL semantics a process can be passivated during the execution of the program. Thus it may happen that in a configuration all processes are passivated, waiting for some semaphores. Obviously such a configuration has no direct successor. We shall call this situation a deadlock. Observe that the computation in this case is finite but is not successful. Below we shall present an example of a program with a deadlock computation.

Example 6.5. Let I_1, I_2, I_1', I_2' be programs and let SEM1, SEM2 be semaphores. Let us consider the following configuration:
⟨v; cobegin *lock(SEM1); I_1; lock(SEM2); I_2 || *lock(SEM2); I_1'; lock(SEM1); I_2' coend⟩.
If programs I_1 and I_1' do not contain the instructions unlock(SEM1) and unlock(SEM2) and have finite computations then one of the next possible configurations is the deadlock
⟨v'; cobegin ⊗lock(SEM2); I_2 || ⊗lock(SEM1); I_2' coend⟩. □
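Definition 6.3 and the deadlock of Example 6.5, worked as an added example (Python written for this page, not code from the book): the non-deterministic successor step is enumerated for straight-line processes, and every reachable configuration is searched for ones that have no direct successor while a process is still passivated. The programs EXAMPLE_6_5 and ORDERED, the valuation V0 and the choice of I_1, I_1', I_2, I_2' as single assignments are constructed assumptions of this example.

```python
from itertools import chain, combinations, product

# Added example, not code from the book: the direct-successor step of
# Definition 6.3 enumerated for straight-line processes (assignments and
# lock/unlock only, so step 1 never has to move a mark past an if or while),
# and a search of all reachable configurations for the deadlocks of Example 6.5.
READY, EXEC, PASSIVE = "*", "o", "@"        # the marks *, o and the circled one

def inc(var):                               # the basic instruction var := var + 1
    return ("assign", var, lambda v: v[var] + 1)

def subsets(items):
    """Every subset of items: step 3 chooses an arbitrary finishing subset I''."""
    return chain.from_iterable(combinations(items, r) for r in range(len(items) + 1))

def successors(program, config):
    """Yield every direct successor of config = (valuation, counters, marks);
    the valuation is a sorted tuple of (variable, value) pairs so it hashes."""
    val, pcs, marks = config
    cur = [program[i][pc] if pc < len(program[i]) else None for i, pc in enumerate(pcs)]
    ready_basic = [i for i, ins in enumerate(cur) if ins and marks[i] == READY and ins[0] == "assign"]
    ready_ctrl = [i for i, ins in enumerate(cur) if ins and marks[i] == READY and ins[0] != "assign"]
    executing = [i for i, ins in enumerate(cur) if ins and marks[i] == EXEC]
    if not (ready_basic or ready_ctrl or executing):
        return                              # the configuration has no direct successor
    per_sem = {}                            # step 2: one control action per semaphore
    for i in ready_ctrl:
        per_sem.setdefault(cur[i][1], []).append(i)
    for chosen in product(*per_sem.values()):
        for finishing in subsets(ready_basic + executing):      # step 3
            v, p, m = dict(val), list(pcs), list(marks)
            for i in ready_basic:
                m[i] = EXEC                 # basic instructions start execution
            for i in finishing:             # step 4: the chosen ones complete
                v[cur[i][1]] = cur[i][2](dict(val))   # all read the old valuation
                p[i] += 1
                m[i] = READY
            wake = []                       # Table 6.1 rows for the control actions
            for i in chosen:
                kind, sem = cur[i]
                if kind == "lock" and v[sem] == "open":
                    v[sem] = "closed"
                    p[i] += 1
                    m[i] = READY
                elif kind == "lock":
                    m[i] = PASSIVE          # closed semaphore: the process is passivated
                else:
                    v[sem] = "open"
                    p[i] += 1
                    m[i] = READY
                    waiting = [j for j, ins in enumerate(cur) if m[j] == PASSIVE and ins[1] == sem]
                    if waiting:
                        wake.append(waiting)   # one waiting process, chosen freely, gets *
            for woken in product(*wake):
                mm = list(m)
                for j in woken:
                    mm[j] = READY
                yield (tuple(sorted(v.items())), tuple(p), tuple(mm))

def reachable(program, v0):
    """All configurations reachable from <v0; *M> (Definition 6.4)."""
    start = (tuple(sorted(v0.items())), (0,) * len(program), (READY,) * len(program))
    seen, todo = {start}, [start]
    while todo:
        c = todo.pop()
        for n in successors(program, c):
            if n not in seen:
                seen.add(n)
                todo.append(n)
    return seen

def deadlocks(program, v0):
    """Reachable configurations with no direct successor in which a process is
    still passivated: finite but unsuccessful computations end here."""
    return [c for c in reachable(program, v0)
            if PASSIVE in c[2] and next(successors(program, c), None) is None]

# Constructed sample inputs.  Example 6.5 with I1, I1', I2, I2' taken to be
# single assignments and no unlock anywhere; and the same two critical
# sections with both semaphores taken in one fixed order and released again.
EXAMPLE_6_5 = (
    (("lock", "SEM1"), inc("x"), ("lock", "SEM2"), inc("x")),
    (("lock", "SEM2"), inc("y"), ("lock", "SEM1"), inc("y")),
)
ORDERED = (
    (("lock", "SEM1"), ("lock", "SEM2"), inc("x"), ("unlock", "SEM2"), ("unlock", "SEM1")),
    (("lock", "SEM1"), ("lock", "SEM2"), inc("y"), ("unlock", "SEM2"), ("unlock", "SEM1")),
)
V0 = {"SEM1": "open", "SEM2": "open", "x": 0, "y": 0}

if __name__ == "__main__":
    for name, prog in (("Example 6.5", EXAMPLE_6_5), ("ordered locking", ORDERED)):
        print(name, "deadlock configurations:", len(deadlocks(prog, V0)))
```

The only deadlock found for EXAMPLE_6_5 is the configuration of the text, with both processes passivated in front of their second lock; ORDERED reaches a terminal configuration with both semaphores open and none.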

The next property we should like to mention is starvation. This is a property of infinite computations. We shall say that the i-th process of a concurrent program is starved if during an infinite computation there appears a configuration in which the i-th process is passivated waiting for a semaphore, say SEM, and in the subsequent configurations of this computation the semaphore SEM is opened infinitely many times.

Example 6.6. Let x, y be individual variables and let SEM be a semaphore. In the data structure of real numbers with the usual interpretation of functors and relations, we have the following computation of the program M in LIBERAL semantics (each configuration is written with the values of x, y, SEM first):

⟨1, 1, open; cobegin *lock(SEM); x := x + 1; unlock(SEM); while x > 0 ... || *lock(SEM); x := 0; y := 0; unlock(SEM) || *lock(SEM); y := y + 1; unlock(SEM); while y > 0 ... coend⟩,
⟨2, 1, closed; cobegin *unlock(SEM); while x > 0 ... || ⊗lock(SEM); x := 0; ... || ⊗lock(SEM); y := y + 1; unlock(SEM); while y > 0 ... coend⟩,
⟨2, 1, open; cobegin *while x > 0 do lock(SEM); ... || ⊗lock(SEM); x := 0; ... || *lock(SEM); y := y + 1; ... coend⟩,
⟨2, 2, closed; cobegin ⊗lock(SEM); x := x + 1; ... || ⊗lock(SEM); x := 0; ... || *unlock(SEM); while y > 0 do ... coend⟩,
⟨2, 2, open; cobegin *lock(SEM); x := x + 1; unlock(SEM); while ... || ⊗lock(SEM); x := 0; ... || *while y > 0 do ... coend⟩.

In all the next configurations of this computation the second process is waiting for the semaphore SEM while the first and the third process occupy the semaphore in turns alternately:

⟨i + 1, i, closed; cobegin *unlock(SEM); while x > 0 do ... || ⊗lock(SEM); x := 0; ... || ⊗lock(SEM); y := y + 1; unlock(SEM); while ... coend⟩,
⟨i + 1, i, open; cobegin *while x > 0 do ... || ⊗lock(SEM); x := 0; ... || *lock(SEM); y := y + 1; ... coend⟩,
⟨i + 1, i + 1, closed; cobegin ⊗lock(SEM); x := x + 1; ... || ⊗lock(SEM); x := 0; ... || *unlock(SEM); while y > 0 do ... coend⟩,
⟨i + 1, i + 1, open; cobegin *lock(SEM); x := x + 1; ... || ⊗lock(SEM); x := 0; ... || *while y > 0 do ... coend⟩, ...



It is fairly evident that LIBERAL semantics does not assume the existence of a central scheduler. We are going to show that under certain assumptions on the form of programs LIBERAL semantics and MAX semantics are equivalent. Hence, MAX semantics does not always require a central synchronizing tool for choosing maximal non-conflict sets.
Let us consider a program K such that for every one of its processes and for every atomic instruction At at most one non-local variable of the process occurs in At (i.e. one shared variable). Without loss of generality we can assume that non-local variables do not occur in tests after if or after while. Let us modify the program K in the following way: with every shared variable x associate a semaphore variable SEM_x, and replace every atomic instruction At which contains a shared variable x by the three instructions
lock(SEM_x); At; unlock(SEM_x).
The program obtained in this way will be denoted by K'. Let v be a valuation in 𝔄 such that the values of all semaphore variables are ‘open’. With these assumptions we have the following lemma.

Lemma 6.1. Trees of all computations of program K' from the initial valuation v in MAX and in LIBERAL semantics are equal.
Proof. Every MAX computation of K' is equal to a LIBERAL computation of K'. Consider a configuration c of the form
⟨v; m_1 a_1 R_1 || ... || m_n a_n R_n⟩,
where v is a valuation of variables, m_1, ..., m_n are marks, a_1, ..., a_n are atomic instructions, and R_1, ..., R_n are the remaining instructions of the processes.
Let I be the subset of atomic instructions containing all non-passivated instructions.
Every maximal non-conflict subset of I can result, by Definition 6.3 of LIBERAL semantics, and, vice versa, every set of instructions J ⊆ I initiated by LIBERAL semantics is a maximal non-conflict set. This is almost self-evident. All non-control instructions of I are not in conflict, and among the others, i.e. control instructions, one instruction for every semaphore is selected. Thus a maximal non-conflict set will have marks ○ (under execution).
Observe that every maximal non-conflict set can be defined as a result of the corresponding step in LIBERAL semantics. The remaining details of the proof are straightforward. □

7. AN ALGORITHMIC THEORY OF REFERENCES

We now proceed to other questions connected with the LOGLAN project; namely, the problems related to the notion of reference and to the concatenation of module declarations.
In Chapter IV we developed algorithmic theories of data structures. In spite of the progress made by the application of algorithmic logic, the theories are abstract ones. In § 8 of this chapter the reader will find examples of programming phenomena which cannot be explained on the ground of axiomatic, abstract theories of data structures. In order to understand these phenomena fully, one needs a knowledge of the notion of reference and its properties.
To conclude this chapter, we wish to indicate the rich variety of problems inspired by the concatenation rule of module declarations (also called prefixing). Introduced for the first time in SIMULA-67, this has found full, unrestricted and efficient implementation in LOGLAN. Problems with the implementation of this concatenation rule are richer than those of the copy rule for elimination of procedure calls (cf. Langmaack, 1979). The numerous applications of prefixing also make it a valuable object of study.
A reference is to be understood as an element of a system in which the following operations are admissible: reserve a portion of memory cells (a frame), release a portion reserved earlier, check whether a frame is reserved. These operations lead from one state of memory management to another. Hence, a system of memory management is a two-sorted system with Fr being the sort of frames and St the sort of memory states. On closer examination we see that the reserve operation splits into two parts: newfr (find a free frame) and insert (an operation which reserves a frame by inserting it into the set of reserved frames).
The data structure for memory management is any system with the following signature which satisfies the postulates listed below:
⟨Fr ∪ St; insert, delete, newfr, none, allfree, member, =⟩,
where
insert: (Fr − {none}) × St → St. Given a frame f and a state s, insert(f, s) gives the new state in which frame f is reserved;
delete: Fr × St → St. The value of delete(f, s) is the state s' in which f is freed;
newfr: St → Fr. newfr(s) brings a frame free in the state s;
none ∈ Fr, a distinguished frame called the empty frame;
allfree ∈ St, a distinguished state of memory in which all frames are free;
member: Fr × St → B_0. Relation member(f, s) is satisfied iff frame f is free in state s.

Postulates

P1. For every state s ∈ St the set of reserved frames is finite.
P2. Operation insert reserves at most one frame f in a given state s. Moreover, for every f' ≠ f the status of f' in s remains unchanged in s' = insert(f, s).
P3. Operation delete frees at most one frame f in a given state s. Moreover, for every f' ≠ f the status of f' in s remains unchanged in s' = delete(f, s).
P4. For every state s the value newfr(s) is a frame free in s.
P5. In the state allfree every frame is free.
P6. Frame none is not free in any state.
P7. For every frame f ≠ none there exists a state s such that newfr(s) = f.
P8. The set of memory frames Fr is denumerable.
P9. The operation insert does not admit frame none as an argument.
The specific axioms of the algorithmic theory of references ATR contain some of the postulates, while the others can be deduced as theorems of ATR.
ATR1. begin s' := allfree;
        while s ≠ allfree do
          f := newfr(s');
          if member(f, s) then s := delete(f, s) fi;
          s' := insert(f, s')
        od
      end true
(in every state s only a finite number of frames satisfies member(f, s)),
ATR2. (s' := delete(f, s))(~member(f, s') ∧ (f' ≠ f ⇒ (member(f', s) ≡ member(f', s')))),
ATR3. (f ≠ none ⇒ (s' := insert(f, s))(member(f, s') ∧ (f' ≠ f ⇒ (member(f', s) ≡ member(f', s'))))),
ATR4. newfr(s) ≠ none,
ATR5. ~member(newfr(s), s)
(for every state s, newfr(s) is a free frame in s),
ATR6. ~member(f, allfree),
ATR7. ~member(none, s).

Theorem 7.1. Theory ATR is consistent.

Proof. The following system is a model of ATR:
⟨N ∪ Fin(N − {0}); in, del, nfr, 0, ∅, mb, =⟩,
where N is the set of natural numbers, Fin(N − {0}) is the family of finite subsets of N − {0}, 0 and ∅ have an obvious meaning and the operations are defined as follows:
in(i, s) = s ∪ {i} if i ≠ 0, and is undefined if i = 0,
del(i, s) = s − {i},
nfr(s) = min(N − s − {0}),
mb(i, s) ≡ i ∈ s.
By simple verification we observe that all the axioms ATR1–ATR7 are valid in the above system. □
In the sequel we shall consider an arbitrary model 𝔐 of ATR. We shall study the properties of the set Fr of all frames of the model.

Theorem 7.2. For every non-empty frame f ≠ none there exists a state s such that newfr(s) = f, i.e. the formula
(f ≠ none ⇒ (s := allfree)(while newfr(s) ≠ f do s := insert(newfr(s), s) od) true)
is a theorem of ATR.
Proof. Let f ≠ none. Let s' = insert(f, allfree). By axiom ATR1 it follows that after a finite iteration of the instruction s' := insert(newfr(s'), s'), newfr(s') = f. □

Theorem 7.3. The set Fr of frames is infinite.
Proof. Suppose the contrary, i.e. that Fr = {f_1, ..., f_n, none} for some n. Define s = insert(f_1, insert(f_2, ... insert(f_n, allfree) ...)). By ATR3 and ATR6 it follows that
(1) (∀f ≠ none) member(f, s).
Consider the element newfr(s). By ATR4 we have newfr(s) ≠ none and by ATR5 we obtain ~member(newfr(s), s), which contradicts (1). □

Definition 7.1.
f_1 ≤ f_2 ≡ (f_1 = none ∨
  begin s := allfree; bool := false; rel := false;
    if f_2 ≠ none then
      while ~bool do
        f := newfr(s);
        if f = f_1 then rel := bool := true else
          if f = f_2 then bool := true else
            s := insert(f, s)
          fi
        fi
      od
    fi
  end rel). □

Lemma 7.4. Relation ≤ is a linear order. □


Lemma 7.5. The set Fr with ≤ is of order type ω.
Proof. The first element in Fr is none since (∀f)(none ≤ f). We shall define the successor operation f* in Fr as follows:
none* = (s := allfree) newfr(s).
For f ≠ none we put
f* = (s := allfree; while newfr(s) ≠ f do s := insert(newfr(s), s) od; s := insert(f, s)) newfr(s).
The operation * is defined correctly (cf. Chapter IV, § 2). Consider the set X = {f' : f ≤ f' ∧ f' ≠ f}. The reader will verify that f* is the least element in the set X. To complete the proof we should check the following property:
if none ∈ Y and for every element f of Y, Y contains the successor of the element f, then Y = Fr.
Suppose Y ≠ Fr, f_0 ∈ Fr, f_0 ∉ Y. By Theorem 7.2 we have
(∃i ≥ 0) (s := allfree)(s := insert(newfr(s), s))^i (newfr(s) = f_0).
Since none ∈ Y we obtain none* = (s := allfree) newfr(s) ∈ Y. By the definition of a successor it follows that all elements
(s := allfree)(s := insert(newfr(s), s))^j newfr(s), for j < i,
are in Y. Hence f_0 also belongs to Y, a contradiction. □

Corollary. For every model of ATR theory the ordered set (Fr, ≤) is isomorphic with (N, ≤). □

8. REPRESENTATION THEOREM FOR ATR THEORY

In this section we shall justify our choice of axioms by proving that the set of references can be identified with the set of natural numbers, the addresses of frames.

Definition 8.1. By a standard model of ATR theory we shall understand any model
⟨N ∪ Fin(N − {0}); in, del, nfr, 0, ∅, mb, =⟩
as described in the previous section (p. 330) which can differ in the interpretation of the nfr operation. □

Definition 8.2. Let M = ⟨Fr ∪ St; insert, delete, newfr, member, none, allfree, =⟩ be a model of ATR. By a reduct of M we understand the system which results from M by omitting the operation newfr, i.e.
M' = ⟨Fr ∪ St; insert, delete, none, allfree, member, =⟩. □

Observe that all reducts of standard models are identical.

Definition 8.3. We define
s ≡_St s' ≡ (∀f)(member(f, s) ≡ member(f, s')).
We shall say that states s and s' are equal whenever s ≡_St s'. □

Theorem 8.1 (on the Representation of References). Let 𝔐 be a model of ATR. Consider the quotient system 𝔐' = 𝔐/(=, ≡_St) which results from 𝔐 by identification of equal states. The reduct of the model 𝔐' is isomorphic with the reduct of a standard model. □

The question of reducts may seem strange. First of all let us remark that there are other standard models, e.g. the one in which the operation newfr is defined as follows:
newfr(s) = max(s) + 1.
The standard model defined above and the standard model of the preceding section are not isomorphic. On the other hand it is hard to argue about the advantages of one model as compared to the other. One can observe a similarity between the theory of references and the theory of dictionaries. Our remarks concerning the effectiveness of the amember operation of dictionaries may be repeated here. Operation newfr is a selector and in general proofs of the existence of this selector are not constructive. All of them have to use the axiom of choice.
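The standard model from the proof of Theorem 7.1, the ordering of Definition 7.1, the successor of Lemma 7.5 and the second standard model newfr(s) = max(s) + 1 just mentioned, as an added Python example (not the book's code): the axioms ATR2–ATR7 are checked on all small states, the program of ATR1 is run literally, and the two selectors are shown to define the same order on frames while disagreeing on newfr of a state with a gap. The function names (nfr_min, nfr_max, check_axioms, free_all, leq, successor, same_order) and the value newfr(allfree) = 1 for the max-based selector are assumptions of this example.

```python
from itertools import combinations

# Added example, not the book's code: the standard model of ATR from the
# proof of Theorem 7.1.  Frames are natural numbers with none = 0, a state is
# a finite set of reserved frames, so member(f, s) is "f in s", and the
# model is parameterised by the newfr selector so that the second standard
# model newfr(s) = max(s) + 1 of Section 8 can be compared with it.
NONE, ALLFREE = 0, frozenset()

def nfr_min(s):              # Theorem 7.1: min(N - s - {0})
    f = 1
    while f in s:
        f += 1
    return f

def nfr_max(s):              # Section 8: max(s) + 1, taken to be 1 on allfree (assumption)
    return max(s, default=0) + 1

def insert(f, s):
    if f == NONE:            # P9: none is not admitted
        raise ValueError("insert(none, s) is undefined")
    return s | {f}

def delete(f, s):
    return s - {f}

def member(f, s):
    return f in s

def states_upto(n):
    """Every state reserving frames from {1, ..., n}: a finite test universe."""
    return [frozenset(c) for r in range(n + 1) for c in combinations(range(1, n + 1), r)]

def check_axioms(newfr, n=4):
    """Evaluate ATR2-ATR7 on all states over frames 1..n, with 0..n+1 as the
    candidate frames f, f'; returns the names of the axioms that fail."""
    bad, frames = set(), range(0, n + 2)
    for s in states_upto(n):
        for f in frames:
            s2 = delete(f, s)                                            # ATR2
            if member(f, s2) or any(member(g, s) != member(g, s2) for g in frames if g != f):
                bad.add("ATR2")
            if f != NONE:                                                # ATR3
                s1 = insert(f, s)
                if not member(f, s1) or any(member(g, s) != member(g, s1) for g in frames if g != f):
                    bad.add("ATR3")
        if newfr(s) == NONE:
            bad.add("ATR4")
        if member(newfr(s), s):
            bad.add("ATR5")
        if member(NONE, s):
            bad.add("ATR7")
    if any(member(f, ALLFREE) for f in frames):
        bad.add("ATR6")
    return sorted(bad)

def free_all(s, newfr):
    """The program of ATR1, run literally: returns how many iterations it needs
    to free every frame of s (finite because s reserves finitely many frames)."""
    s1, steps = ALLFREE, 0
    while s != ALLFREE:
        f = newfr(s1)
        if member(f, s):
            s = delete(f, s)
        s1 = insert(f, s1)
        steps += 1
    return steps

def leq(f1, f2, newfr):
    """Definition 7.1: f1 <= f2, decided by enumerating frames from allfree."""
    if f1 == NONE:
        return True
    s, rel, done = ALLFREE, False, f2 == NONE
    while not done:
        f = newfr(s)
        if f == f1:
            rel = done = True
        elif f == f2:
            done = True
        else:
            s = insert(f, s)
    return rel

def successor(f, newfr):
    """The operation f* from the proof of Lemma 7.5."""
    s = ALLFREE
    if f != NONE:
        while newfr(s) != f:
            s = insert(newfr(s), s)
        s = insert(f, s)
    return newfr(s)

def same_order(limit=6):
    """Both selectors induce the natural order on 0..limit (Corollary after
    Lemma 7.5), although they disagree on newfr of a state with a gap."""
    return all(leq(a, b, nfr_min) == leq(a, b, nfr_max) == (a <= b)
               for a in range(limit + 1) for b in range(limit + 1))
```

Running the checks shows both selectors satisfying every axiom and inducing the same order, while on the state {1, 3} they pick frames 2 and 4 respectively; this is the non-isomorphism of the two standard models, invisible to their (identical) reducts.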
The theory described above can be used to explain the semantics of those programming languages whose frames are reusable and where at the same time the construction of the language assures safety, e.g. no attempt will be made to access a variable local to a block when the block itself is closed. Moreover, for languages like PASCAL, SIMULA, ADA, LOGLAN one can apply the notion of reference in order to explain why new node(e) ≠ new node(e) (cf. Chapter IV, § 15), or why
(a := new node(e); b := a; a.e := r)(b.e = r).
The abstract theories of data structures in Chapter IV can now be expanded by introducing references. Suppose we are given a formalized algorithmic theory T which specifies the properties of “abstract” static objects, i.e. elements of a model of T. Making use of the notion of reference, we shall deal with “dynamic” objects to be conceived of as the ordered pairs
(reference, static object).

Example. For nodes of binary trees (cf. Chapter IV, § 15) we have static objects as triples with the fields v, l, r (holding the values e, n_1, n_2), and dynamic objects as pairs ⟨ref, ⟨v, l, r⟩⟩. □

Let us consider a few simple properties of dynamic objects and states of computation:
1. Every state of a computation contains a finite number of dynamic objects.
2. If in a state of a computation two dynamic objects have equal references then they are identical.
3. No operation can update a reference in an existing dynamic object.
In LOGLAN the only operations dealing with references are the operation new t, which creates a new dynamic object of type t, and the operation kill(x), which deletes the dynamic object x.
For every algorithmic theory T of an abstract data structure we can construct another, dynamic theory by “putting together” theories T and ATR (the algorithmic theory of references). An example of this approach can be found in Oktaba (1981).
We shall classify programming languages into two groups; ALGOL and SIMULA belong to the first group, PASCAL, ADA, and LOGLAN to the second. In the case of a language of the first group we observe that objects created during computation exist as long as there exists a block containing a type declaration for these objects. For these languages the theory of references is adequate, and the treatment of objects is safe.
In languages of the second group there exist instructions disposing of an object, like kill(x) in LOGLAN. The effect of the kill instruction is to delete the frame associated with an object from the set of occupied frames. Consequently, such a frame can be allocated to another object. This situation is not safe. Let us consider the following example:
block
  unit A: class ...;
  unit B: class ...;
  variable A1, A2: A, B1: B;
begin
  (i1) A1 := new A;
  (i2) A2 := A1;
  (i3) kill(A1);
  (i4) B1 := new B;
end.
Let us try to interpret this piece of program in ATR theory. Execution of instruction (i1) results in: finding a free frame f in memory (newfr), reservation of this frame for the object new A (insert), assigning the frame f to the variable A1. The second instruction (i2) assigns the frame f to the variable A2. The situation might look like Figure 8.1.

Fig. 8.2

The execution of kill(A1) would lead to the situation in Figure 8.2. Observe that frame f is no longer reserved but is still accessible via variable A2. This could be the conscious decision of the designer of our language but it is in contradiction with the assumption that all frames accessible via variables are under the control of the storage management system.
After execution of the subsequent instruction B1 := new B the situation would be as shown in Figure 8.3.
It is now obvious that the proposed solution is not safe. Frame f is accessible via the two different variables A2, B1, and in different meanings. Since objects of types A and B admit different sets of operations, it is disastrous if one object is interpreted at one point as an object of type A, and at another as an object of type B. We shall not develop this argument; the reader will see all the consequences of such a solution. In this way we have touched on the problem of ‘dangling reference’.
Work on LOGLAN has produced another, safe solution for the storage management system, invented by A. Kreczmar and studied and axiomatized by H. Oktaba. We shall outline it below. The system consists of three sorts: Fr (frames), St (states of reservation) and U (univocal references). Variables have references assigned to them.

Fig. 8.4

A reference points to a frame. In every state references split into three subsets: S_1, the set of accessible references; S_2, the set of used references; S_3, the set of fresh references to be used in the future. Let us investigate the four instructions once again.
After the first two instructions the picture is as shown in Figure 8.4. After the kill statement we have the situation in Figure 8.5.
Frame f is not reserved (i.e. it can be used again). The variables A1, A2 both point to none, a specific frame. It is easy to check that none is the value of A2 and to activate a handler of the exceptional situation, or to program an appropriate test. The execution of the instruction B1 := new B would lead to the picture in Figure 8.6.

Fig. 8.6

9. SPECIFICATION OF UNIVOCAL REFERENCES

By a system of univocal references we shall understand a system of the following signature:
⟨UR ∪ H; newu, into, out, emptyH, notused, usable, used, =⟩
where UR is a non-empty set called the set of univocal references, H is a non-empty set of reference accessibility states disjoint with UR:
newu: H → UR; brings a notused reference,
into: UR × H → H; converts the status of a notused reference to a usable one,
out: UR × H → H; converts the status of a usable reference to a used one,
emptyH ∈ H; the distinguished state in which all references are notused,
notused: UR × H → B_0; notused(u, h) iff the reference u is notused in the state h,
usable: UR × H → B_0; tests if the reference u is usable in the state h,
used: UR × H → B_0; tests if the reference u is waste in the state h.
Moreover the system should satisfy the following specific axioms of the theory of univocal references ATUR.
ATUR1. notused(u, h) ∨ usable(u, h) ∨ used(u, h).
ATUR2. notused(newu(h), h).
ATUR3. notused(u, emptyH).
ATUR4. ~((notused(u, h) ∧ usable(u, h)) ∨ (notused(u, h) ∧ used(u, h)) ∨ (usable(u, h) ∧ used(u, h))).

Definition 9.1.
u ≤ u' ≡ (begin h := emptyH; bool := false; rel := false;
  while ~bool do
    u'' := newu(h);
    if u'' = u then rel := bool := true else
      if u'' = u' then bool := true else
        h := into(u'', h)
      fi
    fi
  od
end rel). □

ATUR5. (usable(u, h) ∨ used(u, h)) ≡ (u ≤ newu(h) ∧ u ≠ newu(h)).
ATUR6. notused(u, h) ⇒ (h' := into(u, h))[usable(u, h') ∧ (u' ≠ u ⇒ (notused(u', h) ≡ notused(u', h') ∧ usable(u', h) ≡ usable(u', h') ∧ used(u', h) ≡ used(u', h')))].
ATUR7. usable(u, h) ⇒ (h' := out(u, h))(used(u, h') ∧ (u' ≠ u ⇒ (notused(u', h) ≡ notused(u', h') ∧ usable(u', h) ≡ usable(u', h') ∧ used(u', h) ≡ used(u', h')))).
ATUR8. (begin h' := emptyH; u := newu(h');
  while u ≤ newu(h) do
    if usable(u, h) then h := out(u, h) fi;
    h' := into(u, h'); u := newu(h')
  od
end true).
Theorem 9.1. Every two models of the theory ATUR which are proper for identity are isomorphic. Theory ATUR is consistent. □

A model for ATUR can be found in Oktaba (1981).

10. VIRTUAL MEMORY

A formal specification of a memory management system is presented here as a theory which combines the two latter theories. Access to a memory frame is via a univocal reference. Moreover, references are allocated only once for each u ∈ UR, and in contrast with this, memory frames can be utilized many times over, i.e. one memory frame can be associated with different references. At any moment one reference points to at most one frame.
A virtual memory system has three components: a storage management system, a system of univocal references and a memory system, Mem. The latter has a non-empty universe called the set of states of virtual memory. The operations of the Mem subsystem are as follows:
ref: UR × Mem → Fr (given a univocal reference u ∈ UR and a memory state m ∈ Mem it gives a frame f ∈ Fr),
h: Mem → H (for every memory state it gives the state of accessibility),
s: Mem → St (for every memory state it gives the reservation state),
findu: Mem → UR (in every memory state it gives a notused reference),
reserve: UR × Mem → Mem (for a notused univocal reference u the operation reserve associates with it a free frame f ∈ Fr; the resulting memory state m' = reserve(u, m) satisfies three conditions: u is usable, f is reserved and ref(u, m') = f),
kill: UR × Mem → Mem (the frame f = ref(u, m) is freed, the reference u is used),
freem ∈ Mem (a distinguished memory state in which all references are notused and all frames are free),
inmemory: UR × Mem → B_0 (tests whether the given reference u is usable in a given memory state).
In order to specify the virtual memory system, we shall combine the theories of the storage management system and the univocal reference system together with the specific axioms of virtual memory.
AVM1. inmemory(u, m) ≡ usable(u, h(m)),
AVM2. ((ref(u, m) = ref(u', m) ∧ ref(u, m) ≠ none) ⇒ u = u') (every non-empty frame has exactly one reference),
AVM3. ref(u, m) = none ≡ ~inmemory(u, m),
AVM4. findu(m) = newu(h(m)),
AVM5. undef(u, h(m)) ⇒ (m' := reserve(u, m))[h(m') = into(u, h(m)) ∧ s(m') = insert(newfr(s(m)), s(m)) ∧ ref(u, m') = newfr(s(m)) ∧ (u' ≠ u ⇒ ref(u', m) = ref(u', m'))] (the operation reserve admits only notused references and consists of associating a free frame newfr(s(m)) to a given reference u and making u and the frame usable in a newly created state m'),
AVM6. (m' := kill(u, m))[(~inmemory(u, m) ⇒ m' = m) ∨ (inmemory(u, m) ⇒ (h(m') = out(u, h(m)) ∧ s(m') = delete(ref(u, m), s(m)) ∧ (u' ≠ u ⇒ ref(u', m) = ref(u', m'))))] (operation kill changes nothing if it has a used reference as its argument; if it does not, it frees the frame indicated by the reference and makes the reference a used one),
AVM7. (usable(u, h(m)) ⇒ (∃f)(member(f, s(m)) ∧ ref(u, m) = f)),
AVM8. (member(f, s(m)) ⇒ (∃u)(usable(u, h(m)) ∧ ref(u, m) = f)) (for every memory state the operation ref is onto the set of occupied frames),
AVM9. (h(freem) = emptyH ∧ s(freem) = allfree),
AVM10. (~undef(u, h(m)) ⇒ (reserve(u, m) = while true do od m')) (operation reserve is undefined for usable and/or used references).
The theory of virtual memory is consistent since it has a model. Two of the model’s components are standard models for the ATR theory of storage management systems and the ATUR theory of univocal references. The reader can conceive the axioms AVM1, AVM2, AVM6 as definitions of the operations inmemory, reserve and kill. The system defined in this way will be called a standard model of AVM theory. Using methods illustrated in earlier sections one can prove that any model of AVM theory is isomorphic to a standard one.
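The four instructions of the Section 8 example (A1 := new A; A2 := A1; kill(A1); B1 := new B) run over ATR alone and over the virtual memory of this section, as an added Python example rather than the book's or LOGLAN's code: it assembles a standard model of AVM from the standard ATR and ATUR models and checks AVM2, AVM7 and AVM8 after each step. The class VirtualMemory, its method names and the encoding of references as consecutive natural numbers are assumptions of this example.

```python
# Added example, not the book's or LOGLAN's code: a standard model of the
# virtual memory theory AVM, assembled from the standard ATR model (frames =
# natural numbers, none = 0, a state = finite set of reserved frames, newfr =
# least free frame) and a standard ATUR model (univocal references = natural
# numbers handed out once, in increasing order).  Class and method names are
# this example's own; axiom numbers in comments refer to the text.
NONE = 0                                    # the empty frame

class VirtualMemory:
    def __init__(self):                     # freem (AVM9): all frames free, all references notused
        self.reserved = set()               # s(m): reserved frames
        self.next_ref = 1                   # newu(h(m)): every smaller reference is usable or used
        self.frame_of = {}                  # ref(u, m) for the usable references u

    def newfr(self):                        # min(N - s - {0})
        f = 1
        while f in self.reserved:
            f += 1
        return f

    # ATUR status tests: each reference is in exactly one class (ATUR1, ATUR4)
    def notused(self, u):
        return u >= self.next_ref

    def usable(self, u):
        return u in self.frame_of

    def used(self, u):
        return u < self.next_ref and u not in self.frame_of

    def findu(self):                        # AVM4: the next notused reference
        return self.next_ref

    def inmemory(self, u):                  # AVM1
        return self.usable(u)

    def ref(self, u):                       # AVM3: none for references not in memory
        return self.frame_of.get(u, NONE)

    def reserve(self, u):
        """AVM5: bind the least free frame to the notused reference u."""
        if u != self.next_ref:              # AVM10: undefined for usable/used references
            raise ValueError("reserve is undefined for a usable or used reference")
        f = self.newfr()
        self.reserved.add(f)
        self.frame_of[u] = f
        self.next_ref = u + 1               # into(u, h): u becomes usable
        return f

    def kill(self, u):
        """AVM6: free the frame of u and make u a used reference; no-op otherwise."""
        if self.inmemory(u):
            self.reserved.discard(self.frame_of.pop(u))   # delete(ref(u, m), s(m)); out(u, h(m))

    def invariants(self):
        """AVM2, AVM7, AVM8: ref is a bijection between usable references and
        reserved frames, and every reference has exactly one ATUR status."""
        frames = list(self.frame_of.values())
        return (len(set(frames)) == len(frames) and set(frames) == self.reserved
                and all(self.notused(u) + self.usable(u) + self.used(u) == 1
                        for u in range(1, self.next_ref + 1)))

def frames_only():
    """The four instructions of the Section 8 example over ATR alone, where a
    variable holds a frame: after kill(A1) the reused frame is reachable via
    both A2 and B1 (the dangling reference of Figures 8.1-8.3)."""
    reserved = set()
    newfr = lambda: next(f for f in range(1, len(reserved) + 2) if f not in reserved)
    a1 = newfr()
    reserved.add(a1)                        # (i1) A1 := new A
    a2 = a1                                 # (i2) A2 := A1
    reserved.discard(a1)                    # (i3) kill(A1)
    b1 = newfr()
    reserved.add(b1)                        # (i4) B1 := new B
    return a2, b1                           # (1, 1): A2 and B1 alias one frame

def with_univocal_references():
    """The same four instructions on the virtual memory (Figures 8.4-8.6): A2
    keeps a used reference that ref maps to none and inmemory rejects."""
    vm = VirtualMemory()
    a1 = vm.findu()
    vm.reserve(a1)                          # (i1)
    a2 = a1                                 # (i2)
    vm.kill(a1)                             # (i3)
    b1 = vm.findu()
    vm.reserve(b1)                          # (i4): frame 1 is reused under reference 2
    return {"A2": a2, "B1": b1, "ref(A2)": vm.ref(a2), "ref(B1)": vm.ref(b1),
            "inmemory(A2)": vm.inmemory(a2), "used(A2)": vm.used(a2),
            "invariants": vm.invariants()}
```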

11. CONCATENABLE TYPE DECLARATIONS

The designers of SIMULA-67 have invented prefixing, a new and powerful programming tool which allows one to concatenate type declarations. Concatenation of type declarations plays (or should play) a role similar to that of procedure call, because of its power in defining data structures, program-oriented languages, hierarchies of sets and systems, etc. Prefixing is not widely accepted as a programming tool, because of the lack of knowledge concerning its properties, the difficulties involved in a proper implementation of concatenation of type declarations, and also because of irrational prejudice. No one doubts the importance of the copy rule for computations with procedures. Similarly, the concatenation rule deserves the attention of researchers and users.

Remark. It is rare to see a paper describing SIMULA or prefixing in which the author reports all the important properties of concatenation of type declarations. Most authors limit themselves to remarks on encapsulated data types, which may be the least important of the properties of the concatenation rule. □
This section is intended as an introduction to the concatenation rule. It is informal in character and far from complete.
We should like to call the reader’s attention to the potential applications of prefixing. Here we shall abstract from the dynamics introduced by the storage management system. We shall concentrate on the properties of objects of types which correspond to static semantics, and observe that they are full of dynamics.
The central notion is an object. By an object we shall understand an ordered pair
(valuation of variables, sequence of instructions).
The special object is none = ⟨∅, ∅⟩. Objects may be values of variables. (The careful reader will notice in the light of the preceding sections that an object is allocated to a frame and the value of a variable is a univocal reference to the frame, but we shall abstract from these details.) A restriction is posed on valuations, since every variable is declared together with a type name (called its qualification) and since the value of the variable has to be an object of the appropriate type. There is one object none which may be the value of any variable.
The definition of a type has the following structure:
unit T: class (m_1 a_1: T_1, ..., m_n a_n: T_n);
  at_1, ..., at_k;
begin
  I_1 ⟨prologue instructions⟩ return;
  I_2 ⟨instructions 1⟩;
  inner;
  I_3 ⟨instructions 2⟩
end T,
where a_1, ..., a_n are names of formal parameters, T_1, ..., T_n are names of types, m_i is information about the mode of transmission of parameters (i = 1, ..., n), at_1, ..., at_k are declared local attributes and inner and return are special instructions.
Declaration of type T introduces a data structure, or more exactly it extends the existing data structure by a new sort |T| of objects of type T and corresponding operations. The operations are those inherited from the virtual memory system
(new T, kill(x), x is T, x in T),
and the operations declared in the declaration of type T. We associate two operations, read y and update y, with every variable y in the list at_1, ..., at_k. Let o be an object of type T. The phrases o.y and o.y := r are then expressions denoting the operations mentioned above. In a similar way, simple formal parameters can also be conceived of as pairs of operations. Other formal parameters and local attributes also determine operations. This is easy to see if they are functions, but in other cases also (like declarations of types) we can conceive of them as operations.
The operation new T creates an object o in the following way:
1° Variables x1, ..., xn of the object o are formal parameters a1, ..., an (we simplify considerations by assuming that all formal parameters are variables).
2° Variables xn+1, ..., xt are local attributes at1, ..., atk of T.
3° The object o arises from the initial proto-object o′, where the values of variables x1, ..., xt are initialized in accordance with the corresponding mode of transmission as values of actual parameters and values of local attributes are initialized in accordance with the general scheme of initialization. The initial values of types are Boolean: false, integer, real: zero, character: space, all other types: none.
Once we have created a proto-object o′ it becomes a subject, i.e. the prologue instructions are executed until the return instruction is met. In this way the attributes of an object can be initialized in a more specific way.
Objects created by the new T operation satisfy the relation is between objects and the name of type T, i.e. the relation
new T(act1, ..., actn) is T
holds.
Another type declaration may be written with T as a prefix
unit T′ : T class (mn+1 an+1 : Tn+1, ..., mr ar : Tr);
  atk+1, ..., ats;
begin
  J1; return;
  J2; inner;
  J3
end T′.
This definition should be viewed as an abbreviation of the full concatenated declaration:
unit T′ : class (m1 a1 : T1, ..., mn an : Tn, mn+1 an+1 : Tn+1, ..., mr ar : Tr);
  at1, ..., ats;
begin
  I1;
  J1; return;
  I2;
  J2; inner;
  J3;
  I3
end T′.

12. AN IMPLEMENTATION OF RATIONAL NUMBERS

In this section we shall present an example showing that algebraic operations on structures like product, factorization, etc. have counterparts in programming, and that they can be imitated by means of prefixing.

Product

unit pair: class (L, M: integer) begin end pair.

This declaration introduces the structure
⟨|pair|, newpair, .L, .M, .L :=, .M :=⟩,
where |pair| denotes the set of objects of the type pair:
newpair: |integer| × |integer| → |pair|,
.L : |pair| → |integer|,
.M : |pair| → |integer|,
.L := : |pair| × |integer| → |pair|,
.M := : |pair| × |integer| → |pair|.
The properties of the structure of pairs are as follows:
.L(newpair(a, b)) = a,
.M(newpair(a, b)) = b,
.L :=(newpair(a, b), c) = newpair(c, b),
.M :=(newpair(a, b), c) = newpair(a, c).

Subset
The next step in the construction is to define a subset of proper pairs
unit properpair : pair class
begin if M = 0 then ERROR fi
end properpair.
The set |properpair| is a subset of the set |pair|. ERROR denotes a never-terminating program, e.g. while true do od.

Quotient structure
unit rational: properpair class
variable gcd, aux1, aux2 : integer;
begin aux1 := abs(L); aux2 := abs(M);
while aux1 ≠ aux2 do
if aux1 > aux2 then aux1 := aux1 − aux2
else aux2 := aux2 − aux1 fi
od;
gcd := aux1;
L := L/gcd; M := M/gcd;
end rational.
The set |rational| corresponds to irreducible fractions.

Extension
unit RATIONALS : class
unit rational: properpair class ... end rational;
unit add: function (x, y : rational): rational;
begin result := new rational (x.L * y.M + y.L * x.M, x.M * y.M)
end add;
unit multiply: function (x, y: rational): rational;
begin result := new rational (x.L * y.L, x.M * y.M)
end multiply;
begin
end RATIONALS.
In this way we have defined an algebra
⟨|rational|, add, multiply, ...⟩
which does not satisfy the axioms of the field of rational numbers since the operation .L := can destroy them.
It is not difficult to forget about the operations .L, .M, .L :=, .M :=
unit RATIONALS : class
hidden rational;
unit fraction: rational class hidden .M; end fraction;
unit rational: ...
unit add: ...
unit multiply: ...
begin
end RATIONALS.
The effect of the line hidden rational; is that the type rational is invisible outside the unit RATIONALS, hence the operations .L, .M, .L :=, .M := are forbidden. One can create objects of type fraction by object expressions like, e.g., new fraction (7, 19); the attributes of type fraction are inaccessible to a user. The structure
⟨fraction, add, multiply, new fraction⟩
corresponds to the field of rationals and the axioms of the field are valid.
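The four steps above (product, subset, quotient, extension with hiding), imitated with Python inheritance in place of LOGLAN prefixing. This is an added example, not code from the book; the class names pair, properpair, rational and fraction follow the text, while same, distributive, still_irreducible_after_update, update_allowed, is_proper_pair and the sealing trick in fraction.__setattr__ are this example's own assumptions. It uses Euclid's algorithm instead of the book's subtraction loop, which would not terminate for L = 0, and it moves the sign of a fraction into L so that object equality is attribute equality.

```python
"""Added example (not code from the book): the product, subset,
quotient and extension steps of the text, imitated with Python
inheritance in place of LOGLAN prefixing."""
from math import gcd


class pair:
    """Product |integer| x |integer|.  Attributes L and M carry the
    read (o.L) and update (o.L := ...) operations of the text."""
    def __init__(self, L: int, M: int):
        self.L = L
        self.M = M


class properpair(pair):
    """Subset of pairs with M != 0.  The book's ERROR is a
    never-terminating program; an exception plays that role here."""
    def __init__(self, L: int, M: int):
        super().__init__(L, M)
        if self.M == 0:
            raise ValueError("ERROR: M = 0 is not a proper pair")


def is_proper_pair(L: int, M: int) -> bool:
    """Membership in |properpair|: construction succeeds iff M != 0."""
    try:
        properpair(L, M)
        return True
    except ValueError:
        return False


class rational(properpair):
    """Quotient structure: the prologue reduces every new object to the
    irreducible fraction of its class.  math.gcd replaces the book's
    subtraction loop (which loops forever for L = 0); moving the sign
    into L is a further normalisation assumed by this example."""
    def __init__(self, L: int, M: int):
        super().__init__(L, M)
        g = gcd(abs(self.L), abs(self.M))   # g > 0 since M != 0
        self.L, self.M = self.L // g, self.M // g
        if self.M < 0:
            self.L, self.M = -self.L, -self.M


def add(x, y):
    """RATIONALS.add: result := new rational(x.L*y.M + y.L*x.M, x.M*y.M).
    type(x) keeps the result in the caller's type (rational or fraction)."""
    return type(x)(x.L * y.M + y.L * x.M, x.M * y.M)


def multiply(x, y):
    """RATIONALS.multiply: result := new rational(x.L*y.L, x.M*y.M)."""
    return type(x)(x.L * y.L, x.M * y.M)


def same(x, y) -> bool:
    """Irreducible representatives are equal exactly when their attributes are."""
    return (x.L, x.M) == (y.L, y.M)


def distributive(a, b, c) -> bool:
    """One field axiom: a*(b+c) = a*b + a*c."""
    return same(multiply(a, add(b, c)), add(multiply(a, b), multiply(a, c)))


def still_irreducible_after_update(x) -> bool:
    """The defect the text points out: with .L := visible, a client can
    turn a value of type rational into a reducible one (L := L*M turns
    1/3 into 3/3), destroying the invariant behind the field axioms."""
    x.L = x.L * x.M
    return gcd(abs(x.L), abs(x.M)) == 1


class fraction(rational):
    """Extension with hiding: after the prologue the attributes are
    read-only to a user, imitating 'hidden' in the text.  Python has no
    hiding, so updates are refused by __setattr__ (an assumption)."""
    def __init__(self, L: int, M: int):
        super().__init__(L, M)
        object.__setattr__(self, "_sealed", True)

    def __setattr__(self, name, value):
        if getattr(self, "_sealed", False):
            raise AttributeError(f"attribute {name} of fraction is hidden")
        object.__setattr__(self, name, value)


def update_allowed(x) -> bool:
    """True when o.L := ... is accepted, False when it is forbidden."""
    try:
        x.L = x.L
        return True
    except AttributeError:
        return False


if __name__ == "__main__":
    seven_19 = fraction(7, 19)
    print(same(add(seven_19, fraction(1, 2)), fraction(33, 38)))   # True
    print(update_allowed(rational(1, 2)), update_allowed(seven_19))  # True False
```

With rational, a client can still write x.L := ... and leave the set of irreducible fractions; with fraction only new fraction, add and multiply remain usable, which is exactly the hiding the text relies on for the field axioms.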

BIBLIOGRAPHIC REMARKS

The MAX model of concurrent computations was introduced in Salwicki and Müldner (1981b). Axiomatization of the notion of reference was given by Oktaba (1981). Certain results in the semantics of prefixing can be found in Bartol et al. (1983) and in Bartol (1981).
The results presented in this chapter form a part of a bigger project aimed toward a formal specification of the LOGLAN programming language, cf. Bartol et al. (1983b). The present authors believe that the goal will be reached by the creation of a family of algorithmic theories. Each theory is to describe an aspect of the language's semantics. Moreover, it is expected that they complement one another and together bring complete information about the behaviour of LOGLAN programs. In our opinion, especially the operation of concatenation of program modules (prefixing) deserves more attention. Certain new results in this field are due to Langmaack, cf. Krause et al. (1984).
APPENDIX A

BOOLEAN ALGEBRAS

1. A Boolean algebra is an algebra ⟨A, ∪, ∩, −⟩ which satisfies the identities:
(l1) a∪b = b∪a, a∩b = b∩a,
(l2) a∪(b∪c) = (a∪b)∪c, a∩(b∩c) = (a∩b)∩c,
(l3) (a∩b)∪b = b, a∩(a∪b) = a,
(l4) a∩(b∪c) = (a∩b)∪(a∩c), a∪(b∩c) = (a∪b)∩(a∪c),
(l5) (a∩−a)∪b = b, (a∪−a)∩b = b,
for every a, b, c ∈ A.

EXAMPLES.
A. The two-element Boolean algebra B0 = ⟨{0, 1}, ∪, ∩, −⟩.
B. The field of subsets of a set X: P(X) = ⟨2^X, ∪, ∩, −⟩.
C. The Lindenbaum algebra of a theory T (cf. Chapter III, § 1). □

2. Define the relation a ≤ b putting for every a, b ∈ A
a ≤ b iff a∪b = b.
Define:
0 =df a∩−a,
1 =df a∪−a,
a ⇒ b =df −a∪b.
3. The relation ≤ is an ordering in A, i.e. for arbitrary a, b, c ∈ A
a ≤ a,
if a ≤ b and b ≤ c, then a ≤ c,
if a ≤ b and b ≤ a, then a = b.
4. a∪b is the least upper bound of the set {a, b}. In fact
a ≤ a∪b and b ≤ a∪b by (l3).
If a ≤ c and b ≤ c then by definition a∪c = c and b∪c = c. Making use of (l1) and (l2) we have (a∪b)∪c = (a∪b)∪(c∪c) = (a∪c)∪(b∪c) = c∪c = c, hence a∪b ≤ c.
Similarly, a∩b is the greatest lower bound of the set {a, b}.
5. A nonempty set ∇ of elements of a Boolean algebra A is said to be a filter in A provided that for every elements a, b ∈ A the following two conditions are satisfied:
If a, b ∈ ∇, then a∩b ∈ ∇.
If a ∈ ∇ and a ≤ b, then b ∈ ∇.
6. Let A0 be a non-empty subset of A. The set of all elements a ∈ A such that a ≥ a1∩...∩an for some elements a1, ..., an ∈ A0 is a filter. Moreover, this set is the least filter containing A0.
7. A filter is said to be proper if it is a proper subset of the Boolean algebra A. It is easy to observe that a filter is proper if and only if it does not contain the zero element 0.
8. A subset A0 of A is said to have the finite intersection property if for every elements a1, ..., an ∈ A0
a1∩...∩an ≠ 0.
9. Every subset A0 which possesses the finite intersection property is contained in a proper filter.
10. A filter ∇ is said to be prime provided it is a proper filter and the condition a∪b ∈ ∇ implies that either a ∈ ∇ or b ∈ ∇.
11. A prime filter is maximal, i.e. it is not a proper subset of any proper filter.
12. By a chain of filters we mean a non-empty family of filters linearly ordered by the relation of inclusion.
13. The union of any chain of proper filters is a proper filter.
14. Every proper filter can be extended to a prime filter. Consider the family of all proper filters. By 13 every chain of filters has an upper bound. By the Kuratowski–Zorn Lemma (cf. Rasiowa and Sikorski, 1968) there exists a maximal element in the family which is a prime filter.
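Items 5 to 14 checked in the finite Boolean algebra P(X) of example B, with X = {0, ..., n−1} and each element an n-bit mask (∪, ∩, − are |, & and ~). This is an added example, not from the book; the function names are this example's own, and extend_to_prime makes item 14 constructive for the finite case instead of invoking the Kuratowski–Zorn Lemma.

```python
"""Added example (not from the book): items 5-14 of Appendix A in the
finite Boolean algebra P(X), X = {0, ..., n-1}, elements as n-bit masks."""
from itertools import combinations
from functools import reduce


def universe(n):
    return range(1 << n)


def meet(elems, n):
    """a1 ∩ ... ∩ ak; the empty intersection is the unit (1 << n) - 1."""
    return reduce(lambda x, y: x & y, elems, (1 << n) - 1)


def is_filter(F, n):
    """Item 5: closed under ∩ and upward closed under ≤ (a ≤ b iff a|b == b)."""
    F = set(F)
    if not F:
        return False
    closed_meet = all((a & b) in F for a in F for b in F)
    upward = all(b in F for a in F for b in universe(n) if a | b == b)
    return closed_meet and upward


def least_filter(A0, n):
    """Item 6: {a : a ≥ a1 ∩ ... ∩ ak for some a1..ak in A0}.  In a finite
    algebra the intersection of the whole of A0 is itself one such finite
    intersection and lies below all the others, so the filter is the set
    of elements above it."""
    m = meet(A0, n)
    return frozenset(a for a in universe(n) if a & m == m)


def is_proper(F):
    """Item 7: proper iff 0 is not a member."""
    return 0 not in F


def has_fip(A0, n):
    """Item 8, checked literally on every non-empty sub-family of A0."""
    A0 = list(A0)
    return all(meet(sub, n) != 0
               for k in range(1, len(A0) + 1)
               for sub in combinations(A0, k))


def is_prime(F, n):
    """Item 10: proper, and a ∪ b ∈ F forces a ∈ F or b ∈ F."""
    return is_proper(F) and all(a in F or b in F
                                for a in universe(n) for b in universe(n)
                                if (a | b) in F)


def is_maximal(F, n):
    """Item 11: no proper filter strictly contains F."""
    return is_proper(F) and all(not is_proper(least_filter(F | {x}, n))
                                for x in universe(n) if x not in F)


def extend_to_prime(F, n):
    """Item 14, constructive in the finite case: while some a ∪ b lies in
    F with neither a nor b in it, adjoin one of them.  One of F ∪ {a},
    F ∪ {b} keeps the finite intersection property: m = meet(F) is in F
    and m ≤ a ∪ b, so m ∩ a = 0 and m ∩ b = 0 would give
    m = m ∩ (a ∪ b) = 0, contradicting properness.  Each step strictly
    enlarges F, so the loop ends in a prime filter."""
    F = least_filter(F, n)
    assert is_proper(F), "only a proper filter can be extended"
    while True:
        witness = next(((a, b) for a in universe(n) for b in universe(n)
                        if (a | b) in F and a not in F and b not in F), None)
        if witness is None:
            return F
        a, b = witness
        m = meet(F, n)
        F = least_filter(F | {a if m & a else b}, n)


if __name__ == "__main__":
    n = 3
    A0 = {0b110, 0b111}                 # constructed sample: {1,2}, {0,1,2}
    F = least_filter(A0, n)
    print(sorted(F), is_prime(F, n))    # [6, 7] False
    P = extend_to_prime(F, n)
    print(sorted(P), is_prime(P, n), is_maximal(P, n))   # [2, 3, 6, 7] True True
```

In the finite case every prime filter found this way is the set of elements above a single atom, which is the finite shadow of the representation theorem (item 19).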
15. Let A_t be an infinite subset of A:
A_t = {a_{t,s}}_{s∈S}.
If the least upper bound of the set A_t exists then we shall denote it by
l.u.b._{s∈S} (a_{t,s}).
Similarly, we shall use the notation
g.l.b._{s∈S} (a_{t,s})
for the greatest lower bound if it exists.
16. Let T, U be sets of indices. By Q we shall denote the set of infinite operations described below:
(Q) a_t = l.u.b._{s∈S} (a_{t,s}), t ∈ T,
    b_u = g.l.b._{r∈R} (b_{u,r}), u ∈ U.
17. A filter ∇ is said to be a Q-filter provided it is a prime filter such that for every t ∈ T, u ∈ U:
If a_t ∈ ∇, then there exists s0 ∈ S such that a_{t,s0} ∈ ∇.
If b_u ∉ ∇, then there exists r0 ∈ R such that b_{u,r0} ∉ ∇.
18. THE RASIOWA–SIKORSKI LEMMA (Rasiowa and Sikorski, 1968). If the set Q is denumerable then every non-zero element a0 ∈ A is contained in a Q-filter.
PROOF. We shall construct a subset C of the Boolean algebra such that it possesses the finite intersection property and contains a0. By 9 and 14 the set C will be contained in a Q-filter.
The construction of C will assure us that for every t ∈ T if a_t ∈ ∇, then there exists s0 ∈ S such that a_{t,s0} ∈ ∇. Without loss of generality we can assume the set U is empty. The set T is denumerable so without loss of generality we can assume T = {1, 2, ...}. Consider the sequence
a0, a1, a2, ...
The set C is defined by induction on t ∈ {0}∪T.
a0 ∈ C. (We recall that a0 ≠ 0.)
Let c be the g.l.b. of all elements already included in C, c ≠ 0. Consider a_t = l.u.b._{s∈S} (a_{t,s}), t ∈ T. We shall prove that there exists s0 ∈ S such that
c∩(a_t ⇒ a_{t,s0}) ≠ 0.
Suppose, on the contrary, c∩(−a_t ∪ a_{t,s}) = 0 for all s ∈ S; then c∩−a_t = 0 and c∩a_{t,s} = 0 for all s ∈ S, i.e. c ≤ a_t and l.u.b._{s∈S} (c∩a_{t,s}) = 0, and consequently c∩a_t = 0, c ≤ −a_t. Hence
c ≤ a_t∩−a_t,
i.e. c = 0, which contradicts our assumption. In this way we have proved that for every t ∈ T there exists s_t ∈ S such that
a0∩(a1 ⇒ a_{1,s1})∩...∩(a_t ⇒ a_{t,st}) ≠ 0.
Hence the set C = {a0, (a1 ⇒ a_{1,s1}), (a2 ⇒ a_{2,s2}), ...} has the finite intersection property. By 9 and 14 it can be extended to a prime filter ∇. By the definition of C, ∇ is a Q-filter.
19. THE REPRESENTATION THEOREM. Every Boolean algebra is isomorphic to a field of subsets of a set.
APPENDIX B

THE PROOF OF LEMMA 2.2 FROM CHAPTER III

Let f be a function which to every formula and every program of an algorithmic language L assigns an ordinal number in the following way:
f(α) = 1 for every propositional variable or elementary formula α,
f(s) = 1 for every assignment instruction s.
If α, β are arbitrary formulas and K, M arbitrary programs, then
f(¬α) = f(α)+1,
f(α∨β) = f(α∧β) = f(α⇒β) = max(f(α), f(β))+1,
f(Kα) = f(α)+f(K),
f(if γ then K else M fi) = max(f(γ), f(K), f(M))·3+1,
f(begin K; M end) = max(f(M), f(K))·2+1,
f(while γ do K od) = ω·max(f(γ), f(K))+1,
f(⋃Kα) = f(⋂Kα) = max(f(α), f(K))+1,
f((∀x)α(x)) = f((∃x)α(x)) = f(α)+2.
Observe that for every classical formula α of the language L, f(α) < ω.
Let us put f̄(α) = f(α) for every classical formula of the language L (i.e., for every formula in which programs do not appear) and f̄(α) = ω+f(α) for any other formula.

LEMMA. For every algorithmic formula α, β
(*) if α ≺ β then f̄(α) < f̄(β).
PROOF. We shall prove that property (*) holds for any pair of formulas from the set Z defined in Chapter III, § 2.
1. Consider a simple formula of the form sρ(τ1, ..., τn), where ρ is an n-argument predicate, τ1, ..., τn are terms and s is an assignment instruction:
f̄(sρ(τ1, ..., τn)) = ω+f(ρ(τ1, ..., τn))+f(s) = ω+2.
But f̄(ρ(τ′1, ..., τ′n)) = 1 for arbitrary terms τ′1, ..., τ′n and therefore
f̄(ρ(τ′1, ..., τ′n)) < f̄(sρ(τ1, ..., τn)).
Let α, β, γ denote algorithmic formulas and s, K, M denote programs.
2. By the definition of the function f̄ we have
f̄(s(α∨β)) = ω+f(α∨β)+f(s) = ω+max(f(α), f(β))+2
and
f̄(sα) = ω+f(α)+1, f̄(sβ) = ω+f(β)+1.
By the properties of the ordering relation ≤ in the set of ordinal numbers f̄(F) we have
f̄(sα) < f̄(s(α∨β)), f̄(sβ) < f̄(s(α∨β)).
3. Consider the pair (sα, s¬α). It is obvious that (*) holds, since
f̄(s¬α) = ω+f(¬α)+f(s) = ω+f(α)+2 > ω+f(α)+1 = f̄(sα).
4. Let us denote max(f(K), f(M)) by a. By the definition of the function f we have
f(s begin K; M end α) = f(α)+f(begin K; M end)+1 = f(α)+a·2+2,
f(s(K(Mα))) = f(K(Mα))+1 = f(Mα)+f(K)+1 = f(α)+f(M)+f(K)+1.
As a consequence of f(M)+f(K)+1 < a·2+2 we have
f̄(s(K(Mα))) < f̄(s(begin K; M end α)).
5. By definition
f(s if γ then K else M fi β) = f(β)+max(f(γ), f(K), f(M))·3+2,
f(s(γ∧Kβ)) = max(f(γ), f(β)+f(K))+2,
f(s(¬γ∧Mβ)) = max(f(γ)+1, f(β)+f(M))+2.
If at least one of the maxima that appear above is equal to its first argument, then f(γ), f(K), f(M) are finite and obviously (*) holds. If
max(f(γ), f(K), f(M)) = f(M),
max(f(γ)+1, f(β)+f(M)) = f(β)+f(M),
max(f(γ), f(β)+f(K)) = f(β)+f(K),
then
f(M)·3+2 > f(M)+2 and f(K)+2 < f(K)·3+2.
It follows that
f̄(s(γ∧Kβ)) < f̄(s(if γ then K else M fi β))
and
f̄(s(¬γ∧Mβ)) < f̄(s(if γ then K else M fi β)).
An analogous proof of the remaining cases is omitted.
6. Let us denote max(f(γ), f(K)) by a. By the definition of the function f we have:
f(s(while γ do K od β)) = f(β)+ω·a+2
and, for every natural number i,
f(s(if γ then K fi)^i(β∧¬γ)) = (a·3+1)·i+1 < ω·a+2.
Consider two cases:
(a) a < ω. In this case it is obvious that (a·3+1)·i+1 < ω·a+2.
(b) a ≥ ω. By the definition of the function f, a is less than ω^ω. So there exist n < ω and b_j < ω for j = 0, 1, ..., n such that
a = ω^n·b_n + ω^(n−1)·b_(n−1) + ... + b_0.
Since i is a finite ordinal number, we have
(a·3+1)·i+1 = ω^n·(b_n·3·i) + ω^(n−1)·b_(n−1) + ... + ω·b_1 + (b_0+2).
As a consequence
(a·3+1)·i+1 ≤ ω^(n+1)+1 = ω·ω^n+1.
However, ω^n ≤ a and thus ω·ω^n+1 ≤ ω·a+1 and finally
(a·3+1)·i+1 < ω·a+2.
It follows from (a) and (b) that for every natural number i,
f̄(s(if γ then K fi)^i(¬γ∧β)) < f̄(s(while γ do K od β)).
7. Consider the pair (s¬α(τ), s(∃x)α(x)):
f(s((∃x)α(x))) = f(sα)+2 = f(α)+3,
f(s¬α(τ)) = f(¬α(τ))+1 = f(α)+2.
Thus f(α)+2 < f(α)+3. □
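The function f and the checks of cases 4 and 6 carried out in code, on ordinals below ω^ω in Cantor normal form. This is an added example, not from the book; it follows the definition of f as reconstructed on this page, the tagged-tuple syntax for formulas and programs and all function names are this example's own, and the one-branch conditional "if γ then K fi" is encoded as a conditional whose else branch is an assignment of weight 1 (an assumption; the page leaves that branch implicit, and its weight never exceeds a = max(f(γ), f(K))).

```python
"""Added example (not from the book): the ordinal-valued function f of
Appendix B on ordinals below ω^ω.  The ordinal ω^k·c_k + ... + ω·c_1 + c_0
is the tuple (c_0, c_1, ..., c_k) with c_k > 0; () is 0."""

ZERO, ONE, TWO, OMEGA = (), (1,), (2,), (0, 1)
ASSIGN = ('assign',)   # an assignment instruction s, f(s) = 1
SKIP = ASSIGN          # stands in for the absent else branch of 'if γ then K fi'
                       # (assumption: weight 1, never above max(f(γ), f(K)))


def o_less(a, b):
    """Cantor normal form comparison: highest exponent first."""
    k = max(len(a), len(b))
    return (a + (0,) * (k - len(a)))[::-1] < (b + (0,) * (k - len(b)))[::-1]


def o_max(a, b):
    return b if o_less(a, b) else a


def o_add(a, b):
    """a + b: terms of a below the leading exponent of b are absorbed."""
    if not b:
        return a
    k = len(b) - 1
    res = list(b)
    if len(a) > k:
        res[k] += a[k]
        res.extend(a[k + 1:])
    return tuple(res)


def o_mul_nat(a, n):
    """a·n for finite n: only the leading coefficient is multiplied."""
    if n == 0 or not a:
        return ZERO
    res = list(a)
    res[-1] *= n
    return tuple(res)


def o_omega_times(a):
    """ω·a: every exponent rises by one (ω distributes from the left)."""
    return (0,) + a if a else ZERO


def f(node):
    """The function f of Appendix B on the tagged-tuple syntax."""
    tag = node[0]
    if tag in ('var', 'assign'):
        return ONE
    if tag == 'not':
        return o_add(f(node[1]), ONE)
    if tag in ('or', 'and', 'imp'):
        return o_add(o_max(f(node[1]), f(node[2])), ONE)
    if tag == 'prog':                          # ('prog', K, α) is Kα
        return o_add(f(node[2]), f(node[1]))   # f(Kα) = f(α) + f(K)
    if tag == 'if':                            # ('if', γ, K, M)
        m = o_max(o_max(f(node[1]), f(node[2])), f(node[3]))
        return o_add(o_mul_nat(m, 3), ONE)
    if tag == 'seq':                           # ('seq', K, M) is begin K; M end
        return o_add(o_mul_nat(o_max(f(node[2]), f(node[1])), 2), ONE)
    if tag == 'while':                         # ('while', γ, K)
        return o_add(o_omega_times(o_max(f(node[1]), f(node[2]))), ONE)
    if tag in ('cup', 'cap'):                  # ('cup', K, α) is ⋃Kα
        return o_add(o_max(f(node[2]), f(node[1])), ONE)
    if tag in ('forall', 'exists'):
        return o_add(f(node[1]), TWO)
    raise ValueError(tag)


def is_classical(node):
    """True when no program occurs in the formula."""
    if node[0] in ('prog', 'cup', 'cap'):
        return False
    return all(is_classical(c) for c in node[1:] if isinstance(c, tuple))


def f_bar(node):
    return f(node) if is_classical(node) else o_add(OMEGA, f(node))


def sequence_case(K, M, alpha):
    """Case 4: f̄(s(K(Mα))) < f̄(s(begin K; M end α))."""
    before = ('prog', ASSIGN, ('prog', ('seq', K, M), alpha))
    after = ('prog', ASSIGN, ('prog', K, ('prog', M, alpha)))
    return o_less(f_bar(after), f_bar(before))


def while_case(gamma, K, beta, i):
    """Case 6: f̄(s(if γ then K fi)^i(β ∧ ¬γ)) < f̄(s(while γ do K od β))."""
    whole = ('prog', ASSIGN, ('prog', ('while', gamma, K), beta))
    unrolled = ('and', beta, ('not', gamma))
    for _ in range(i):
        unrolled = ('prog', ('if', gamma, K, SKIP), unrolled)
    return o_less(f_bar(('prog', ASSIGN, unrolled)), f_bar(whole))


if __name__ == "__main__":
    P, Q, B = ('var', 'p'), ('var', 'q'), ('var', 'b')
    inner = ('while', Q, ASSIGN)                 # f = ω + 1
    print(f(('while', P, inner)))                # (1, 1, 1), i.e. ω² + ω + 1
    print(all(while_case(P, inner, B, i) for i in range(6)))   # True
```

The nested while in the usage lines exercises case (b) of the proof, where a = ω+1 ≥ ω: the unrolled formulas have values ω·3i+3, all below ω² + ω + 2, as the lemma requires.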

LEMMA. For every set of formulas Z there exists a formula which is a minimal element of that set with respect to the relation ≺.
PROOF. Let us consider the set of ordinal numbers f̄(Z) = {f̄(α) : α ∈ Z}, and let a0 be the first element of f̄(Z).
Every formula α ∈ Z such that f̄(α) = a0 is a minimal element of Z. In fact, if f̄(α) = a0 and for some β ∈ Z, β ≺ α, then by the property (*)
f̄(β) < f̄(α).
Hence f̄(β) < a0 and therefore a0 is not the first element of f̄(Z), contrary to the assumption. □

An analogous reasoning can be repeated for algorithmic formulas with non-deterministic programs (cf. Chapter VI).
Let us extend the relation ≺ as follows:
◇Kβ ≺ ◇ either K or M ro β, □Kβ ≺ □ either K or M ro β,
◇Mβ ≺ ◇ either K or M ro β, □Mβ ≺ □ either K or M ro β,
(γ ∧ ◇Kα) ≺ ◇ if γ then K else M fi α,
(¬γ ∧ ◇Mα) ≺ ◇ if γ then K else M fi α,
(γ ∧ □Kα) ≺ □ if γ then K else M fi α,
(¬γ ∧ □Mα) ≺ □ if γ then K else M fi α,
◇(if γ then M fi)^i(α ∧ ¬γ) ≺ ◇ while γ do M od α, for all i ∈ N,
□(if γ then M fi)^i(α ∧ ¬γ) ≺ □ while γ do M od α, for all i ∈ N,
◇ begin K; M end α ≺ ◇K(◇Mα),
□ begin K; M end α ≺ □K(□Mα),
◇K^iα ≺ ⋁Kα, □K^iα ≺ ⋃Kα,
◇K^iα ≺ ⋀Kα, □K^iα ≺ ⋂Kα
for an arbitrary natural number i.
Let us put
f(either K or M ro) = max(f(K), f(M))·2+1,
f(◇Kα) = f(□Kα) = f(α)+f(K).
It can be proved now that, for arbitrary formulas α, β of the non-deterministic algorithmic language,
(**) if α ≺ β then f̄(α) < f̄(β).
As a consequence of this fact we have the following result.

LEMMA. For every set Z of non-deterministic algorithmic formulas there exists an element α such that for every β ∈ Z, β ⊀ α, i.e. α is a minimal element of Z. □
BIBLIOGRAPHY

ABBREVIATIONS

ACM Association for Computing Machinery


Bull PAS Bulletin de l'Académie Polonaise des Sciences
CACM Communications of ACM
FOCS IEEE Symp. on Foundations of Computer Science
IPL Information Processing Letters
JACM Journal of ACM
JCSS Journal of Computer and System Science
LNCS Lecture Notes in Computer Science
POPL Symp. on Principles of Programming Languages
STOC Symp. on Theory of Computing
TCS Theoretical Computer Science
TOPLAS ACM Transactions on Programming Languages and Systems

Aho A., Hopcroft J., Ullman J. (1974), The Design and Analysis of Computer Algorithms, Addison-Wesley, Reading, Massachusetts.
Andreka H., Nemeti I. (1981), A Characterization of Floyd Provable Programs, Proc. Mathematical Logic in Computer Science, Salgotarjan 1978, in: Colloquia Mathematica Societatis Janos Bolyai 26, North-Holland.
Andreka H., Nemeti I., Sain I. (1979), Completeness Problem in Verification of Programs and Program Schemes, in: Proc. MFCS'79 (J. Becvar ed.), LNCS 74, Springer Verlag, Berlin, 208-218.
Andreka H., Nemeti I., Sain I. (1979b), Henkin-Type Semantics for Program Schemes to Turn Negative Results to Positive, in: Proc. FCT'79 (L. Budach ed.), Akademie Verlag, Berlin, Band 2, 18-24.
Andreka H. (1983), Sharpening the Characterization of the Power of Floyd Method, in: Proc. Logics of Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, Berlin, 1-26.
Apt K. R. (1979), Ten Years of Hoare's Logic: A Survey, Part 1, TOPLAS 3, 431-483.
Apt K. R., Olderog E.-R. (1982), Proof Rules Dealing with Fairness, in: Logics of Programs (D. Kozen ed.), LNCS 131, Springer Verlag, Berlin, 1-8.
de Bakker J. W. (1976), Semantics and Termination of Non-deterministic Recursive Programs, in: Automata, Languages and Programming, Edinburgh, 435-477.
de Bakker J. W. (1977), A Sound and Complete Proof System for Partial Program Correctness, in: Proc. MFCS'79, Olomouc (J. Becvar ed.), LNCS 74, 1-12.
de Bakker J. W. (1979), A Sound and Complete Proof System for Partial Program Correctness, in: Proc. MFCS'79 (J. Becvar ed.), LNCS 74, Springer Verlag, Berlin, 1-12.
de Bakker J. W. (1980), Mathematical Theory of Program Correctness, Prentice Hall, Englewood Cliffs.
Banachowski L. (1975), Modular Approach to the Logical Theory of Programs, in: Proc. MFCS'74, LNCS 28, Springer Verlag, Berlin.
Banachowski L. (1975b), An Axiomatic Approach to the Theory of Data Structures, Bull. PAS 23, 315-323.
Banachowski L. (1977), Investigations of Properties of Programs by Means of the Extended Algorithmic Logic, Fundamenta Informaticae 1, 93-119, 167-193.
Banachowski L. (1983), On Proving Program Correctness by Means of Stepwise Refinement Method, in: Proc. Logics of Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, Berlin, 27-45.
Banachowski L., Kreczmar A., Mirkowska G., Rasiowa H., Salwicki A. (1977), An Introduction to Algorithmic Logic, Mathematical Investigations in the Theory of Programs, in: Math. Foundations of Computer Science (A. Mazurkiewicz and Z. Pawlak eds.), Banach Center Publications, PWN, Warsaw, 7-99.
Bartol W. M. (1981), Application of Static Structure of Type Declarations and the System of Dynamic Configurations in a Definition of Semantics of a Universal Programming Language (in Polish), Doct. Diss., Dept. Math. Inform., University of Warsaw.
Bartol W. M., Kreczmar A., Litwiniuk A. I., Oktaba H. (1983), Semantics and Implementation of Prefixing at Many Levels, in: Proc. Logics of Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, Berlin, 45-80.
Bartol W. M. et al. (1983b), Report on LOGLAN Programming Language, PWN, Warsaw.
Barzdin J. M. (1979), The Problem of Reachability and Verification of Programs, in: Proc. MFCS'79 (J. Becvar ed.), LNCS 74, Springer Verlag, Berlin, 13-26.
Bergstra J., Tiuryn J., Tucker J. (1982), Floyd's Principle, Correctness Theories and Program Equivalence, TCS 17, 113-149.
Bergstra J., Tiuryn J. (1981), Implicit Definability of Algebraic Structures by Means of Program Properties, Fundamenta Informaticae 4, 661-674.
Bergstra J., Tiuryn J. (1981b), Algorithmic Degrees of Algebraic Structures, Fundamenta Informaticae 4, 851-863.
Bergstra J., Tucker J. V. (1982), The Refinement of Specifications and the Stability of Hoare's Logic, in: Logics of Programs 1981 (D. Kozen ed.), LNCS 131, Springer Verlag, Berlin, 24-36.
Bergstra J., Tucker J. V. (1984), Hoare's Logic for Programming Languages with Two Data Types, TCS 28, 215-222.
Berman F. (1979), A Completeness Technique for D-Axiomatizable Semantics, in: Proc. 11th ACM STOC, 160-166.
Berman P., Halpern J., Tiuryn J. (1982), On the Power of Non-determinism in Dynamic Logic, Proc. ICALP'82 (M. Nielsen, E. M. Schmidt eds.), LNCS 140, Springer Verlag, Berlin, 48-61.
Birkhoff G., Lipson J. (1970), Heterogeneous Algebras, Journal of Combinatorial Theory 8, 115-133.
Blikle A., Mazurkiewicz A. (1972), An Algebraic Approach to the Theory of Programs, Algorithms and Recursiveness, in: Proc. MFCS'72, Reports of the Computer Center of the Polish Academy of Sciences, Warsaw.
Blikle A. (1977), An Analysis of Programs by Algebraic Means, in: Math. Foundations of Computer Science (Z. Pawlak, A. Mazurkiewicz eds.), Banach Center Publications, vol. 2, PWN, Warsaw, 167-213.
Burkhard H. D. (1981), Ordered Firing in Petri Nets, Elektron. Informationsverarbeitung und Kybernetik 17, 71-86.
Burkhard H. D. (1981b), Two Pumping Lemmata for Petri Nets, Elektron. Informationsverarbeitung und Kybernetik 17, 349-362.
Burkhard H. D. (1983), On Priorities of Parallelism: Petri Nets under the Maximum Firing Strategy, in: Proc. Logics of Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, Berlin, 86-98.
Burkhard H. D. (1984), An Investigation of Controls for Concurrent Systems by Abstract Control Languages, LNCS 176, Springer Verlag, 223-231.
Burstall R. M. (1969), Proving Properties of Programs by Structural Induction, Computing 12, 41-48.
Cartwright R., McCarthy J. (1979), First Order Programming Logic, in: Proc. 6th ACM POPL, San Antonio, 68-80.
Cartwright R. (1982), Toward a Logical Theory of Program Data, in: Proc. Logics of Programs 1981 (D. Kozen ed.), LNCS 131, Springer Verlag, Berlin, 37-51.
Chandra A., Halpern J., Meyer A., Parikh R. (1981), Equations Between Regular Terms and Application to Process Logic, in: Proc. ACM STOC 1981, 384-390.
Chlebus B. (1982), Completeness Proofs for Some Logics of Programs, Zeitschrift für Math. Logik 28, 49-62.
Chlebus B. (1982b), On Decidability of Propositional Algorithmic Logic, Zeitschrift für Math. Logik 28, 247-261.
Chlebus B. (1983), On Four Logics of Programs and the Complexity of Their Satisfiability Problems: Extended Abstract, in: Proc. Logics of Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, Berlin, 98-109.
Church A. (1936), An Unsolvable Problem of Elementary Number Theory, Amer. J. Math. 58, 345-363.
Clarke E. M. (1979), Programming Language Constructs for Which It Is Impossible to Obtain Good Hoare-Like Axioms, JACM 26, 129-147.
Constable R. L. (1977), A Constructive Programming Logic, IFIP'77, North Holland, Amsterdam, 733-738.
Constable R. L. (1977b), On the Theory of Programming Logics, in: Proc. 9th ACM STOC, 269-285.
Constable R. L., O'Donnell M. J. (1978), A Programming Logic, Winthrop, Cambridge, Massachusetts.
Constable R. L., Zlatin D. R. (1982), The Type Theory of PL/CV3, in: Proc. Logics of Programs 1981 (D. Kozen ed.), LNCS 131, Springer Verlag, Berlin, 72-93.
Cook S. A. (1978), Soundness and Completeness of an Axiom System for Program Verification, SIAM J. Comput. 7, 70-90.
Cousineau G., Enjalbert P. (1979), Program Equivalence and Provability, in: Proc. MFCS'79 (J. Becvar ed.), LNCS 74, Springer Verlag, Berlin, 237-245.
Dahl O.-J., Hoare C. A. R. (1972), Hierarchical Program Structures, in: O.-J. Dahl, E. W. Dijkstra, C. A. R. Hoare, Structured Programming, Academic Press, 197-220.
Danko W. (1974), Not Programmable Function Defined by a Procedure, Bull PAS 22, 587-594.
Danko W. (1978), Algorithmic Properties of Programs with Tables, Fundamenta Informaticae 1, 379-398.
Danko W. (1979), Definability in Algorithmic Logic, Fundamenta Informaticae 2, 277-287.
Danko W. (1980), A Criterion of Undecidability of Algorithmic Theories, in: Proc. MFCS'80 (P. Dembinski ed.), LNCS 88, Springer Verlag, Berlin, 205-216.
Danko W. (1983), Interpretability of Algorithmic Theories, Fundamenta Informaticae 6, 217-233.
Danko W. (1983b), Algorithmic Properties of Finitely Generated Structures, in: Proc. Logics of Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, Berlin, 118-131.
Dijkstra E. W. (1975), On Guarded Commands, Non-determinacy and Formal Derivation of Programs, CACM 18, 453-457.
Dijkstra E. W. (1976), Discipline of Programming, Prentice Hall, Englewood Cliffs.
van Emde Boas P., Janssen T. M. (1977), The Expressive Power of Intensional Logic in the Semantics of Programming Languages, in: Proc. MFCS'77 (J. Gruska ed.), LNCS 53, Springer Verlag, Berlin, 303-312.
van Emde Boas P., Janssen T. (1978), Intensional Logic and Programming, Amsterdam, preprint No. ZW 98/78.
Engeler E. (1967), Algorithmic Properties of Structures, Math. Systems Theory 1, 183-195.
Engeler E. (1968), Remarks on the Theory of Geometrical Constructions, in: Syntax and Semantics of Infinitary Languages, Lecture Notes in Mathematics 72, Springer Verlag, Berlin, 64-76.
Engeler E. (1971), Structure and Meaning of Elementary Programs, in: Proc. Symp. Semantics of Algorithmic Languages, Lecture Notes in Mathematics 188, Springer Verlag, Berlin, 89-101.
Engeler E. (1973), On the Solvability of Algorithmic Problems, in: Logic Colloquium 73 (H. E. Rose and J. C. Shepherdson eds.), Studies in Logic 80, North-Holland, 231-251.
Engeler E. (1975), Algorithmic Logic, in: Mathematical Centre Tracts (J. de Bakker ed.), Amsterdam, 57-85.
Enjalbert P. (1981), Contribution à l'étude de la logique algorithmique: systèmes de déduction pour les arbres et les schémas de programmes, Doct. Diss., Université Paris VII.
Enjalbert P. (1983), Algebraic Semantics and Program Logics: Algorithmic Logic for Program Trees, in: Proc. Logics of Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, Berlin, 132-147.
Enjalbert P., Michel M. (1984), Many-Sorted Temporal Logic for Multiprocesses Systems, LNCS 176, Springer Verlag, 273-281.
Fischer M. J., Ladner R. E. (1979), Propositional Dynamic Logic of Regular Programs, JCSS 18, 194-211.
Floyd R. W. (1967), Assigning Meanings to Programs, in: Proc. Symp. Appl. Math. AMS 19, Mathematical Aspects of Computer Science (J. T. Schwartz ed.), 19-32.
Fraenkel A., Bar-Hillel Y. (1958), Foundations of Set Theory, North-Holland, Amsterdam.
Glushkov V. M. (1965), Automata Theory and Formal Transformation of Microprograms (in Russian), Kibernetika 1, 1-10.
Glushkov V. M., Tseytlin G. E., Yoshchenko E. L. (1978), Algebra, Languages, Programming (in Russian), 2nd edition, Naukova Dumka, Kiev.
Goguen J. A., Thatcher J. W., Wagner E. G. (1977), An Initial Algebra Approach to the Specification, Correctness and Implementation of Abstract Data Types, IBM Res. RC 6487.
Goldblatt R. (1982), Axiomatising the Logic of Computer Programming, LNCS 130, Springer Verlag, Berlin.
Grabowski M. (1972), The Set of All Tautologies of Zero-Order Algorithmic Logic is Decidable, Bull. PAS 20, 575-582.
Grabowski M., Kreczmar A. (1978), Dynamic Theories of Real and Complex Numbers, in: Proc. MFCS'78 (J. Winkowski ed.), LNCS 64, Springer Verlag, Berlin, 239-249.
Grabowski M. (1981), Full Weak Second-Order Logic versus Algorithmic Logic, Proc. Mathematical Logic in Computer Science, Salgotarjan 1978, in: Colloquia Mathematica Societatis Janos Bolyai 26, North-Holland, Amsterdam, 471-483.
Grabowski M. (1983), Some Model Theoretical Properties of Logic for Programs with Random Control, in: Proc. Logics of Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, Berlin, 148-155.
Greibach S. (1975), Theory of Program Structures, Schemes, Semantics, Verification, LNCS 36, Springer Verlag, Berlin.
Greif I., Meyer A. (1980), Specifying Programming Language Semantics, in: Proc. 7th ACM POPL 1980, 180-189.
Guttag J. (1977), Abstract Data Types and the Development of Data Structures, CACM 20, 396-404.
Goraj A., Mirkowska G., Paluszkiewicz A. (1970), On the Notion of Description of Program, Bull. PAS 18, 499-506.
Habasinski Z. (1984), Process Logic: Two Decidability Results, in: Proc. MFCS'84 (M. Chytil ed.), LNCS 176, Springer Verlag, 282-290.
Harel D. (1978), First Order Dynamic Logic, LNCS 68, Springer Verlag, Berlin.
Harel D. (1978b), Arithmetical Completeness in Logics of Programs, in: Automata, Languages and Programming, Udine 1978 (G. Ausiello and C. Böhm eds.), LNCS 62, Springer Verlag, Berlin, 286-289.
Harel D. (1979), Recursion in Logics of Programs, in: Proc. 6th ACM POPL, San Antonio, 81-92.
Harel D. (1980), On Folk Theorems, CACM 23.
Harel D. (1982), Dynamic Logic, manuscript.
Harel D., Kozen D., Parikh R. (1980b), Process Logic: Expressiveness, Decidability, Completeness, in: Proc. FOCS 1980, 129-142.
Harel D., Meyer A. R., Pratt V. R. (1977), Computability and Completeness in Logics of Programs, in: Proc. 9th ACM STOC, 261-268.
Harel D., Pnueli A., Stavi J. (1977b), A Complete Axiomatic System for Proving Deductions About Recursive Programs, in: Proc. 9th ACM STOC, 249-260.
Harel D., Pratt V. (1978), Non-determinism in Logics of Programs, in: Proc. 5th ACM POPL, Tucson, Ariz., 203-213.
Hajek P. (1981), Making Dynamic Logic First-Order, in: Proc. MFCS'81 (J. Gruska, M. Chytil eds.), LNCS 118, Springer Verlag, Berlin, 287-295.
Hennessy M. C. B., Plotkin G. D. (1980), A Term Model for CCS, in: Proc. MFCS'80 (P. Dembinski ed.), LNCS 88, Springer Verlag, Berlin, 261-274.
Hermes H. (1965), Enumerability, Decidability, Computability, Academic Press, New York.
Hoare C. A. R. (1969), An Axiomatic Basis for Computer Programming, CACM 12, 576-583.
Hoare C. A. R. (1972), Proof of Correctness of Data Representation, Acta Informatica 1, 271-281.
Hoare C. A. R., Wirth N. (1973), An Axiomatic Definition of the Programming Language PASCAL, Acta Informatica 2, 335-355.
Hoare C. A. R. (1978), Communicating Sequential Processes, CACM 21, 666-677.
Igarashi S. (1968), An Axiomatic Approach to the Equivalence Problems of Algorithms with Applications, Rep. Comp. Centre of University of Tokyo 1.
Karp R. A. (1984), Proving Failure-Free Properties of Concurrent Systems Using Temporal Logic, TOPLAS 6, 239-253.
Kawai H. (1983), A Formal System for Parallel Programs in Discrete Time and Space, in: Proc. Logics of Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, 155-165.
Kfoury D. (1972), Comparing Algebraic Structures up to Algorithmic Equivalence, in: Proc. ICALP, North Holland, Amsterdam, 253-264.
Kfoury A. J., Park D. M. (1975), On the Termination of Program Schemas, Information and Control 29, 243-251.
Kluzniak F., Szpakowicz S. (1985), Prolog for Programmers, Academic Press, Orlando.
Knuth D. E. (1968), The Art of Computer Programming, vols 1-3, Addison-Wesley, 1968, 1969, 1973.
Knuth D. E. (1974), Structured Programming with 'go to' Statements, Computing Surveys 6, 261-301.
362 BIBLIOGRAPHY

Kotov V. E. (1978), An Algebra for Parallelism Based on Petri Nets, in: Proc.
MFCS'78 (J. Winkowski ed.), LNCS 64, Springer Verlag, 39-56.
Kozen D. (1980), A Representation Theorem for Models of *-Free PDL, in: Proc.
7th ICALP (J. de Bakker, J. van Leeuwen eds.), LNCS 85, Springer Verlag, Ber­
lin, 351-362.
Kozen D. (1981), On the Duality of Dynamic Algebras and Kripke Models in Logics
of Programs (E. Engeler ed.), LNCS 125, Springer Verlag, Berlin, 1-11.
Kozen D., Parikh R. (1981b), An Elementary Completeness Proof for PDL, TCS 14,
113-118.
Kozen D. (1982), On Induction Versus—Continuity in Logics of Programs, in: Proc.
Logics o f Programs 1981 (D. Kozen ed.), LNCS 131, Springer Verlag, Berlin,
167-176.
Krause M., Kreczmar A., Langmaack H., Salwicki A. (1984), Specification and Imple­
mentation Problems o f Programming Languages Proper for Hierarchical Data
Types, Raport no. 8410, Institut fur Informatik Christian Albrecht Universitat Kiel.
Kreczmar A. (1972), Degree of Recursive Unsolvability of Algorithmic Logic, Bull.
PAS 20, 615-617.
Kreczmar A. (1974), Effectivity Problems of Algorithmic Logic, in: ICALP'74
(J. Loeckx ed.), LNCS 14, Springer Verlag, Berlin, 584-600.
Kreczmar A. (1977), Effectivity Problems of Algorithmic Logic, Fundamenta In-
formaticae 1, 19-32.
Kreczmar A. (1977b), Programmability in fields, Fundamenta Informaticae 1, 195-230.
Kreczmar A., Miildner T. (1983), Coroutines and Processes in Block Structured
Languages, in: Proc. 6 GIDortmund, Jan. 1983, LNCS 145, Springer Verlag, Berlin,
231-243.
Kroger F. (1976), Logical Rules for Natural Reasoning about Programs, in: ICALP'76
(S. Michaelson, R. Milner eds.), Edinburgh, 87-98.
Kroger F. (1977), A Logic of Algorithmic Reasoning, Acta Informatica 8, 243-266.
Kroger F. (1978), A Uniform Logical Basis for the Description, Specification and
Verification of Programs, in : Formal Description o f Programming Concepts
(E. J. Neuhold ed.), North Holland, Amsterdam, 441-459.,
Kuratowski K., Mostowski A. (1967), Set Theory, North Holland, Amsterdam,
PWN, Warsaw.
Lamport L. (1980), “Sometimes” is sometimes “not never”, in: Proc. 7th A C M PO P L,
Las Vegas, 174-185.
Lamport L. (1984), Using Time instead of Timeout for Foult Tolerant Distributed
Systems, TOPLAS 6, 254-280.
Lamport L., Scheider F. (1984), The “Hoare Logic” of CSP and All That, TOPLAS 6,
281-295.
Langmaack H. (1979); On Termination Problems for Finitely Interpreted ALGOL-like
Programs, Rep. 7904, Institut fur Informatik und Praktische Mathematik,
Christian Albrechts Universitat Kiel, Sept. 1979.
Langmaack H. (1982), On Termination Problems for Finitely Interpreted ALGOL-
-like Programs, Acta Informatica 18, 79-108.
Lipton R. J. (1977), A Necessary and Sufficient Condition for the Existence of Hoare
Logics, in: Proc. 18th FOCS'77.
BIBLIOGRAPHY 363

Liskov B. H., Zilles S. N. (1975), Specification Techniques for Data Abstractions.


IEEE Trans. Software Engrg.
Liskov B. H., Zilles S. N. (1979), Programming with Abstract Data Types, in: Proc.
A CM SIGPLAN Symp. on Very High Level Languages, SIGPLAN Notices 4, 50-59.
Luckham D. C., Park D. M., Paterson M. S. (1970), On formalized computer pro­
grams, JCSS 4, 220-249.
Machtey M., Young P. (1978), An Introduction to the General Theory o f Algorithms,
North Holland, New York.
Malcev A. I. (1965), Algorithms and Recursive Functions (in Russian), Nauka, Moscow,
Malcev A. I. (1970), Algebraic Systems (in Russian), Nauka, Moscow.
Manna Z. (1969), The Correctness of Programs, JCSS 3.
Manna Z. (1974), Mathematical Theory o f Computation, McGraw-Hill, New York.
Manna Z., Pnuelli A. (1979), The Modal Logic of Programs, in: Automata, Language
and Programming, LNCS 71, Springer Verlag, Berlin, 385-405.
Markov A. (1954), Theory o f Algorithms (in Russian), Proc. Steklov Math. Inst.,
Moscow.
Mazur S. (1963), Computable Analysis, Dissertationes Math. 33.
Mazurkiewicz A. (1975), Parallel Recursive Program Schemes, in: Proc. MFCS'75
(J. Becvar ed.) LNCS 32, Springer Verlag, Berlin, 75-87.
McCarthy J. (1963), A Basis for Mathematical Theory of Computation, in: Computer
Programming and Formal Systems, North-Holland, Amsterdam.
Meyer A. R.. Winklmann K. (1979), On the Expressive Power of Dynamic Logic,
in: Proc. 11th ACM STOC, Atlanta.
Meyer A., Halpern J. (1980), Axiomatic Definitions of Programming Languages:
a Theoretical Assessment, in: Proc. 7th ACM POPE, Las Vegas 1980, 203-212.
Meyer A. R., Parikh R. (1980b), Definability in Dynamic Logic, in: Proc. 12th
A CM STOC, Los Angeles 1980, 1-7.
Meyer A., Streett R. S., Mirkowska G. (1981), The Deducibility Problem in Propo­
sitional Dynamic Logic, in: Logics o f Programs, Zurich 1979 (E. Engeler ed.),
LNCS 125, Springer Verlag, Berlin, 12-23.
Meyer A. R., Tiuryn J. (1982), A Note on Equivalences Among Logics of Programs,
in: Proc. Logics o f Programs, Yorktown Heights 1981 (D. Kozen ed.), LNCS 131,
Springer Verlag, 282-299.
Milner R. (1980), A Calculus o f Communication Systems, LNCS 92, Springer Verlag,
Berlin.
Mirkowska G. (1971), On Formalized Systems of Algorithmic Logic, Bull. PAS 19,
421-428.
Mirkowska G., Salwicki A. (1976), A Complete Axiomatic Characterization of Al­
gorithmic Properties of Block-Structured Programs with Procedures, in: Proc.
MFCS'76 (A. Mazurkiewicz ed.), LNCS 45, Springer Verlag, 602-606.
Mirkowska G. (1977), Algorithmic Logic and Its Applications in the Theory of Pro­
grams, Fundamenta Informaticae 1, 1-17, 147-165.
Mirkowska G. (1980), Algorithmic Logic with Non-deterministic Programs, Funda­
menta Informaticae 3, 45-64.
364 BIBLIOGRAPHY

Mirkowska G. (1980b), Model Existence Theorem for Algorithmic Logic with Non-
deterministic Programs, Fundamenta Informaticae 3, 157-170.
Mirkowska G. (1980c), Complete Axiomatization of Algorithmic Properties of Pro­
gram Schemes with Bounded Non-deterministic Interpretations, in: Proc. 12th
STOC, Los Angeles 1980, 14-21.
Mirkowska G. (1981), PAL-Propositional Algorithmic Logic, in: Logics o f Pro­
grams, Zurich 1979 (E. Engeler ed.), LNCS 125, Springer Verlag, Berlin, 12-22,
Fundamenta Informaticae 4, 675-757.
Mirkowska G. (1982), The Representation Theorem for Algorithmic Algebras,
in: Proc. Logics of Programs, Yorktown Heights 1981 (D. Kozen ed.), LNCS 131,
Springer Verlag, Berlin, 300-310.
Mirkowska G. (1983), On the Algorithmic Theory of Arithmetic, in: Proc. Logics
o f Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148,
Springer Verlag, Berlin, 166-185.
Mostowski A. (1948), Mathematical Logic (in Polish), Mathematical Monographs
Series, no 18, Warszawa—Wroclaw.
Miildner T., Salwicki A. (1978), Computational Processes Generated by Programs
with Recursive Procedures and Block Structures, Fundamenta Informaticae 1,
305-323.
Miildner T. (1981), On the Synchronizing Tools for Parallel Programs, Fundamenta
Informaticae 4, 95-134.
Miildner T. (1981b), On Semantics of Parallel Programs, Fundamenta Informaticae 4,
35-82.
Naur P. (1966), Proof of Algorithms by General Snapshots, BIT 6, 310-316.
Nemeti I. (1982), Non-standard Dynamic Logic, in: Proc. Logics o f Programs, York­
town Heights 1981 (D. Kozen ed.), LNCS 131, Springer Verlag, Berlin, 311-348.
Nemeti I. (1983), Non-standard Runs of Floyd-Provable Programs, in : Proc. Logics
o f Programs and Their Applications, LOGLAN 77, Poznan 1980 (A. Salwicki ed.),
LNCS 148, Springer Verlag, Berlin, 186-204.
Nishimura H. (1979), Sequential Method in Propositional Dynamic Logic, Acta
Informatica 12, 377-400.
Nishimura H. (1980), Descriptively Complete Process Logic, Acta Informatica 14,
359-369.
O’Donnell M. J. (1982), A Critique of the Foundations of Hoare-Style Programming
Logics, in: Proc. Logics o f Programs 1981 (D. Kozen ed.), LNCS 131, Springer
Verlag, Berlin, 349-374.
Oktaba H. (1981), Formalization o f the Notion o f Reference and Its Applications
in Theory o f Data Structures (in Polish), Doct. Diss., Univ. of Warsaw.
Orlowska E. (1983), Program Logic with Quantifiable Propositional Variables,
in: Proc. Logics o f Programs and Their Applications, Poznan 1980 (A. Salwicki
ed.), LNCS 148, Springer Verlag, Berlin, 205-212.
Owicki S., Gries D. (1976), Verifying Properties of Parallel Programs: An Axio­
matic Approach, CACM 19, No 5, 279-285.
Parikh R. (1978), A Completeness Result for PDL, in: Proc. MFCS'78 (J. Win-
kowski ed.), LNCS 64, Springer Verlag, Berlin, 403-416.
BIBLIOGRAPHY 365

Parikh R. (1980), Propositional Logics of Programs: System Models and Comple­


xity, 7th A C M POPL, Las Vegas, 186-192.
Parikh R. (1981), Propositional Dynamic Logics of Programs: A Survey, in: Logics
o f Programs, Zurich 1979 (E. Engeler ed.), LNCS 125, Springer Verlag, Berlin,
102-144. •
Park D . (1969), Fixed Point Induction and Proofs of Program Properties, Machine
Intelligence Workship 5, 59-78.
S. Passy, T. Tinchev (1985), PDL with Data Constants, 1PL 20, 35-42.
Perkowska E. (1972), On Algorithmic m-Valued Logics, Bull. PAS 20, 717-719.
Petermann U. (1983), On Algorithmic Logic with Partial Operations, in: Proc.
Logics o f Programs and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS
148, Springer Verlag, Berlin, 213-223.
Pnueli A. (1977), The Temporal Logic of Programs, in: Proc. 18th F O C S '7f 46-57.
PnueJi A. (1979), Temporal Semantics of Concurrent Programs, in: Semantics o f
Concurrent Computation (G. Kahn ed.), LNCS 70, Springer Verlag, Berlin, 1-20.
Poythress V. S. (1973), Partial Morphisms on Partial Algebras, Algebra Univer­
salis 3, 182-202.
Pratt V. R. (1976), Semantical Considerations on Floyd-Hoare Logic, in: Proc.
17th FOCS'76, 109-121.
Pratt V. R. (1978), A Practical Decision Method for Propositional Dynamic Logic,
in: Proc. 10th A C M STOC, 326-337.
Pratt V. R. (1979), Dynamic Algebras: Examples, Constructions, Applications, Raport
MIT/LCS/TM.
Pratt V. R. (1979b), Process Logic, in: Proc. 6th A C M POPL, San Antonio, 93-100.
Radev S. (1983), Infinitary Propositional Modal Logic and Program Language,
in : Proc. Logics o f Programs and Their Applications, Poznan 1980 (A. Salwicki ed.),
LNCS 148, Springer Verlag, 253-258.
Rasiowa H. (1972), On Logical Structure o f Programs, Bull. PAS 20, 319-324.
Rasiowa H. (1975), co+-Valued Algorithmic Logic as a Tool to Investigate Pro­
cedures, Proc. MFCS'74 (A. Blikle ed.), LNCS 28, Springer Verlag, Berlin.
Rasiowa H. (1975b), Completeness Theorem for Extended Algorithmic Logic, in:
Proc. 5th Intern. Congress o f Logic, Methodology and Philosophy o f Science, III,
D . Reidel, Dordrecht, 13-15.
Rasiowa H. (1975c), Many Valued Algorithmic Logic, in: Proc. ASL Symp. Kiel 1974,
Lecture Notes in Mathematics 499, Springer Verlag, Berlin, 543-565.
Rasiowa H. (1977), Algorithmic Logic—Notes From Seminar in Simon Fraser
University 1975, Reports o f the Computer Center o f the Polish Academy o f Sciences,
no 281, Warsaw.
Rasiowa H. (1979), Algorithmic Logic, Multiple-Valued Extensions, Studia Logica
38, 317-335.
Rasiowa H. (1979b), Logic of Complex Algorithms, in: Proc. FCT'79 (L. Budach
ed.), Akademie Verlag, Berlin, 371-380.
Rasiowa H., Sikorski R. (1968), Mathematics o f Metamathematics, PWN, Warsaw.
Reif J. H., Peterson G. L. (1980), A Dynamic Logic of Multiprocessing with In­
complete Information, in: 7th A CM POPL, Las Vegas, 193-202.
366 BIBLIOGRAPHY

Reif H. J. (1980b), Logics for Probabilistic Programming, in: Proc. 12th STOC,
Los Angeles, 8-13.
Reiterman J., Trnkova V. (1980), Dynamic Algebras which are not Kripke Struc­
tures, in: Proc, MFCS'80 (P. Dembinski ed.), LNCS 88, Springer Verlag, Berlin,
528-538.
Rice H. G. (1954), Recursive Real Numbers, Proc. Amer. Math. Soc. 5, 784-791.
Rogers H., Jr. (1967), Theory o f Recursive Functions and Effective Computability,
McGraw-Hill, New York.
Salwicki A. (1970), Formalized Algorithmic Languages. Bull. PAS 18, 227-232.
Salwicki A. (1975), Procedures, Formal Computations and Models, in: Proc. MFCS'74
(A. Blikle ed.), LNCS 28, Springer Verlag, Berlin, 464-484.
Salwicki A. (1977), Applied Algorithmic Logic, in: Proc. MFCS'77, (J. Gruska ed.),
LNCS 53, Springer Verlag, Berlin, 122-134.
Salwicki A. (1977b); An Algorithmic Approach to Set Theory, in: Proc. FCT'77
(M. Karpinski ed.), LNCS 56, Springer Verlag, Berlin, 499-510.
Salwicki A. (1977c), Algorithmic Logic, a Tool for Investigation of Programs, in:
Logic, Foundations o f Mathematics and Computability Theory, Part One o f the
Proceedings o f the Fifth International Congress o f Logic, Methodology and Philo­
sophy o f Science, London, Ontario, 1975 (R. E. Butts, J. Hintikka eds.), D. Reidel
Publ., Dordrecht, 281-295.
Salwicki A. (1980), On Algorithmic Theory of Stacks, Fundamenta Informaticae 3,
311-332.
Salwicki A. (1981), On the Algorithmic Theory of Dictionaries, in: Logics o f Pro­
grams, Zurich 1979 (E. Engeler ed.), LNCS 125, Springer Verlag, Berlin, 145-168.
Salwicki A., Muldner T. (1981b), On the Algorithmic Properties of Concurrent
Programs, in: Logics o f Programs, Zurich 1979 (E. Engeler ed.), LNCS 125, Sprin­
ger Verlag, Berlin, 169-197.
Salwicki A. (1982), Algorithmic Theories of Data Structures, in: Proc. ICALP'82
Aarhus (M. Nielsen, E. Schmidt eds.), LNCS 140, Springer Verlag, Berlin, 458-472.
Salwicki A. (1982b), Critical Remarks on MAX Model of Concurrency, in: Proc.
Logics o f Programs, Yorktown Heights 1981 (D. Kozen ed.), LNCS 131, Springer
Verlag, Berlin, 397-405.
Scott D. (1970), Outline o f a Mathematical Theory o f Computation, Oxford Mono­
graphs PRG-2, Oxford University Press.
Scott O. (1976), Data Types as Lattices, SIAM J. Comput. 5, 522-587.
Scott D. (1982), Domains For Denotational Semantics, in: Proc. ICALP'82, Aarhus
(M. Nielsen, E. Schmidt eds.), LNCS 140, Springer Verlag, Berlin, 577-613.
Scott D., Strachey C. (1971), Towards a Mathematical Semantics for Computer
Languages, Technical Monograph PRG 6, Oxford University.
Segerberg K. (1982), A Completeness Theorem in the Modal Logic of Programs,
in: Universal Algebra and Applications (T. Traczyk ed.), PWN, Warszawa, 31-46.
Shepherdson J. C., Sturgis H. E. (1963), Computability of Recursive Functions,
JACM 10, 217-255.
Shoenfield J. R. (1967), Mathematical Logic, Addison-Wesley, Reading, Massa­
chusetts.
BIBLIOGRAPHY 367

Skowron A. (1983), Concurrent Programs, in: Proc. Logics o f Programs and Their
Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer Verlag, 258-270.
Skowron A., Radev S., Vakarelov D. (1980), Propositional Computational Logic,
Reports o f the Institute o f Computer Science o f the Polish Academy o f Sciences,
no. 411, Warsaw, 64-66.
Spitzen J., Wegbreit B. (1975), The Verification and Synthesis of Data Structures,
Acta Informatica 4.
Szczerba L. W. (1977), interpretability of Elementary Theories, in: Logic, Foun­
dations o f Mathematics and Computability Theory, Part One o f the Proceedings
of the Fifth International Congress o f Logie, Methodology and Philosophy o f Science,
London, Ontario 1975 (R. E. Butts, J. Hintikka eds.), D. Reidel, Dordrecht.
Thiele H. (1966), Wissenschaftstheoretische Unitersuchungen in algor ithmischen Spra-
chen. VEB Deutscher Verlag der WissenschaLen, Berlin.
Tiuryn J. (1981), Unbounded Program Memory Adds to Expressive Power of First-
-Order Dynamic Logic, in: Proc. 22nd FOCS'81, Nashville, 335-339.
Tiuryn J, (1981b), Logic of Effective Definitions, Fundamenta Informaticae 4, 629-660.
Tiuryn J. (1981c), A Survey of the Logic of Effective Definitions, in: Logics o f Pro­
grams 1979 (E. Engeler ed.), LNCS 125, Springer Verlag Berlin, 198-245.
Trakhtenbrot B. A. (1979), On Relaxation Rules in Algorithmic Logic, in: Proc.
MFCS'19 (J. Becvar ed.), LNCS 74, Springer Verlag, Berlin, 453-462.
Urzyczyn P. (1981), Algorithmically Triviality of Abstract Structures, Fundamenta
Informaticae 4, 819-849.
Urzyczyn P. (1982), On the Unwinding of Flow-Charts with Stacks, Fundamenta
Informaticae 4, 119-126.
Vakarelov D. (1982), Reduction o f Dynamic Logic to Modal Logic, manuscript.
Vakarelov D. (1983), Filtration Theorem for Dynamic Algebras with Tests and In­
verse Operator, in: Proc. Logics o f Programs and Their Applications, Poznan 1980
(A. Salwicki ed.), LNCS 148, Springer Verlag, Berlin, 314-324.
Valiev M. K. (1979), On Axiomatization of Deterministic Propositional Dynamic
Logic, in: Proc. MFCS'79 (J. Becvar ed.), LNCS 74, Springer Verlag, Berlin,
482-491.
Valiev M. K. (1980), Decision Complexity of Variants of Propositional Dynamic
Logic, in: Proc. MFCS'80 (P. Dembinski ed.), LNCS 88, Springer Verlag, Berlin,
656-664.
Valiev M. K. (1983), On Axiomatization of Process Logic, in: Proc. Logics o f Pro­
grams and Their Applications, Poznan 1980 (A. Salwicki ed.), LNCS 148, Springer
Verlag, Berlin, 304-313.
Vaught R. L. (1973), Some Aspects of the Theory of Models, Amer. Math. Monthly 80,
3-37.
Wand M. (1978), A New Incompleteness Result for Hoare’s Systems, JACM 25,
168-175.
Wegbreit B. (1976), Verifying Program Performance, JACM 23, 691-700.
Winklmann K. (1977), Equivalence o /D L and DL+ for Regular Programs without
Array Assignments but with DL-Formulas in Tests, Manuscript, Lab. for Comp.
Sci. MIT, Dec. 1977.
368 BIBLIOGRAPHY

Winkowski J. (1977), A Natural Method of Proving Properties of Programs, Fun-


damenta Informaticae 1, 33-49.
Winkowski J. (1979), An Algebraic Approach to Concurrence, in: Proc. MFCS'79
(J. Becvar ed.), LNCS 74, Springer Verlag, Berlin 523-532.
Wirsing M., Broy M. (1980), Abstract Data Types as Lattices o f Finitely Generated
Models, LNCS 88, Springer Verlag, 673-685.
Wirth N. (1971), Program Development by Stepwise Refinement, C A C M 14,221-227.
Yanov Y. I. (1959), The Logical Schemes in Algorithms, Problems o f Cybernetics 1,
Pergamon Press, New York, 82-140.
Yeh R. (1977), Current Trends in Programming Methodology, v. 1 ,2 , Prentice Hall,
Englewood Cliffs.
INDEX

Abstract data types 140
Algebra 11
  abstract 11, 25, 27
  Boolean 11, 348
  free in a class of algebras 25, 27
Algorithm 2, 3
Algorithmic language 24, 208, 273
  many-sorted 127
  propositional 208
Algorithmic logic, AL 60
  many-sorted 127
  non-deterministic, NAL 269, 283
  propositional, PAL 206
  with generalized terms 122
  with identity 116
  with partial functions 125
Algorithmic property 199
Algorithmic theory 60, 232, 283
  of arithmetic, propositional (Ar) 233
  of binary search trees, ATBST 183
  of dictionaries, ATD 142
  of links and stacks, ATSL 167
  of natural numbers 155
  of priority queues, ATPQ 154
  of queues, ATQ 177
  of references, ATR 328
  of stacks, ATS 160
  of stacks, propositional 236
Alphabet 24
Annotated program 47
ARB semantics 306
Archimedean ordered field 140, 201
Arithmetic 155
Arithmetical expression 10
Assignment instruction 8, 26
Atomic program 319
Axiom (notion of) 56
  of fields of characteristic zero 140, 195
Axiomatic semantics 15
Axiomatization 56, 57
  Gentzen type 103
  Hilbert type 23, 57, 229, 282
Axioms
  of binary search trees 182
  of dictionaries 142
  of natural number 155
  of non-deterministic algorithmic logic 282, 283
  of priority queues 154
  of propositional algorithmic logic 229, 230
  of queues 177
  of rational numbers 194
  of references 330
  of stacks 162
  of virtual memory 340
  specific (non-logical) 60, 232

Binary search trees 181
Boolean algebra 11, 348
Boolean expression 7
Bounded non-determinism 248, 254, 257
Branching (conditional instruction) 9, 26

Canonical data structure 89
Categoricity 55, 339
Church thesis 2
Class 140
Compactness property 55, 228
Completeness 79, 94, 242
Composition 26
Computation 34, 271, 303, 321
  of a program scheme 211
  successful 124, 211
  unsuccessful 124, 211
Concatenable type declaration 341
Concatenation of declarations (of modules) 341
Concurrent program 299, 320
Configuration 34, 210, 271, 301, 320
Conflict set (of instructions) 300
Conjunction 7
Consequence operation
  semantic 51, 52, 53, 228
  syntactic 58, 59, 229
Consistency 65, 69, 93, 136, 232, 240, 242, 253, 330
Correctness 16, 46, 75, 274
  partial 46

Data structure 12, 30, 138
  constructive 203
  of arrays 190
  of binary search trees 181, 182
  of binary trees 179
  of complex numbers 195
  of dictionary 141
  of hashtables 193
  of priority queues 154
  of queues 176
  of rational numbers 194
  of real numbers 200
Data structures, algorithmically equivalent 291
Deadlock 324
Definability 131
Definition
  of a functor 136
  of a predicate 135
  inessentiality of 137
Denotational semantics 15
Deterministic iterative program 8
Diagram of a formula 105
Disjunction 7

Effectively computable functions 2
Equality 115
Equivalence (of programs) 17, 109, 291, 293
Euclid's algorithm 2
Execution method 97, 98
  proper for algorithmic logic 98
  standard 98
Expressiveness 18

Filter 349
  preserving infinite operations, Q-filter 88, 350
  maximal 349
  prime 349
  proper 349
Finite covering condition 198
Finite degree of non-determinism, property (FDN) 216, 226
Finite intersection property 349
Firing 312
Flow-diagram 8
Formal proof 21, 58, 230
Formalized algorithmic theory 60
Formalized language 5
Formula 10, 27
  algorithmic 27, 209, 273
  closed 95
  elementary 25
  open 25
  satisfiable 37
  submitted to another formula 90, 222
  valid 37, 212, 239
Function
  algorithmically definable 134
  programmable 134
Functor (functional sign) 24

Greatest lower bound (g.l.b.) 349

Herbrand structure 101
  theorem 96

Implementation 140, 166
  of dictionaries 166
  of priority queues 187
  of stacks 173
Implication 7
Inference rule 57, 58, 230, 283
  conclusion of an 58
  premises of an 58
Input-output relation 12
Instruction
  assignment 26
  branching 9, 26
  composed (begin ... end) 9, 26
  concurrent (cobegin ... coend) 299, 320
  iteration 9, 26
  of non-deterministic choice 206
  parallel 299, 320
Interpretation
  of ATD in ATQ 177
  of ATPQ in ATBST 186
  of ATS in ATSL 172
  of a functor 30
  of a language 30
  of a predicate 30
  of a program 31, 272
  of a program scheme 210
  of a theory in another theory 140
Invariant 275
Iteration 9, 26

Kleene's algorithm 10
Koenig's lemma 288
Kuratowski-Zorn lemma 253

Leaf of a tree 58
Least upper bound (l.u.b.) 348
LIBERAL-semantics 318
Lindenbaum algebra 79, 82, 237, 238
Logic
  algorithmic 60
  dynamic 268
  propositional algorithmic 206, 230
Logical signs 7
LOGLAN 140, 173, 187, 298, 328
Looping 38, 206

Marking (of a Petri net) 311
Markov's normal algorithm 2
MAX semantics 300, 303, 315
Memory management, data structure of 329
Microprogramming 263
Model 51, 228
  of an algorithmic theory 69, 232

Negation 7
Non-determinism 269
Non-deterministic program 270
  iterative 8, 270
Normal form of programs 109, 294

Operational semantics 13
Ordering relation 348

Parallel program 8
Partial correctness 46
Partial functions 122
Petri net 311
Place 311
Postcondition 19, 47
  strongest 40
Precondition 19, 47
  weakest 44
Predicate (relational sign) 24
Prefixing 140, 328, 341
Priority queue 154
Process 300
Program 7, 26, 270, 299
Programmability 131
Programming constructs 8
Proof 21, 58, 75
  formal 21, 58

Q-filter 350
Quantifier 28
  existential 28
  existential iteration 28
  iteration 28, 273
  universal 28
  universal iteration 28

Rasiowa-Sikorski lemma 350
Recursive functions 2
Reference
  algorithmic theory of 330
  notion of (pointer) 329
  univocal 338
Relation
  algorithmically definable 131
  programmable 132
  strongly programmable 132
Representation theorem
  for arrays 192
  for binary search trees 184
  for Boolean algebras 351
  for dictionaries 149, 150
  for priority queues 155
  for queues 177
  for references 333
  for stacks 164
Result of a program 33
Rule of inference 21
  ω-rule 21

Scheme of program 8, 209
Semantic consequence operation 51
Semantic properties of program schemes 212
Semantic properties of programs 16
Semantic structure 98, 209
  functional 239
  normalized 221
  partial functional 243
  proper 221
  algorithmically equivalent 224
Semantics (interpretation) 11, 30, 97, 208, 270
Semaphore 319
Sequent 104
  axiom 104
  indecomposable 104
SIMULA-67 140, 204, 298, 328
Stacks 159
Starvation 325
Strongest postcondition 40
Successorship relation of configurations 34, 210, 271, 301, 320

Tautology 37, 65, 68, 69, 212
Term 7, 24
  generalized 119
Termination property 16, 38
Theorem (notion of) 60, 230, 283
  on adequacy 68
  completeness 79, 94, 116, 122, 126, 131, 242, 247, 254, 285
  deduction 95, 286
  downward Skolem-Lowenheim 96, 286
  model existence 93, 247, 284
  substitution 277, 281
Transition 311
Tree 58
  binary 179
  of possible computations 271
  of possible computations of concurrent program 303
Type of language 24

Valuation 30
Value
  of a formula 33
  of a term 31
Variable 24
  individual 24
  individual bounded 29
  individual free 29
  program 208
  propositional 24
Verification condition 47, 49
  proper 49
Virtual memory 339

Weakest precondition 44
while-programs 26

Yanov schemes 261
ERRATA

Page, line | For | Read
18, | α(x) | ~α(x)
216 | u —y | u^ y
351 | γm(v) = 0 | γm(v) = 1
6718 | M({x := y) <x=>p) | (M((x := y)α) => β)
679 | v' = Mw(v) |
91,o, 91g | M'α | M'β
91,o. 918 | M"α | M"β
912, 91,,, 925 | α | β
979, 9712, 97,o | (~γ ∧ α) | ~γ
111,3 | (v) | Mαn(v)
1129 | M'α(K'∧ v)) |
1424 | := in(e, s)) (mb(r, s) | (s' := in(e, s)) (mb(e, s')
1423 | (s := del(e, s)) (~mb(e, s) | (s' := del(e, s)) (~mb(e, s')
148,, | em(s) | ~em(s)
1496 | eq(in(e, del(e, s), s) | mb(e, s) => eq(in(e, del(e, s)), s)
150s | (∃e)mb(e, s) ∧ ~mb(e, s') | (∃e) (mb(r, s) ∧ ~mb(e, s'))
2631 | q ∈ Car(K) | q ∉ Car(K)
263s | = = v'(ei) |
2773 | 31, v jz: (y v ~ |
282,6 | ~(∃x)α(x) | ~(∃x)~α(x)
3292 | f = none | f ≠ none
3307 | s = allfree | s ≠ allfree
330® | f t = newfr(s') | f := newfr(s')

In parts of the text concerning the Boolean algebra the signs ∨, ∧, ⇒ should be replaced by ∪, ∩, − respectively.

G. Mirkowska, A. Salwicki, Algorithmic Logic


Algorithmic Logic

Grazyna Mirkowska
Institute of Mathematics, University of Warsaw
and
Andrzej Salwicki
Institute of Informatics, University of Warsaw

The aim of algorithmic logic (AL) is the study of the semantic properties of computer programs. AL plays, for computer science, a role similar to that played by mathematical logic in mathematics. AL studies those properties of programs which are valid by virtue of their syntactical structure, independently of any interpretation of functional symbols in programs. This leads to the discovery of algorithmic tautologies and inference rules enabling algorithmic reasoning. AL is a base for various algorithmic theories of data structures. The significance of AL lies in its applications in: specifications of systems; verification (analysis) of programs; and axiomatic definitions of semantics of programming languages. The results and methods of AL have numerous applications in software engineering (e.g. in semantic problems of the LOGLAN programming language and in systems created in LOGLAN).
The book offers an original, uniform view on the subject, studied also in: logics of partial correctness of programs, dynamic logic, abstract data types, semantics of concurrency and denotational semantics.

ISBN 90-277-1928-4

D. Reidel Publishing Company
Dordrecht/Boston/Lancaster/Tokyo