Algorithmic Logic

for
Software Construction and
Analysis

Grażyna Mirkowska Andrzej Salwicki

24 May 2009
ii
Contents

Preface v

1 Introduction 1
1.1 Logic? What for? . . . . . . . . . . . . . . . . . . . . . . . . . 1
1.2 Which logic? . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4

2 Data structures 11
2.1 On algebraic structures . . . . . . . . . . . . . . . . . . . . . . 11
2.2 Algebraic systems for the representation of finite sets . . . . . 20
2.3 Formal language & semantics . . . . . . . . . . . . . . . . . . 24
2.4 Expressibility problems in the first-order language . . . . . . . 31

3 Deterministic Iterative Programs 35

3.1 Programs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
3.2 Semantics . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
3.3 Semantic properties of programs . . . . . . . . . . . . . . . . . 46
3.3.1 The halting problem . . . . . . . . . . . . . . . . . . . 46
3.3.2 Program correctness . . . . . . . . . . . . . . . . . . . 47
3.3.3 Strongest postcondition . . . . . . . . . . . . . . . . . 49
3.3.4 Weakest precondition . . . . . . . . . . . . . . . . . . . 50
3.3.5 Invariants . . . . . . . . . . . . . . . . . . . . . . . . . 51
3.3.6 Equivalence of programs . . . . . . . . . . . . . . . . . 52
3.4 Algorithmic language . . . . . . . . . . . . . . . . . . . . . . . 54
3.5 Expressiveness of the AL language . . . . . . . . . . . . . . . 61

4 Algorithmic Logic 69
4.1 Axiomatization . . . . . . . . . . . . . . . . . . . . . . . . . . 69
4.2 On the completeness of algorithmic logic . . . . . . . . . . . . 78

5 Other Logics of Programs 89

5.1 Floyd’s descriptions of programs . . . . . . . . . . . . . . . . . 89

iii
iv CONTENTS

5.2 Hoare’s logic of partial correctness . . . . . . . . . . . . . . . . 95

5.3 Dijkstra’s calculus of weakest preconditions . . . . . . . . . . . 98
Preface

This book is about logic in programming. At present it is a domain call-

ing the interest of many researchers, and covered by many monographs and
papers. Therefore we had to choose among many topics. Logic is today a
tool used in many fields of computer science: in software engineering, in data
bases, in expert systems, in robotics, in the theory of parallel computations
and almost everywhere. Does exist one logic which enables formulation and
solving questions that come from such diverse fields? Obviously not. One can
find in use: classical logic (logic of first-order formulas), intuitionistic logic,
modal logics, logics based on resolution principle, temporal logic, various
logics of programs (here we find: algorithmic logics, dynamic logics, Floyd-
Hoare logic), multimodal logics, infinitary logics, logics of higher orders etc.
One can foresee the appearance and development of new logical calculi. For
example, in order to describe the phenomena of integrated circuits (abbr.
VLSI) a completely new, two-dimensional logical formalism is needed, which
will differ from the present, linear formalisms. Classical predicate logic and
the resolution method lie at the foundations of PROLOG programming lan-
guage. Various non-standard logics e.g. logic of defaults, logic of beliefs,
have to find applications in the future systems of artificial inteligence. It is
widely believed that various dialects of temporal logic are the appropriate
tools for the analysis of concurrent programs. Number of papers devoted
to Logic In Computer Science is so big that it justified the organization of
annual conferences LICS.
Our practice as programmers motivates us to think of the tools needed
in software engineering. In our opinion production of software requires a
logical apparatus proper for the process of specification, analysis and im-
plementation of software systems. It turns out, that the classical logic is
not quite appropriate for the description of phenomena which appear in the
software production. For it is from its very nature static and therefore it
does not reflects the dynamics of algorithmic processes. Hence, we decided
to present yet another logical calculus, which, in our opinion can help the
programmers in their everyday work. We offer the algorithmic logic of the

v
vi PREFACE

simplest programs and its applications in the specification of data structures

and algorithms, in analysis of semantical properties of programs and in the
definition of semantics of programming languages.
We do not assume that the reader has any specific knowledge of topics
discussed in the book. We assume only the acquaintance with the basic
facts of logic on the level of high school. A minimal practice in program-
ming and algorithmics is desirable. Well, we would like to believe, that the
present book can introduce the reader into the problems of programming,
but the acquisition of personal experience in design and running programs is
indispensable.
We do not develop neither the classical propositional calculus nor the
classical predicate calculus. Both the systems are included into algorithmic
logic. Moreover, the literature devoted to classical logics is rich and every
library has many valuable positions. We would like to recommend: the
compact monograph of Lyndon [33], the book by A.Grzegorczyk [21] and the
book of H.Rasiowa [44], which is especially recommended for those who came
to computer science without any mathematical background.
The book is addressed to the students of computer science, to program-
mers having the ambition to improve their working environment, to the de-
signers of big software systems and new programming languages. We can not
promise that after reading the book you will write better programs (more
effective, more ingenious etc.). Certainly, the reader will have better under-
standing how intellectual his work is and which tools can be used in need.
Let us hope that the knowledge of problems discussed in the book will lead
to improvement of the way of documenting your work. This would be your
substantial success, measurable in economic terms.
Beside algorithmic logic we present certain modal logic and its semantics
patterned on Kripke models. Modal logic may inspire the reader to his
own research. It found many diverse applications. In the book we present
one such application in construction of a mathematical model of concurrent
computations. The algorithmic logic itself can be viewed as a variant of
modal logic.
The material contained in the book may be helpful during various courses
in computer science departments. It may serve as a textbook for the lectures
on theory of programming. It may be an auxiliary reading to the courses on:
introduction to computer science, logic with elements of set theory for com-
puter science, methods of programming (!), algorithms and data structures,
semantics of programming languages. The book was used by us as a textbook
for the lectures on theory of programming. During a one semester course one
can present almost all material here contained. It is suggested to make more
exercises in proving properties of programs. It was remarked that students
 vii

find a lot of satisfaction of their own successful attempts to axiomatize data

structures. For those who will became interested in problems presented in
this book we would recommend the more complete monographs on logic of
programs and logic in general [3, 21, 23, 25, 29, 33, 40, 45].
viii PREFACE
Chapter 1

Introduction

1.1 Logic? What for?

The design and analysis of software systems must be based on inference
methods which are independent of experiment, of the person creating an
algorithm. The methods should, in a reliable way, enable to derive valid
properties of algorithms.
Certainly, many programmers sense the necessity to base their work on
solid theoretic foundations. Yet, before we shall try to justify our belief that
logical methods are indispensable for the majority of programmers, we would
like to remark, that we know personally a few excellent programmers and we
know they do not use any formal methods. Inconsistency, you may say, the
authors encourage us to read a completely useless book. However, the prob-
lem is not so simple, as it would like to seem at the first glance. These experts
in programming, intuitively apply the formal laws that rule the behavior of
programs, their computations. One can make, in this moment, an analogy
with the mathematics. Many outstanding mathematicians lead fruitful re-
search and obtain fascinating results, not knowing about mathematical logic
nor the subtle results of metamathematical considerations. Still, every pro-
fessional mathematician applies logical methods of inference, because they
are tightly connected with all his work. Let us remark, that the mathe-
matics develops itself since thousands of years and that it was mathematical
research which stimulated the research in logic. The computer science had
not this time. It appeared less then fifty years ago and it develops dynami-
cally, its applications are even quicker, more dynamic. This situation creates
new demands. Many researchers with serious achievements in the field of
programming (to mention just two names C.A.R.Hoare and E.Dijkstra) re-
marked the necessity of creation of logical tools proper for computer science.

1
2 CHAPTER 1. INTRODUCTION

Let us remark that the amount and the importance of software grows
steadily. On the market the transfer of software is bigger than this of hard-
ware. One can gain a lot producing quickly programs of quality. On the
other hand the price of software is high. It is caused by diverse factors. We
did not reached yet the ability to produce the software in an industrial way.
Many believes that an appropriate theory is needed. At the foundations of
technology one can find various physical and mathematical theories. For the
development of an industrial technology of software production a theory of
programming is necessary. The price which we pay for using programs with
errors in them (i.e. the bugs) is very high. Compare it with the price of a
bridge that crashed because the engineer disregarded the laws of mechanics.
The price of using wrong software is multiplied because of diversity and the
of mass scale of applications of the computer technology in a nowadays world,
and also because we are introducing the innovations in a hurry. The wish
to base the production of programs on a formalized mathematical calculus,
in order to eliminate (dangerous and costly) errors, should be in our opinion
the minimal goal.
There is a lot of discussion on the necessity of acceleration of software
production, on its automatization. We can not judge in this moment whether
the work of programmers is possible to automatize. Let us remark, however,
how little tools exists which help in the labor of programming. It is, sui
generis, a paradox that there exist many programs which help in the work of
designers of machines or electronic circuits, architects, physicians, composers,
creators of almost all professions, and there are not tools addressed to the
profession of programmer.
The quick design and testing of effective algorithms does not cover the
whole problem. It is not the solitary work of an ingenious programmer which
decides about the results. The work on software is more and more the collec-
tive, or social, work. Apart of the author(s) of a program, and obviously of
computer, we meet the users, the people maintaining the software et al. The
process of using software requires a language to communicate. This language
is not a programming language, nor an ethnic language of a certain human
group. The production of software leads to creation of texts. Texts have
to meet certain requirements (specifications). Hence we have a problem in
which at least three elements can be distinguished.
Fig.1.1
This are the arguments, their strength, correctness and quality, which
decide whether programmer will convince user or commissioner that his pro-
gram meets the requirements. The language in which the process of software
production takes place must assure the possibility of formulating the re-
quirements a program is to meet, the possibility of writing programs and the
1.1. LOGIC? WHAT FOR? 3

Fig1_1.pdf
0.416000in3.143600in

Figure 1.1: Algorithm & Specification

possibility of formulating the arguments as well as the results of analysis.

REMARK

Remark 1.1.1 We are not going to force the people involved in the process of
software use and production, to formalize all their work. We are appealing to
the imagination of the reader. The work on software should be formalizable.
(Very much like mathematics: the papers published by mathematicians are
not formal proofs they are communiques about the possible formalization of
proofs). On the other hand we would like to make a remark on the more
and more distributed computer systems which help lawyers in their work. If
the work of lawyers can be supported by the formalized systems (for every
computer system is formal), why the programmers can not profit from the
tools they are working with?

Our beliefs, listed below, are in connection with the above considerations:
- Before passing an algorithm or a programming system to the user(s) one
should make an analysis concerning the quality of the software product of-
fered. To neglect it, is hazardous in economic aspects and sometimes it can
be hazardous to a humans life.
- How to solve this dilemma? To convince the buyer of our products
that the program has been constructed in accordance to the state of art
and the present state of knowledge. It is obviously a program minimum.
Our proposal goes beyond this minimum and offers the possibility of deeper
analysis of software,(c.f.chapter 5).
- An algorithm is only an expression, it is the interpretation of signs which
appear in it that decides about the meaning of the expression, (c.f.3.2.4)
- The interpretation can be precisely characterized assuming certain ax-
ioms (cf. chapter 5)
- An analysis of programs can be done on a formal base, proofs of seman-
tical properties of programs can be given (cf. chapter 4)
What are the questions which appear during the work on software? We
think that the problems encountered can be classified into one of the three
groups:
(1) Is the problem solvable at all? It is an economical nonsense to spend
money on squaring the circle, construction of perpetuum mobile. Frequently
4 CHAPTER 1. INTRODUCTION

we heard the promises of that type, e.g. when a company promised to sell a
program which was going to answer whether any other program given as a
data is correct or not. In other words: avoid inconsistent specifications.
(2) Is the program we constructed or obtained (bought, stolen...) com-
puting the correct solution of the problem. Again an answer to a question of
that kind has economic consequences. In other words: should we pay? is it
worth its price?
(3) Is the given program the best solution to the problem? In other words
shall we pay again for a better product?
It was pointed several times that the answer to the questions (2) and (3)
can be obtained only by proving. A proof is also required for a negative
answer to the question (1). It is obvious that in the case (1) an appropriate
construction i.e. an appropriate experiment, is of importance. Neither the-
oretical considerations nor experiments can pretend to be the one and only
one method of work on software. The role of experiment is caused by the
fact that our programs are to work, are to be applied in someone’s job. The
importance of theory follows from the mass application of software and from
the fact that no one experiment can decide that the program in question is
error-free, and will work in a reliable manner in all possible situations. An
experiment can help in detection of an error, but it can never be used as
an argument that a program is correct. Coming back to our example with
the construction of a bridge, we think that in a similar way one should do
with programs: during the design and construction one should use all the
accessible theoretical knowledge and prove that it has specified properties,
and later one should experiment with it. For it is the experiment which can
help us to learn the complexity of algorithm, e.g. to estimate the coefficients
of a polynomial describing the time needed to compute the solution (if it is
a polynomial).

1.2 Which logic?

The expressions which appear during the analysis of programs can not be
limited to first-order formulas only. They require special tools to express the
properties of programs.
There exist deductive systems appropriate for conducting considerations
about semantical properties of programs: logics of programs. Here we shall
propagate the algorithmic logic, created and developed in Poland since 1968.
The reason for doing this is simple, it is better studied and has more appli-
cations than others, younger theories.
The deductive system of algorithmic logic can be used in specification of
1.2. WHICH LOGIC? 5

data structures and modules of programs that correspond to them. This ap-
plication of algorithmic logic seems more important than proving properties
of algorithms.
Algorithmic logic, its axioms and inference rules are helpful in defining
the semantics of a programming language.
We claim that for work with programs the tools offered by the first-order
logic are not satisfactory. First-order logic is not able to express properties
of programs. It turns out that certain properties of algorithms are equiva-
lent to mathematical properties known to be expressible in the language of
first-order logic. The list of these properties is long and one can find in it the
properties basic for mathematics, e.g. “to be a natural number“, “to be an
archimedean ring“ etc. In the sequel we present these properties and show
that they are in fact algorithmic properties. Mathematical logic developed
many non-classical variants, e.g. infinitary logic which admits enumerable
disjunctions, logics of higher orders etc. These logics are strong enough to
express all the properties not expressible in first-order logic. The majority of
interesting properties of programs can be studied in these logics. For exam-
ple, the property “program while g do K od has no infinite computations“
can be expressed as an infinite disjunction of formulas, each formula (they
increase their length!) saying the computation will have n iterations of the
instruction K. Similarly, one expresses this property of programs using quan-
tifiers that operate on finite sets (it is the weak second order logic). It seems
to us that the application of such formalisms is not especially attractive to
programmers. For it would imply the necessity of, first, translation of soft-
ware problems into the language say, second-order logic, next, to conduct the
analysis of problem, and finally, to translate the results back to the program-
mer’s language. Even if all the steps of the described procedure were fully
mechanizable it would be something unnatural, artificial for a programmer.
Therefore we propose algorithmic logic. The algorithmic logic plays for com-
puter science the role which the mathematical logic plays for mathematics.
The expressions of algorithmic logic are constructed from programs and
the logical formulas. There is no need to use infinitary disjunctions nor the
second-order quantifiers. The formulas of algorithmic logic have the power
to express all semantical properties of importance in programmer’s practice.
Algorithmic logic AL supplies the tools needed to perform deductive rea-
sonings. This makes possible to analyze properties of programs, a priori,
before a computational experiment.
The present authors think that the importance of proposed tools lies more
in the area of documentation (specification), of discourse between program-
mer and the user or commissioner of software than in the area of proving
programs. In chapter 5 we give a detailed example of such an application
6 CHAPTER 1. INTRODUCTION

of algorithmic logic. We show that in the phase of design of a program one

can distinguish modules. That the goals the modules are to achieve, can be
described axiomatically. That the analysis of such axiomatic theories has in
many cases a positive impact for the process of programming. The statement
says simply, one can build algorithmic theories of data structures. We are
also pointing to the connection between the notion of interpretation of one
algorithmic theory in another theory with the notion of implementation of
corresponding data structures.
We have heard the critical voices that algorithmic logic is not for men, for
it contains the rules with infinitely many premises? How to respond? First,
let us ask the critic: is it possible to construct any deductive system which
will describe the behavior of programs, and will be complete and finitary?
The answer is, no. Secondly, after closer examination most of proposed
finitary systems turns out to be infinitary (c.f. discussion in 8.3). Thirdly,
certain researchers say we shall avoid the rules with infinitely many premises
taking as axioms all formulas valid in a given data structure (or in a given
class of data structures). Well, formally everything is o.k. One can play with
definitions at his discretion. But let us ask what we gain? What we loose?
It seems that in this trade we loose something. Do we have any method
of recognizing which formulas of first-order logic are valid in a given data
structure? It is the goal of mathematicians to increase our knowledge, to
add new facts to the thesaurus of already known theorems. And it seems
that this work will have no end at all. Stated in other words the set of
all formulas of first order arithmetic valid in the standard model of natural
numbers is hyperarithmetical.
We think that one should find the arguments for validity of formulas. It
is not worthwhile to assume all valid formulas as axioms. One could add the
remark that the set of valid formulas asserting correctness of programs w.r.t.
quantifier-free formulas lies much lower in the Kleene-Mostowski hierarchy
of undecidable sets.
Let us try to express our doubts in another way. Various abstract data
types are studied on the base of algebraic (mostly equational, sometimes
first-order logic) theories. Certain sets of equations are assumed as axioms
to define the structures. Then it turns out that axioms are not enough to
define precisely the class of data structures we had in mind. This fact holds
for the most of data structures of interest in computer science and is well
known from the studies on the classical predicate calculi. There is no finite
set of first-order formulas which would constitute a precise enough axioma-
tization of the structure of natural numbers. Similar statements hold for the
other data structures important in computer science. In this situation we
should search such tools which enable to reach both goals: a definability (i.e.
1.2. WHICH LOGIC? 7

axiomatization) of data structures and an ability to analyze computations in

the structures. Proposal of algorithmic logic unifies work in both directions
in a harmonious way. Many other proposals seem to miss the most important
goal which is the analysis of programs with the possibly simplest tools used
in it.
It could happen that a reader expected from us a book on mathemati-
cal logic in its classical shape. In such case we can advise quite numerous
literature [44,33,41,21], see also the short introduction in chapter 2.
To the following two arguments justifying our choice:

1. (a) Proofs in classical logic are also proofs in algorithmic logic.

(b) The language of first-order logic has too little expressive power to
be used in work with programs and their semantical properties.

2. we would like to add one more remark:

(a) The metatheory of algorithmic logic differs essentially from the

metatheory of classical logic. This sentence is true both with re-
spect to the model theory ( logics of programs do not enjoy the
popular properties like: the “upward“ Skolem-Lövenheim theo-
rem, Loś’ theorem on ultraproduct et.al. cf.[44]) as to the the-
ory of proof (properties like Craig’s interpolation theorem, Beth’s
theorem on elimination of definitions, theorem of Robinson etc
cf.[33]).

We would like to stress the similarities among various logics of programs.

This, what is common to all logics of programs, is more or less universal
ability to express semantical properties of programs by formulas of the corre-
sponding language and deductive tools which enable to trade the process of
semantical verification of program properties for the process of proving the
formulas expressing these properties. Obviously, there are also differences.
In the volume presented to the reader we deal with many questions which
arise in a natural way. We begin with discussion of certain simple program-
ming language, or more precisely from a class of languages. Each language
will be conceived as a pair consisting of an alphabet and of a set of well
formed expressions. The alphabet contains subsets of signs: variables, func-
tors, predicates, signs of logical operations, signs of program operations,
quantifiers and auxiliary signs. In the set of well formed expressions we
distinguish three subsets: set of terms, set of formulas, set of programs. By
analyzing the examples we shall see that program is an expression without
a determined meaning, its meaning does not follow just from its syntactical
8 CHAPTER 1. INTRODUCTION

structure. One program can have many different meanings depending of the
interpretation which is associated to the signs occurring in the program. If
an interpretation is fixed we can talk of a data structure in which program
computes. The remark that one program can be interpreted in various data
structures is important not only to those who wish to learn about the na-
ture of things. It has also practical aspect. It enables, namely, to use one
algorithm in various contexts to achieve quite different goals. In this way
we make a liaison to the advanced methodology of programming, to abstract
data types, to object-oriented programming etc.
How to describe the meaning of a program? We are convinced that the
majority of us connects its own intuitions with the concept of a computational
process. Here we use a definition of computation determined by a program,
a data structure (i.e. an appropriate algebraic system) and a valuation of
variables. Valuation of variables is a formal counterpart of the notion of a
memory state. Data structure is a formal counterpart of an ALU arithmetic-
logical unit of computer. This notion is more general, more abstract and
therefore we can analyze the behavior of programs written in modern pro-
gramming languages as well as assembler programs. A computation can be
finite of infinite, successful or not i.e. aborted, correct or not. These or
others semantical properties can be enjoyed by computations. The seman-
tical properties are of most interest to a user of a program. We mentioned
already that reducing the analysis of algorithms to the experiments only is
erroneous from the methodological point of view. Experiments, often called
debugging, can help to detect certain facts. They can not be the evidence
for a conclusion of the type: “all computations of a program will be correct“.
How to solve the dilemma? We propose to express semantical properties of
programs by formulas. Then by studying the validity of formulas we will
be able to analyze semantics. We shall say that a semantical property SP
is expressible by a formula a, if the formula is valid if and only if when the
semantical property SP takes place. In the sequel we shall construct a lan-
guage in which one can find programs and formulas expressing semantical
properties of programs. In a natural way we shall come to the next problem
of finding a deductive system which enable to prove validity of formulas. The
logical calculus we are going to build, will be determined by two sets: set of
axioms and set of inference rules. The sets must be chosen in the way which
guarantees the consistency. That is, no a false statement can be proved in
the system. Moreover, for every valid formula should exists a proof. This will
allow us to replace the job of analysis of semantical properties of programs by
a job of analyzing whether a formula is true or not, which in turn is replaced
by a job of proving formulas.
The constructed calculus finds diverse applications: in the analysis of
1.2. WHICH LOGIC? 9

program’s properties, in specification of software that is to be prepared, in

eduction of programmers etc. It turned out that algorithmic formulas ade-
quately describe initial and terminal conditions of programs. Therefore they
can form an appendix to agreements on construction of software. The formu-
las can be also used in specifications of software systems as well. It turned
out that the language is suitable in construction of theories of data struc-
tures. It is possible to develop programming systems together with their
specifications. The specifications will have the form of systems of axioms
that describe the modules of a designed software. Then the implementation
of a system can be viewed as a problem of finding a model for a theory. On
the other hand the axioms can be used as a criterion of correctness of an
implementation.
The book could not cover many topics, even if they seem important. Our
choice was following our private taste. We were preferring the questions
important to the programmers practice. First part of the book contains
general informations, basic notions of universal algebra and logic (chapter
2), presentation of algorithmic logic (chapters 3 and 4), applications of the
logic (chapters 4 and 5). Also chapter 8 should be included into this part.
The second part of the book is, sui generis, invitation to research. We would
be happy to hear of more applications of axioms of procedures which are
presented in chapter 6. In chapter 7 we present mathematical models of
concurrent computations. We are not satisfied with the axiomatic systems
describing these models.
Outside the scope of the book remains extremely interesting and im-
portant problem of axiomatic definition of modern programming tools like:
classes, coroutines, inheritance, exception handling etc. Nevertheless, we
hope that the future research will bring an answer to the question whether
it is possible to build programming systems helping to produce software. We
offer algorithmic logic as an element of this future construction.
10 CHAPTER 1. INTRODUCTION
Chapter 2

Data structures

The meaning of programs, their computations, depends on the data struc-

ture on which the program is evaluated. The properties of functions and
of relations within the data structure determine the properties of programs.
The same program realized on two different structures may behave differently
(e.g. when computed in 16- or 32-bit arithmetic). On the other hand, two
different programs may behave similarly due to the properties of the data
structure on which the computations are performed (e.g. if an operation is
commutative, and the programs differs only by the order of arguments).
In this book we present an opinion, that data structures are just algebraic
structures, stressing in this way their abstract character and their algebraic
and algorithmic properties. For programmers the notion of data structure is
usually associated with the practical representation of data in the computer
rather than with the abstract operations and the algebraic properties. In the
sequel we will show that both approaches can be smoothly combined.

2.1 On algebraic structures

Let X1 , X2 , ..., Xn be nonempty sets and let X1 × X2 × ... × Xn denote the
n-argument cartesian product
X1 × X2 × ... × Xn = {(x1 , ..., xn ) : xi ∈ Xi for 1 ≤ i ≤ n }.

Definition 2.1.1 A subset of the cartesian product X1 × X2 × ... × Xn will

be called an n-argument relation (two-argument relations are called binary
relations).
Let Y be a nonempty set, let f be a subset of X1 × X2 × ... × Xn × Y
such that for any xi ∈ Xi 1 ≤ i ≤ n, y, y ′ ∈ Y , (x1 , ..., xn , y) ∈ f and
x1 , ..., xn , y′) ∈ f implies y = y ′ , then f will be called an n-argument partial
function, written usually as f : X1 × X2 × ... × Xn −→ Y

11
12 CHAPTER 2. DATA STRUCTURES

When f is a partial function and (x1 , ..., xn , y) ∈ f , then we write, following

the standard notation, y = f (x1 , ..., xn ).
The set Dom(f ) is called the domain or the set of arguments of the function
f , i.e.
Dom(f ) = {(x1 , ..., xn ) ∈ X1 × X2 × ... × Xn : (∃y ∈ Y ) (x1 , ..., xn , y) ∈ f }.
The set Rg(f ) is called the codomain or the set of values of the function f
Rg(f ) = {y ∈ X : (∃ x ∈ X1 × X2 × ... × Xn ) f (x) = y }.
If Dom(f ) = X1 ×X2 ×...×Xn , then we shall say that f is a total function or
simply a function. Functions and partial functions will be called operations.
n is the arity of the function f .

Obviously each n-argument operation is an n+1-argument relation. Con-

versely, each n-argument relation r determines certain total function fr ,
called the characteristic function of the relation r, and defined as follows
n
fr (x1 , ..., xn ) = {.1 if (x1 , ..., xn ) ∈ r0 if (x1 , ..., xn ) ∈
/r

Definition 2.1.2 By an algebraic structure of type < n1 , ..., nk ; m1 , ..., ml >

we shall mean any system of the form
A = < A, f1 , ..., fk ; r1 , ..., rl >
such that
- A is a nonempty set,
- for each 1 ≤ i ≤ k, fi is an ni -argument operation on the set A,
- for each 1 ≤ j ≤ l, rj is an mj-argument relation on the set A.
The set A is called the universe of the algebraic structure A. The sequence
of natural numbers < n1 , ..., nk ; m1 , ..., ml > is the type of the system A. An
algebraic structure without relations is called an algebra.

Example 2.1.3 The simplest example of an algebraic structure is a graph.

This is the system of the form < V, E > where the set V is the set of vertices,
and the relation E is the set of edges. Figure 2.1 shows a simple graph, whose
set of vertices is {1,2,3,4,5,6}, and whose set of edges is {(1,2), (1,3), (1,4),
(1,1), (4,5), (4,6)}.

Example 2.1.4 The two-element Boolean algebra B0 is the algebraic struc-

ture of the form
< B0 , ∪, ∩, −, 1, 0 > of type < 2, 2, 1, 0, 0 > such that B0 = {1, 0} and the
operations ∪, ∩,- are defined for arbitrary a, b ∈ B0 as follows
a ∪ b = 1 iff a = 1 or b = 1
a ∩ b = 1 iff a = 1 and b = 1
2.1. ON ALGEBRAIC STRUCTURES 13

− a = 1 iff a = 0.
Elements of the set B0 are usually interpreted as the values truth (1) and
false (0). The operations ∪, ∩, − are known, respectively, as disjunction,
conjunction and negation.

Example 2.1.5 Let suc denote the successor function on the set of natural
numbers N . Let 0 be a constant, i.e. a zero-argument operation on N and
= the equality relation on N .The system N =< N, suc, 0; = > is the well
known algebraic structure of type < 1, 0; 2 >. We call this structure the
standard structure of arithmetic of natural numbers.

Definition 2.1.6 Two algebraic structures A and B will be called similar iff
their types are the same, i.e. structures
A =< A, f1 , ..., fk ; r1 , ..., rl > and B =< B, f1′ , ..., fs′ ; r1′ , ..., rt′ >
are similar if and only if
(a) k = s, l = t,
(b) fi′ is an ni -argument operation on B iff fi is an ni -argument operation
on A, for each 1 ≤ i ≤ k , and
(c) rj′ is an mj -argument relation in B iff rj is an mj -argument relation on
A , for each 1 ≤ j ≤ l.
If algebraic structures A and B, defined as above, are similar, then fi and fi′ ,
for 1 ≤ i ≤ k, are corresponding operations, and rj and rj′ , for 1 ≤ j ≤ l,
are corresponding relations in A and in B, respectively .

Example 2.1.7 Let A =< A∗ , ◦ ; ≺ > be an algebraic structure such that A∗

is the set
S of all words over the alphabet A including the empty word ε
∗
A = An
n∈N
◦
is the two-argument operation of concatenation (i.e. if w1 , w2 ∈ A∗ , then
the word w1 w2 , which is obtained by writing the word w2 after w1 , is the
result of applying operation ◦ to the words w1 and w2 ),
≺ is the binary relation such that w1 ≺ w2 iff w2 = w1 w3 for some w3 ∈ A∗ .
The system A =< A∗ , ◦ ; ≺ > is similar to the system < R, +; ≤>, where
14 CHAPTER 2. DATA STRUCTURES

R denotes the set of real numbers, + is addition on R, and ≤ is the or-

dering relation on R, since both systems are of type < 2; 2 >. The system
A =< A∗, ◦ ; ≺ > is similar neither to the system < R, +, ∗; ≤> nor to
the system < R,−1 ; =>, where * denotes multiplication and −1 is the one-
argument reciprocal operation.

Let h be a function such that Dom(h) = A and Rg(h) ⊆ B, then we

shall say that h is a mapping of the set A into the set B, and denote it by
h : A −→ B. If for any elements a, b ∈ A, a̸=b implies h(a) ̸= h(b), then h
is called a one-to-one function. If each element of the set B is a value of h,
i.e. Rg(h) = B, then h is a mapping onto the set B.

Definition 2.1.8 Let A and B be similar algebraic structures

A = < A, f1,..., fk; r1,...,rl > , B = < B, g1,...,gk; s1,...,sl > .
Any function h : A −→ B such that the following three properties hold is
called a homomorphism from A into B :
(1) for each ni -argument operation fi on A and for all a1 , ..., ani ∈ A,
if (a1 , ..., ani ) ∈ Dom(fi ), then (h(a1 ), ..., h(ani )) ∈ Dom(gi ),
(2) if (a1 , ..., ani ) ∈ Dom(fi ), then h(fi (a1 , ..., ani )) = gi (h(a1 ), ..., h(ani )),
(3) for each mj -argument relation rj on A and for all a1 , ..., amj ∈ A,
if (a1 , ..., amj ) ∈ rj , then (h(a1 ), ..., h(amj )) ∈ sj .

Example 2.1.9 Let us consider the algebraic structure < A∗, ◦ ; ≺ > (cf.
example 2.1.4 ) and the system < N, +; ≤ > with the natural interpretation
of + and ≤. The function h : A∗ −→ N such that such that h(ε) = 0 , where
ε denotes the empty word,
h(x) = 1 for x ∈ A
h(w◦ x) = h(w) + h(x) for any w ∈ A∗ and x ∈ A
is a homomorphism which maps A∗ into N .
Conditions (1) and (2) of the definition 2.1.4 are satisfied in the obvious way.
For the proof of property (3) let us take any w1 , w2 ∈ A∗ . We then have
w1 ≺ w2 =⇒ (∃w3 )w2 = w1 ◦ w3 =⇒ (∃w3 )h(w2 ) = h(w1 ) + h(w3 ) =⇒
h(w1 ) ≤ h(w2 )
which ends the proof.

Definition 2.1.10 If h is a homomorphism from A onto B and h is one-to-

one function such that
(1) for any elements a1 , ..., ani of the structure A and for each ni -argument
function fi in A,
(a1 , ..., ani ) ∈ Dom(fi ) iff (h(a1 ), ..., h(ani )) ∈ Dom(gi ) and
(2) for any elements a1 , ..., amj of the structure A and for each mj -argument
2.1. ON ALGEBRAIC STRUCTURES 15

relation rj in A,
(a1 , ..., amj ) ∈ rj iff (h(a1 ), ..., h(amj )) ∈ sj ,
then h is called isomorphism.
If there exists an isomorphism from A onto the structure B, then A and B
are called isomorphic structures, abbreviated to A ≊ B.

Example 2.1.11 Let +m be addition modulo m in the subset of the set of

natural numbers Zm = {0, 1, ..., m − 1}. Consider the algebraic structure of
remainders modulo m,
Zm =< {0, 1, ..., m − 1}, +m >,
and also the algebraic structure A of 0-1 sequences of length n + 1 with the
two-argument operation + , < {0, 1}n+1 , + >, where + is defined as follows
: given sequences a = {a0 , ..., an } and b = {b0 , ..., bn }, the result of the oper-
ation + on arguments a and b is the sequence {c0 , ..., cn } such that for j ≤ n
cj = (aj + bj + pj−1 ) mod 2, where the sequence of remainders (pj ) 1 ≤ j ≤ n
is defined by p−1 = 0 and for j ≥ 0

1 if (aj + bj + pj − 1) ≥ 2
pj =
0 otherwise

Let m = 2n+1 and let h be the function

P i which maps the set n+1 {0, 1} n+1 into
the set Zm and such that h(f ) = 2 ∗ f (i) for f ∈ {0, 1} . Obviously,
0≤i≤n
n+1
Panyi f ∈ {0, 1}n+1 the following inequality holds
for
2 ∗ f (i) < 2 i.e. h(f ) ∈ Zm . Thus h is a mapping into the set Zm .
0≤i≤n
Moreover, for every number k ∈ Zm there exists a uniquely defined sequence
f ∈ Zm such that h(f ) = k. In fact, it is enough to take f (i) = (k div 2i )
mod 2 where div denotes the operation of integer division. h is a one-to-
one function, since, for different sequences f, g, if i is the greatest natural
number such that f (i) ̸= g(i), then for f (i) = 1 and g(i) = 0, we have
P j ˙
h(f ) − h(g) = 2i +
P j
2 f (j) − 2 g(j ) > 0.
j<i j<i

zle nie powinnam uzywac odejmowania!!!!!!!!!!!!!!!!!!!!!!

Moreover, if f + g = (c0 , ..., cn ) , then
X X
h(f + g) = 2i ∗ ci = 2i (ai + bi + pi−1 )mod2 =
i≤n i≤n

X
2i (ai + bi + pi−1 − 2(ai + bi + pi−1 ))div2 =
i≤n
16 CHAPTER 2. DATA STRUCTURES
X X X
2i ai + 2i bi + 2i ∗ (pi−1 − 2 ∗ (ai + bi + pi−1 )div2)
i≤n i≤n i≤n

Notice that for each 0 ≤ i ≤ n, pi − (ai + bi + pi − 1) div 2 = 0 and

2i ai + 2i bi ) ≥ m
( P P
1 if (
(an + bn + pn − 1)div2 = i≤n i≤n
0 otherwise

Finally,

h(f + g) = h(f ) + h(g) − 2n+1 (an + bn + pn−1 )div2 = h(f ) + h(g).

Thus h is an isomorphism which maps the system A onto Zm

Definition 2.1.12 By a congruence on an algebraic structure A we mean

an equivalence relation ∼ on A such that
(1)for each ni -argument operation fi in A and for all elements a1 , ..., ani , a′1 , ..., a′ni
∈ A, if aj ∼ a′j for 1 ≤ j ≤ ni , then (a1 , ..., ani ) ∈ Dom(fi ) iff (a′1 ..., a′ni ) ∈
Dom(fi ) and for (a1 , ..., ani ) ∈ Dom(fi ) fi (a1 , ..., ani ) ∼ fi (a′1 , ..., a′ni ),
(2) for each mj -argument relation rj and for all elements a1 , ..., amj , a′1 , ..., a′mj ∈
A, if ai ∼ a′i for 1 ≤ i ≤ mj , then (a1 , ..., amj ) ∈ rj iff (a′1 , ..., a′mj ) ∈ rj′ .

Example 2.1.13 Consider the algebraic structure < N, +, ∗, 0 > and for
some fixed number k a binary relation ≈k on N such that
m ≈k n iff m mod k = n mod k, for all n, m ∈ N .
The relation ≈k is reflexive, symmetric, transitive and therefore is an equiv-
alence relation on the set N . The very simple verification of this fact is left
to the reader. The relation ≈k is a congruence on the system < N, +, ∗, 0 >.
Let us briefly check this. Suppose that m1 ≈k n1 and m2 ≈k n2 , then there
are natural numbers i1 , i2 , j1 , j2 , r1 , r2 , such that
m1 = i1 ∗ k + r1 m2 = i2 ∗ k + r2 ,
n1 = j1 ∗ k + r1 n2 = j2 ∗ k + r2 .
Thus m1 + m2 = (i1 + i2 ) ∗ k + r1 + r2 ,
n1 + n2 = (j1 + j2 ) ∗ k + r1 + r2 .
The last two equations imply that (m1 + m2 ) mod k = (n1 + n2 ) mod k.
Analogously, for multiplication *,
m1 ∗ m2 = (i1 ∗ i2 ) ∗ k + (r1 ∗ i2 + r2 ∗ i1 ) ∗ k + r1 ∗ r2 ,
n1 ∗ n2 = (j1 ∗ j2 ) ∗ k + (r1 ∗ j2 + r2 ∗ j1 ) ∗ k + r1 ∗ r2 .
Dividing m1 ∗ m2 by k we obtain the same remainder as dividing r1 ∗ r2 by
k, which is equal, according to the above remarks, to the remainder obtained
from dividing n1 ∗ n2 by k. Hence (m1 ∗ m2 ) mod k = (n1 ∗ n2 ) mod k.
2.1. ON ALGEBRAIC STRUCTURES 17

Example 2.1.14 Consider the system < A∗, ◦ ; ≺ > and the homomorphism
h : A −→ N defined as in example 2.1.5. Let ≈be the equivalence relation
defined as follows: for any u, w ∈ A∗ , ,u≈w iff h(u) = h(w) .For u≈u′ and
w≈w′ we have h(u◦ w) = h(u) + h(w) = h(u′ ) + h(w′ ) = h(u′◦ w′ ) , hence
u◦ w≈u′◦ w′ . Nevertheless, ≈ is not a congruence relation when A contains
more then one element. Indeed, if x, y are different elements of A, then
although x≈x,xx≈yy and x ≺ xx, it is not the case that x ≺ yy.

Definition 2.1.15 Let A be an algebraic structure

A =< A, f1 , ..., fk ; r1 , ..., rl >
of type < n1 , ..., nk ; m1 , ..., ml > and let ≈ be a congruence on A. The system
A/ ≈ =< A/ ∼, f1′ , ..., fk′ ; r1′ , ..., rl′ >
is called a quotient structure, if
(1) A/ ≈ is the set of equivalence classes of the relation ≈, i.e.
A/ ≈= {[a] : a ∈ A}, where [a] = {b ∈ A : a ≈ b},
(2) fi′ is ni -argument operation on A/ ≈such that for all a1 , ..., ani ∈ A,
([a1 ], ..., [ani ]) ∈ Dom(fi′ ) iff (a1 , ..., ani ) ∈ Dom(fi )
and for all ([a1 ], ..., [ani ]) ∈ Dom(fi′ ),
fi′ ([a1 ], ..., [ani ]) = [fi (a1 , ..., ani )]
(3) rj is mj -argument relation on A/ ≈ such that for all a1 , ..., amj ∈ A,
([a1 ], ..., [amj ]) ∈ rj′ iff (a1 , ..., amj ) ∈ rj .

Example 2.1.16 Let us consider a congruence ∼m from the example 2.1.7.

The quotient structure < N/ ∼m , ⊗ > is isomorphic to the structure Zm
defined in the example 2.1.6. The only operation ⊗ of the system is defined
according to the following definition: for all a, b ∈ N
[a] ⊗ [b] = [a + b].
Putting h([a]) = a mod m, we define a one-to-one function h from N/ ≈ m
onto Zm , which is an isomorphism between the two systems.

In the sequel, when the names of relations and functions are not important
we shall write, for short A =< A, ΩF ; ΩR >, to denote algebraic structure
with a sequence of functions WF and a sequence of relations ΩR in A.
Most of applications deal with algebraic structures which are many-sorted
structures. A structure is many-sorted if its universe is the union of disjoint
subsets called sorts. Different arguments of a function or of a relation in such
a system may belong to different sorts. As an example, consider the vector-
space, in which we have two kinds of sets: Vectors and Scalars (components
of vectors). The operation of scalar multiplication is then defined on the
cartesian product V ectors × Scalars
When specifying functions in a many-sorted structure with elements of
different sorts, we must declare not only the arity of an operation but also
18 CHAPTER 2. DATA STRUCTURES

the sorts of its arguments. This will be called the type of the operation (or
relation). In our example the type of scalar multiplication is (V ectors ×
Scalars −→ V ectors).

Definition 2.1.17 Let A be a set such that, for some number t,

A = A1 ∪...∪At and Ai ∩Aj = ∅ for i ̸= j, 1 ≤ i, j ≤ t.
Let type (ΩF ) denote the sequence of types of the functions in ΩF and let
type(ΩR ) denote the types of the relations in ΩR .
A system A =< A, ΩF ; ΩR > is called a many-sorted algebraic structure of
type < t, type(ΩF ), type(ΩR ) >, or a t-sorted structure, iff
(1) for each operation f ∈ ΩF of type (i1 × ... × in −→ in+1 )
Dom(f ) ⊆ Ai1 × ... × Ain and Rg(f ) ⊆ Ain+1 ,
(2) for each relation r ∈ ΩR of type (j1 × ... × jm ), r ⊆ (Aj1 × ... × Ajm ).

Examples of many-sorted structures will be presented in the next section.

For the moment, we note simply that every many-sorted structure is an al-
gebraic structure in the sence of definition 2.1.2. If f is an operation of type
(i1 × ... × in −→ i(n + 1)) in some many-sorted system,then writting for all
x1 , ..., xn
n
f (x1 , ..., xn ) = {.f (x1 , ..., xn ) for (x1 , ..., xn ) ∈ Dom(f )undefined
defines an n-argument partial function f .
Let A =< A, ΩF ; ΩR > and B =< B, Ω′F ; Ω′R > be two many-sorted
structures with sorts A1 , ..., At and B1 , ..., Bt′ , respectively.

Definition 2.1.18 We shall call two many-sorted structures A, B similar if

(1) A, B are similar algebraic structure in the sense of definition 2.1.3,
(2) t = t′ and
(3) for each function f ∈ ΩF (relation r ∈ ΩR ) the corresponding function
in B (corresponding relation in B) have the same type.

The notions of homomorphism and isomorphism of many-sorted systems

are almost identical to the corresponding notions for algebraic systems. The
minor changes required are a consequence of the partition of the universe
into different sorts.

Definition 2.1.19 A mapping h which maps a t-sorted system A into (onto)

a similar system B is called a homomorphism (isomorphism), if h is a ho-
momorphism (isomorphism) from the algebraic structure A into (onto) the
algebraic structure B (cf. Definition 2.1.4) and, moreover, for each i ≤ t,
h(Ai ) ⊆ Bi .
2.1. ON ALGEBRAIC STRUCTURES 19

Lemma 2.1.20 For any three similar many-sorted systems A, B, C, if h1 is

a homomorphism from A into B and h2 a homomorphism from B into C, then
the function h such that h(a) = h2 (h1 (a)) for all a ∈ A (the composition of
functions h1 and h2 ) is a homomorphism from the system A into the system
C.

The important notion of congruence is defined in a slightly more compli-

cated way. We have to ensure that elements of different sorts are not in the
same equivalence class.

Definition 2.1.21 By a congruence in the many-sorted structure A we shall

mean an equivalence relation ≈in A which satisfies the conditions of defini-
tion 2.1.6 and such that, for all a ∈ A, if a ∈ Ai , then [a] ⊆ Ai .

Let A be a many-sorted structure. Let us assume that its sorts are

A1 , ... , At . Let ≈ be a congruence in A. Let Bi denote the set Ai / ≈.
From the definition of congruence we have Bi ∩ Bj = ∅ for any j̸= i. Let f be
an arbitrarly chosen n-argument operation in A of type (i1 × ... in −→ in+1 ).
We shall define the corresponding function f ∗ in B = B1 ∪ ... ∪Bt as follows
Dom(f ∗ ) = {([a1 ], ..., [an ]) : (a1 , ..., an ) ∈ Dom(f )} and for ([a1 ], ..., [an ]) ∈
Dom(f ∗ ), f ∗ ([a1 ], ..., [an ]) = [f (a1 , ..., an )].
For each i ≤ t and for each a ∈ Ai , we have [a] ∈ Bi , since [a] ⊆ Ai Hence,
∗
f ⊆ Bi1 × ... × Bin × Bin+1 and, in consequence, the type of the function f ∗
is the same as the type of the function f .
Similarly, for each relation r of type (j1 × ... × jn ) in A we define the
relation r∗ as follows: for any (a1 , ..., an ) ∈ Aj1 × ... × Ajn ,
([a1 ], ..., [an ]) ∈ r∗ iff (a1 , ..., an ) ∈ r .
It follows, that r∗ ⊆ Bj1 × ... × Bjn , and that r∗ has the same type as r.
Let us denote by Ω∗F the set of all functions f ∗ corresponding to functions
f ∈ ΩF and by Ω∗R the set of all relations r* corresponding to relations r∈ ΩR
.

Definition 2.1.22 The system A/ ∼=< B, Ω∗F ; Ω∗R >, where B = B1 ∪...∪Bt ,
is called a many-sorted quotient structure.

It is obvious that, by the definition, systems A/∼and A are similar. More-

over, the following useful property holds.

Lemma 2.1.23 Let A and A/ ∼ be many-sorted algebraic structures defined

as above.The function
h : A −→ A/ ∼ such that h(a) = [a] for all a ∈ A,
is a homomorphism from A onto A/ ∼.
20 CHAPTER 2. DATA STRUCTURES

The mapping h is a total function from A onto A/ ∼ (It is not a one-to-

one function, however, since for all b ∈ [a], we have h(b) = [a] ). Consider
any operation f of the system A.
Let (i1 × ... × in =⇒ in+1 ) be the type of f and let (a1 , ..., an ) ∈ Dom(f ).
Then, by the definition of a quotient structure, we have ([a1 ], ..., [an ]) ∈
Dom(f ∗ ) and

h(f (a1 , ..., an )) = f ∗ (h(a1 ), ... , h(an )) = f ∗ ([a1 ], ..., [an ]) = [f (a1 , ..., an )]

Consider finally, any relation r of type (i1 × ... × in ) in A. Suppose that

(a1 , ..., an ) ∈ r. Then ([a1 ], ..., [an ]) ∈ r∗ , by the definition of a quotient
system, and therefore (h(a1 ), ... , h(an )) ∈ r∗ . It follows that h is a ho-
momorphism. We shall call it the natural homomorphism induced by the
congruence ∼.

Remark 2.1.24 Each many-sorted system A =< A, ΩF ; ΩR > with t sorts

A1 , ..., At can be treated as a one-sorted structure A′ ,
A′ =< A′ , ΩF ; ΩR ∪{sorti : i ≤ t} >,
in which the signature is extended by t one-argument relations sorti defined
by the logical equivalence
sorti (a) ⇐⇒ a ∈ Ai .
Relations sorti for i ≤ t define types of the structure A. If f is a function of
type Ai1 × ... × Ain −→ Ain+1 , then the necessary condition for the sequence
a1 , ... , an belongs to the domain of function f is
(sorti1 (a1 ) ∧ ... ∧ sortin (an )).
A similar condition can be formulated for relations.
Obviously, if ∼is a congruence in system A, then ∼is a congruence in A′ .

2.2 Algebraic systems for the representation

of finite sets
Definition 2.2.1 By the standard dictionary data structure, we shall under-
stand a two-sorted algebraic structure D =< E∪D, insert, delete; member, empty >
such that
(a) E ∩ D = ∅ and D = F in(E), i.e. D is the set of all finite subsets of E,
insert and delete are functions of type (E × D −→ D),
member is a binary relation of type (E × D),
empty is one-argument relation of type (E) and
Dom(delete) = E × (D\{∅}), Dom(insert) = E × D
(b) for arbitrary e∈E and d∈D,
2.2. ALGEBRAIC SYSTEMS FOR THE REPRESENTATION OF FINITE SETS21

insert(e, d) = d ∪ {e},
delete(e, d) = d\{e}, when d̸= ∅
d ∈ empty iff d = ∅,
(e, d) ∈ member iff e ∈ d .

The structure dictionary is a data structure of importance and is often

used in informatics. We can apply it when dealing with finite sets and when
the operations to be used are the insertion of a new element into a set or the
deletion of an element from a set.

Definition 2.2.2 By the standard stack data structure we shall understand

a two-sorted algebraic structure S =< E ∪ S, push, pop, top; empty, = E >
such that
(1) E is an arbitrary non-empty set, S is the set of all finite sequences with
elements in E, and
push is an operation of type (E × S −→ S),
pop is an operation of type (S −→ S),
top is a one-argument operation of type (S −→ E),
empty is a one-argument relation of type (S),
=E is a two-argument relation of type (E × E) and
(2) for arbitrary e ∈ E and s ∈ S, if s = (e1, ..., en), then
pop(s) = (e2, ..., en),
push(e, s) = (e, e1, ..., en),
top(s) = e1,
If s is an empty sequence then the values of pop(s) and top(s) are not defined.
=E = {(e, e) : e ∈ E}
s∈ / empty iff s is a non-empty sequence
Elements of the set S will be called stacks.

Stacks play a fundamental role in the construction of programming lan-

guages compilers. This structure is very important during the syntactical
analysis of the source text of a program, as well as during execution of a
program. A stack whose elements are activation records, is the fundamental
tool for the realization of recursive procedures.
Another widely used data structure, which also deals with finite sequences
is the structure of queues.

Definition 2.2.3 By the standard data structure of queues we shall mean a

two-sorted algebraic structure
< E ∪ Q, put, out, f irst; em, = E, = Q >,
such that:
22 CHAPTER 2. DATA STRUCTURES

E is a non-empty set of elements (of queues),

Q is the set of all finite sequences over E (including the empty set ∅),
and the operations and relations of the system are defined as follows
put is a two-argument operation of type (Q × E −→ Q)
out is a one-argument operation of type (Q −→ Q)
f irst is a one-argument operation of type (Q −→ E)
em is a one-argument relation of type (Q)
=E is the identity relation of type (E × E)
=Q is the identity relation of type (Q × Q)
and for any q = (e1 , ..., en ) ∈ Q and e ∈ E we have
put(q, e) = (e1 , ..., en , e) Dom(put) = Q × E
out(q) = (e2, ..., en) Dom(out) = Q\{∅}
f irst(q) = e1 Dom(f irst) = Q\{∅}
′ ′
q ∈ em iff q is the empty sequence ∅

Queues are data structures often used in simulation programs where the
performance of real systems is modelled and analyzed. In operating systems
a queue of processes is created to solve access conflicts to the same port, e.g.
to a line printer.
Below we present two kinds of tree data structures which can be used
for example, in the evaluation of the value of an expression, or for data
management.

Definition 2.2.4 Let At be a non-empty set, elements of which are called

atoms. Let T ree be the smallest set of expressions which contains,
for each a ∈ At, an expression (a),
and contains some special element nil,
and such that, for any two elements t1, t2 ∈ T ree such that t1, t2 ̸= nil, the
expression (t1◦ t2) is also an element of the set T ree.
Elements of the set T ree will be called binary trees.

Definition 2.2.5 By the standard binary tree data structure we shall mean
a two-sorted algebraic structure
< At ∪ T ree, cons, lef t, right; atom, empty >,
such that
cons is an operation of type (T ree × T ree −→ T ree) lef t and right are
operations of type (T ree −→ T ree)
empty and atom are relations of type (T ree), i.e. subsets of the set T ree,
and, for t ∈ T ree and t1, t2 ∈ T ree\{nil},
cons(t1, t2) = (t1◦ t2), Dom(cons) = (T ree\{nil}) × (T ree\{nil})
◦
lef t((t1 t2)) = t1, Dom(lef t) = T ree\{nil}
2.2. ALGEBRAIC SYSTEMS FOR THE REPRESENTATION OF FINITE SETS23

right((t1◦ t2)) = t2, Dom(right) = T ree\{nil}

right(t) = lef t(t) = nil, if atom(t)
t ∈ atom iff t = (a) for some a ∈ At
t ∈ empty iff t = nil

Below we present another type of binary tree which finds wide application
in sorting.
Let Et be a set linearly ordered by some relation ≺. Elements of the
set Et will be called labels. Let T r be the smallest set which contains the
expression ( ) and such that, if e ∈ Et and t1, t2 ∈ T r, then (t1et2) ∈ T r.
Elements of the set T r are called labeled binary trees (trees with information
at their nodes). If a tree t has the form (t1et2), then t1 is called its left
subtree and t2 its right subtree. Element e is called the label of t.

Definition 2.2.6 A tree t ∈ T r is called a binary search tree, if t is of the

form ( ), or of the form (t1et2) and the following conditions are valid
(1) for any label e′ which occurs in t1, e′ ≺ e,
(2) for arbitrary label e′ which occur in t2, e < e′ ,
(3) t1 and t2 are binary search trees.

Let BST be the set of all binary search trees over the set Et. Each element
t of this set is a finite binary tree. Each vertex of the tree is labeled by an
element of the set Et. For every subtree t′ of the tree t, the label associated
with the root of t′ is greater than any label associated with a node in its left
subtree. Similarly for right subtrees, any label associated with a node of the
right subtree is greater that the label of the root of the tree.

Example 2.2.7 Figure 2.2 represents a binary search tree labeled by natural
numbers. The binary tree which is illustrated in Figure 2.3 is not a binary
search tree.

Fig.2.2
Fig.2.3

Definition 2.2.8 By the standard binary search tree data structure (or, for
short, BST structure) we shall mean the two-sorted algebraic structure
< Et ∪ BST, val, lef t, right, new, upl, upr; isnone, ú, =>,
where
val is a one-argument operation of type (BST −→ Et)
val(t1 e t2 ) = e Dom(val) = BST \ {( )}
lef t, right are operations of type (BST −→ BST )
lef t(t1 e t2 ) = t1 ,
24 CHAPTER 2. DATA STRUCTURES

right(t1 e t2 ) = t2 Dom(lef t) = Dom(right) = BST \{( )},

new is one-argument operation of type (Et −→ BST
new(e) = (( ) e ( )) for any e ∈ E,
upl and upr are two-argument operations of type (BST × BST −→ BST )

(tet2 ) if f (tet2 ) ∈ BST
upl(t, t1 et2 ) = ,
undef ined otherwise


(t1 et) if f (t1 et) ∈ BST
upr(t, t1 et2 ) = ,
undef ined otherwise

isnone is a one-argument relation, which is satisfied by the element ( ) only,

≺ is a linear ordering in the set Et, and
= is the identity relation in Et.

2.3 Formal language & semantics

The study of properties of concrete data structures requires a language able to
express properties of the operations and relations of the structure. In math-
ematics we use a (not necessarily formalized) language of first-order logic.
This language will also constitute the base for our work, cf. [44,33,45]. A
short presentation of the formal definition of this language and its semantics
is given below.

Definition 2.3.1 By the alphabet of a first-order language we shall under-

stand a set A which is the union of disjoint sets:
V - of individual variables,
Vo - of propositional variables,
P - of symbols of relations (i.e. predicates), P = (ρj )j∈J ,
Ψ - of symbols of functions (i.e. functors), Ψ = (φi )i∈I ,
{∧, ∨, ¬, =⇒} - of logic symbols, called conjunction, disjunction, negation,
implication,
{∀, ∃} - of symbols of quantifiers, called universal and existential quantifiers
respectively,
{ ) ,( } - of auxiliary symbols, such as parentheses and comma.

In what follows we shall assume that the set of individual variables con-
sists of the non-empty disjoint sets Vi , 1 ≤ i ≤ tt for some natural number
tt. If x ∈ Vi , then we shall say that x is a variable of type i. Each predicate
ρ ∈ P has a defined type t(ρ) of the form (i1 × ... × in → 0), where n is the
2.3. FORMAL LANGUAGE & SEMANTICS 25

number of arguments (arity of predicate), and i1 , ..., in are the types of the
arguments of the predicate ρ, 1 ≤ i1, ..., in ≤ tt. Each functor φ ∈ Ψ has
a defined type t(φ) of the form (i1 × ... × in → in+1 ), where n is its arity,
and i1 , ..., in are the types of its arguments, 1 ≤ i1 , ..., in , in+1 ≤ tt. We shall
assume, moreover, that the alphabet is (at most) a countable set.

Definition 2.3.2 The triple < tt, {t(φ)}φ∈Ψ , {t(ρ)}ρ∈P > will be called the
type of the language.

The set of all proper expressions of a first order language consists of the set
of terms and the set of formulas. Using terms, we can define new functions.
Similarly, formulas can be considered as definitions of new predicates.

Definition 2.3.3 The set of terms T over the alphabet Alph is the smallest
set which contains the set of individual variables V and such that, if φ is a
functor of type (i1 × ... × in → in+1 ) and τ1 , ..., τn are terms of types i1 , ..., in
respectively, then φ(τ1 , ..., τn ), is a term of type in+1 .

Definition 2.3.4 The set of formulas F over the alphabet A is the smallest
set of expressions which contains all propositional variables and all expres-
sions of the form ρ(τ1 , ..., τm ), (called elementary formulas) where ρ is a
predicate of type (i1 × ... × im → 0), and τ1 , ..., τm are arbitrary terms of types
i1 ,...,im , respectively, and such that

- if α, β ∈ F (i.e. are formulas), then the expressions of the form (α ∧ β),

(α ∨ β), ¬α, (α =⇒ β) are also formulas,
- if α is a formula and x is an individual variable, then the expressions of
the form (∀x)α, (∃x)α are also formulas.
Formulas which do not contain any quantifier symbol will be known as
open formulas.

Remark 2.3.5 Throughout this book we use τ (with indices if necessary) to

denote terms, α, β or δ to denote formulas and γ to denote open formulas.

Example 2.3.6 If x, y, z ∈ V and +, ∗ are two-argument functors and > is

a two-argument predicate in a one-sorted language L, then

∗(+(x, y), z) + (∗(x, z),∗(y, z))

are terms and
(∀y)(∃x) > (∗(+(x, y), z),
+(∗(x, z), ∗(y, z)))
¬(> (∗(x, x), ∗(y, y)) =⇒ > (x, y))
26 CHAPTER 2. DATA STRUCTURES

are formulas in this language.

In the usual notation for two-argument relations and functions, the above
expressions have the following, much more readable, form
(x + y) ∗ z(x ∗ z + y ∗ z)
(∀y)(∃x)(x + y) ∗ z > (x ∗ z + y ∗ z)
¬(x ∗ x > y ∗ y =⇒ x > y)
From now on, we shall use this more readable notation to represent two-
argument functions or relations.
For any formula of the form (∃x)α (or (∀x)α), α is known as the scope of
existential (or universal) quantifier. Any occurrence of the variable x in the
expression α is said to be bounded by the existential (universal) quantifier.
If an individual variable y occurs in the formula α and is not bounded by
any quantifier, then we shall say that y is a free variable in α. Writing
α(x1 , ..., xn ) we stress that variables x1 , ..., xn are free in the formula α. The
set of all free variables that occur in a formula α will usually be denoted by
F V (α). The set of all variables that occur in a term τ or in a formula α will
be denoted by V (τ ) and V (α), respectively.

Example 2.3.7 Consider the first-order language over the alphabet described
in example 2.3.1 and the formula α of the form (β ∨ δ), where
β = (∀x)(∃y)((x + y) ∗ z > y), δ = (x > y(x + y)).
The variable z is free in β and variables x, y are bounded in β. All variables
that occur in the formula δ are free variables. In the formula α there are
three free variables x, y, z and two bounded variables x, y. Notice, that the
same variable may occur in one formula as free and as bounded:
((∀x)(∃y)((x + y) ∗ z > y) ∨ (x > y ∗ (x + y)))
| {z } | {z }
bounded occurrences free occurrences

We close this formal definition of first-order languages with the following

definition.

Definition 2.3.8 By the first-order language over an alphabet A we shall

mean a system L =< A, T ; F >, where T is the set of all terms and F is the
set of all formulas over the alphabet A.

Remark 2.3.9 Different alphabets determine different sets of terms and for-
mulas, and hence, different first-order languages. The above definition, thus,
describes the class of first-order languages.

We use the following denotations: true for the formula (p ∨ ¬p) and
false for the formula (p ∧ ¬p), where p is a propositional variable of the
2.3. FORMAL LANGUAGE & SEMANTICS 27

language under consideration. If the predicate = occurs in the language L,

then we stress this fact by writing L= .
Terms and formulas are only formal expressions. Meaning will be given
to them when we interpret all their symbols. The interpretation of all proper
expressions of the language is called its semantics.
Let L be a first-order language of type < tt, {t(φ)}φ∈Ψ , {t(ρ)}ρ∈P >, and
let A be a non-empty set which is set-theoretic union of disjoint sets Ai for
1 ≤ i ≤ tt. For each functor φ ∈ Ψ of type t(φ) = (i1 × ... × in → in+1 ) let
φA denote n-argument partial function in A,
φA : Ai1 × ... × Ain → Ai(n+1)
and for each predicate ρ of type t(ρ) = (i1 × ... × im ), let ρA denote an
arbitrary m-argument relation on A,
ρA ⊆ Ai1 × ... × AiM
In this way we have fixed an algebraic structure A,
A = < A, (φA )φ∈Ψ ; (ρA )ρ∈P >,
of the same type as the language L. The function φA and the relation ρA
will be known as the interpretation of the functor φ and of the predicate ρ in
the structure A. When considering a first-order language L= we will usually
assume that the identity relation on A is the interpretation of the predicate
=. We call such an algebraic system A a data structure of the language L.
Example 2.3.10 Let φ, ψ be binary functors in the language L, and x, y, z
individual variables. Let A be a data structure for L, with the set of real
numbers as universe and with operations + and ∗ as interpretations of the
symbols φ, ψ. With this, the term ψ(φ(x,y),z) can be understood as a three-
argument function φA (ψA (x, y, ), z) defined on the set of real numbers, which
to any triple of real numbers a1 , a2 , a3 associates the real number which is the
value of arithmetic expression (a1 + a2 ) ∗ a3 .
Definition 2.3.11 By a valuation in the data structure A for the language
L we mean any function
v: V∪Vo → A∪Bo
such that v(x)∈Ai for x∈Vi , 1≤i≤tt and v(q)∈B0 for q∈V0 , i.e. valuation is
a function which assigns to each individual variable an element of the same
type, and to each propositional variable an element of the Boolean algebra
B0 .
Let us now generalize the observations from example 2.3.10. Any term
τ with variables x1 , ..., xn , determines for a given data structure an n-argu-
ment partial function which depends only on the values of variables x1 , ..., xn .
28 CHAPTER 2. DATA STRUCTURES

Let us denote this function by τA . For simplicity, we shall consider τA as a

function defined on the set W (A) of all valuations in the structure A. For
every valuation v, τA eventually determines an element τA (v) of A defined
recursively as follows:
xA (v) = v(x) for x ∈ V ∪ V0


 φA (τ1A (v), ..., τnA (v)) if τ1A (v), ..., τnA (v)
φ(τ1 , ..., τn )A (v) = and φA (τ1A (v), .., τnA (v) are defined
undefined otherwise


Let us review
- the value of a simple term of the form x is given by its valuation in the
structure A,
- the value of a term τ = φ(τ1 , ..., τn ) is the element φA (a1 , ..., an ), if the
functions τ1A ,...,τnA have defined values in the valuation v, equal respectively
to a1 , ..., an , and (a1 , ..., an ) belongs to the domain of the partial function φA .
Similarly we can determine the meaning of formulas. The formal defini-
tion is preceded by an example.

Example 2.3.12 Let L and A be the language and data structure defined in
example 2.3.10. Assume moreover, that we have a two-argument predicate ρ
interpreted in A as <. Consider the formula
(ρ(ψ(x, x), ψ(y, y)) =⇒ ρ(x, y)).
Interpreting it in the structure A, we obtain the expression (x ∗ x < y ∗ y =⇒
x < y), which can be understood as a definition
- of a binary relation which holds for real numbers a, b iff a < b or |a| ≥ |b| ,
or
- of a two-argument function f (x, y), which takes on the value 1 ∈ B0 iff
x < y or |x| ≥ |y| .

Each formula α determines a total function αA on a data structure A,

which to every valuation v assigns an element of the Boolean algebra Bo.
For a given argument v the value of the formula a, at the valuation v in the
data structure A, will be denoted by αA (v) and is defined with respect to the
structure of a as follows:
qA (v) = v(q) for q∈ V0 ,
ρA (τ1A (v), ..., τnA (v)) if the values τ1A (v), ..., τnA (v) are defined
ρ(τ1 , ..., τn )A (v) =
0 otherwise
(α ∧ β)A (v) = αA (v) ∩ βA (v)
2.3. FORMAL LANGUAGE & SEMANTICS 29

(α ∨ β)A (v) = αA (v) ∪ βA (v)

(α =⇒ β)A (v) = αA (v) → βA (v)
(¬α)A (v) = −αA (v)
((∀x)α)A (v) = 1 iff for all a ∈ A, αA (vax ) = 1
((∃x)α)A (v) = 1 iff there exists an a ∈ A such that αA (vax ) = 1,
where vax (z) = v(z) for z ̸= x and vax (x) = a.
(in other words, the valuation vax is identical to the valuation v except
that x takes on the value a)
The universal quantifier is interpreted as the greatest lower bound in the
boolean algebra B0 ,
((∀x)a)A (v) = inf {αA (vax ) : a ∈ A},
and the existential quantifier as the least upper bound in B0 ,
((∃x)a)A (v) = sup{αA (vax ) : a ∈ A}.

Definition 2.3.13 We say that a formula α is satisfied by the valuation v

in the structure A if and only if αA (v) = 1, and we write this symbolically
A, v |= α.
If a formula α is satisfied in the structure A by every valuation, then we say
that α is valid in A, and we write A |= α. If the formula α is valid in every
structure, then we say that α is a tautology, which we write as |= α.

Remark 2.3.14 (1) Every formula is a finite expression. Thus its value
depends only on the finite number of values of variables which occur in the
formula.
(2) If we consider a first-order language L= (i.e. the binary predicate = be-
longs to our language) then for any valuation v in any data structure for L=
, the following holds
A, v |= τ = τ iff v ∈ Dom(τ ).
In other words, τ = τ is valid in A only for those valuations for which the
value of the term τ in the structure A is defined.

Example 2.3.15 (1) The formula (∀y)x ≤ y is satisfied in the structure of

natural numbers with the usual interpretation of predicate ≤ by the valuation
v in which v(x) = 0. It is not valid in this structure, since nor all valuations
satisfy it.
(2) The formula (x ≤ y ∨ y ≤ x) is valid in every data structure in which
the symbol ≤ is interpreted as a linear ordering.
(3) The formula (x ≤ y ∨ ¬x ≤ y) is a tautology since it is valid indepen-
dently of the values of the variables and of the interpretation of the relation
30 CHAPTER 2. DATA STRUCTURES

symbol ≤.

Lemma 2.3.16 The following formulas in the first-order language L are

valid in any data structure for L. They are called laws of classical logic.
(α ∨ ¬α) law of the exclusive middle
(¬(¬α) ⇔ α) law of double negation
((α =⇒ β) =⇒ (¬β =⇒ ¬α)) transposition law
((∀x)¬α ⇔ ¬(∃x)α) de Morgan’s law

Definition 2.3.17 Let Z be any set of formulas in the language L. We

say that a data structure A is a model of the set Z, written symbolically as
A |= Z, if every formula α from Z is valid in A, A |= α.

Example 2.3.18 Consider the first-order language L, in which there are

individual variables of two sorts E and S, and there are functors: top, pop
and push of types(S → E), (S → S), (E × S → S) and predicates: empty,
=S of types (S) and (S × S), respectively.
The standard stack structure defined in section 2.2 is a model of the following
set of formulas
(∀e)(∀s)¬empty(push(e, s))
(∀e)(∀s)e = top(push(e, s))
(∀e)(∀s)s = pop(push(e, s))
(∀e)(∀s)(¬empty(s) =⇒ s = push(top(s), pop(s))).
Verification is easy.

Example 2.3.19 Let α(x) denote a formula in the language L= with one
free variable x. Let α(x/τ ) be the formula obtained from α by simultaneous
replacement of all occurrences of x by τ . We shall prove that each data
structure for L= is a model for all formulas of the form

((∀x)α(x) =⇒ (τ = τ =⇒ α(x/τ )),

where τ is any term of the same type as the variable x.

Let us fix a data structure A for L= . Let v be an arbitrary fixed valuation in
A, and τ be any term of the same type as x. Assume thatA, v |= (∀x)α(x)
and A, v |= t = t.
The second condition implies that the value of term τ is defined at the valua-
tion v. By the definition of the semantics of the language, and by the first
condition we have A, va x |= α(x) for α = τA (v). Thus A, v |= α(x/t).
2.4. EXPRESSIBILITY PROBLEMS IN THE FIRST-ORDER LANGUAGE31

2.4 Expressibility problems in the first-order

language
Definition 2.4.1 Definition 2.4.2 We shall say that a property p is ex-
pressible in the language L iff there exists a formula a in the language L such
that, for every data structure A ,

A has the property p iff A |= α.

Example 2.4.3 The property “to be an Abelian group“ is expressible in the

language L= , in which φ is a two-argument functor and 0 is a constant. Let
α denote the conjunction of the following formulas:
(∀x)(∃y) φ(x, y) = 0
(∀x, y) φ(x, y) = φ(y, x)
(∀x, y) φ(x, φ(y, z)) = φ(φ(x, y), z)
(∀x) φ(x, 0) = x
and let β denote the conjunction of the formulas:
(∀x)(x = x)
(∀x, y)(x = y =⇒ y = x)
(∀x, y, z)((x = y ∧ y = z) =⇒ x = z)
(∀x, y)(x = y =⇒ φ(x) = φ(y))
Then a structure A is an Abelian group iff A |= (α ∧ β).

Example 2.4.4 Let L be an arbitrary first-order language in which R is the

set of predicates and F the set of functors. Let eq∈R. Consider the following
set of formulas Axeq in the language L:
(∀x)eq(x, x)
(∀x, y)(eq(x, y) =⇒ eq(y, x))
(∀x, y, z)((eq(x, y) ∧ eq(y, z)) =⇒ eq(x, z))
(∀x, y)((eq(φ(x), φ(x)) ∧ eq(φ(y), φ(y)) ∧ eq(x1 , y1 ) ∧ ... ∧ eq(xn , yn )) =⇒
eq(φ(x), φ(y)))
for each functor φ, where n is the number of arguments of φ.
(∀x, y)((eq(x1, y1) ∧ ... ∧ eq(xm, ym)) =⇒ r(x) ⇔ r(y))
for each predicate r∈R, where m is the number of arguments of r. Here
x denotes the vector (x1 ,...,xn ), and y the vector (y1 ,...,yn ).In every data
structure A for the language L the following property holds:
A |= Axeq iff eqA is a congruence in A.
The first three conditions guarantee that eqA is an equivalence relation in A,
the remaining ones express the extensionality property of the relation eqA.
Henceforth the set of formulas Axeq will be known as the axioms of equality.
32 CHAPTER 2. DATA STRUCTURES

Example 2.4.5 (a) Let α denote the following formula in a certain language
L= with equality
(∃x1 )..(∃xn )(∀x)(x = x1 ∨ ...∨ x = xn ).
The formula α has the following property: for every data structure A, A |=
α iff the universe of the data structure A contains at most n elements.
Indeed, consider a data structure A, such that its universe has cardinality
greater than n. Let v be an arbitrary valuation in A and let a be an element
of A, such that v(xi ) ̸= a for 1 ≤ i ≤ n. Then
A, vax |= (x ̸= x1 ∧ ... ∧ x ̸= xn )
and consequently
non A, v |= (∀x)(x = x1 ∨ ... ∨ x = xn ).
The valuation v was an arbitrary valuation, hence
non A, v |= (∃x1 )...(∃xn )(∀x)(x = x1 ∨ ... ∨ x = xn ),i.e. non A |= α. Con-
versely, if non A |= α, then (since α is a closed formula) for every valuation
v, non A, v |= α. Therefore non A, v |= (∀x)(x = x1 ∨ ... ∨ x = xn ) for
every v.In accordance with the definition of quantifiers for every valuation v
there exists an element a such that non A, vax |= (x = x1 ∨ ... ∨ x = xn ).
Finally, for every sequence of values v(x1 ), ..., v(xn ) there exists an element
a such that a ̸= v(xi ), for i ≤ n, i.e. card(A) > n.
(b) Consider the formula β of the form:
(∃x1 )...(∃xn )(x1 ̸= x2 ∧ x1 ̸= x3 ∧ ... ∧ x1 ̸= xn ∧ x2 ̸= x3 ∧ x2 ̸= xn ... ∧ xn−1 ̸=
xn ).
Formula β is valid in those and only those data structures in which the uni-
verse has at least n elements. Hence the formula β expresses the property
“the universe of the system has at least n elements“. The proof of this fact
is left to the reader.

Putting together the two formulas we can define the class of data struc-
tures that have exactly n elements since the conjunction (α ∧ β) expresses
this property.

Theorem 2.4.6 Let A and B be data structures for the language L. Let
h be an isomorphism mapping structure A onto structure B, h : A → B.
Consider a term τ and a valuation v in A, then τA is a mapping defined
for the valuation v iff B is defined for the valuation h(v), and when τA (v),
τB (h(v)) are defined, we have
h(τA (v)) = τB (h(v)) (2.1)
Moreover, for every formula α and for every valuation v
A, v |= α ⇔ B, (h(v)) |= α (2.2)

Proof. The proof of the theorem proceeds by induction with respect to

the structure of terms and formulas.
2.4. EXPRESSIBILITY PROBLEMS IN THE FIRST-ORDER LANGUAGE33

If τ is an individual variable x, then

h(τA (v)) = h(v(x)) = (h(v))(x) = xB (h(v)) = τB (h(v)).
If τ is of the form φ(τ1 , ..., τn ) and if the property (2.1) is satisfied for terms
τ1 , ..., τn , then from the definition of an isomorphism and from the inductive
hypothesis
h(φ(τ1 , ..., τn )A (v)) = h(φA (τ1A (v), ..., τnA (v))) = φB (h(τ1A (v)), ..., h(τnA (v))) =
φB (τ1B (h(v)), ..., τnB (h(v))) = φ(τ1 , ..., τn )B (h(v)).
Thus, by induction, property (2.1) holds for all terms of the language L.
Consider now the formulas of L. Let α be a formula of the form ρ(τ1 , ..., τm ).
A, v |= α iff A, v |= ρ(τ1 , ..., τm ) iff τiA is defined for all i ≤ m and (τ1A (v), ..., τmA (v)) ∈
ρA .
by the definition of an isomorphism and from the above remarks,
A, v |= α iff (h(τ1A (v)), ..., h(τmA (v))) ∈ ρB iff
(τ1B (h(v)), ..., τmB (h(v))) ∈ ρB iff B, h(v) |= ρ(τ1 , ..., τm ).
Assume that property (2.2) is valid for formulas β, β1 , β2 and consider a
formula of the form (β1 ∧ β2 ). We then have
A, v |= (β1 ∧ β2 ) iff A, v |= β1 and A, v |= β2 iff
B, h(v) |= β1 and B, h(v) |= β2 iff B, h(v) |= (β1 ∧ β2 ).
Let α be a formula of the form (∃x)β(x). If a is a variable of the same type
as x, then b = h(a) has the same type as x and, moreover,
A, v |= (∃x)β(x) iff for certain a, A, vax |= β(x) iff
for certain a ∈ A, B, h(vax ) |= β(x) iff
for certain a ∈ A, B, h(v)xh(a) |= β(x) iff
for certain b ∈ B, B, h(v)xb |= β(x) iff B, h(v) |= (∃x)β(x).
The proof of property (2.2) in the remaining cases has a similar form.
By the above theorem, if A |= α and if B is a structure isomorphic to A,
then B |= α. In other words, if the structure A is a model for a certain set
of formulas Z, then every structure isomorphic to A is also a model of Z.
Hence it is impossible to uniquely characterize a structure. We can at most
define a class of isomorphic data structures. We shall see later that even this
goal is not always attainable.

Example 2.4.7 Consider the structure of the natural numbers

N =< N, suc, 0; =>
The property “to be a natural number“ or “to be the structure of the natural
numbers“ cannot be expressed in the language of first-order logic with equal-
ity. Obviously we can characterize the constant 0 and the successor operation
by means of the following formula α:
(∀x)(suc(x) = suc(x))∧(¬suc(x) = 0)∧(∀x, y)(suc(x) = suc(y) =⇒ x = y).
However, from the fact that N |= α it does not follow that the universe of
a model N consists of the natural numbers nor that N is isomorphic to the
34 CHAPTER 2. DATA STRUCTURES

structure of the natural numbers. The validity of the formula α in a structure

N guarantees the following properties of the structure N :
(1) the interpretation of the functor suc is a total function,
(2) the function does not assume the value corresponding to the constant 0,
(3) the function is a one-to-one function.
It turns out that even if we add the so called induction scheme i.e. all for-
mulas of the form
{γ(x/0) ∧ [∀x)(γ(x) =⇒ γ(x/suc(x))]} =⇒ (∀x)γ(x)
as additional axioms then there still exist models which we would not accept
as the standard concept of natural numbers. The axioms given above, the so-
called Peano axioms, are not enough to discriminate non-standard models. It
turns out that there exist non-enumerable models for the Peano axioms (cf.
Grzegorczyk [21]).

Unfortunately, the majority of properties that are of interest to program-

mers cannot be expressed in the language of first-order logic. Among such
properties, we find the following:
(1) to be a finite set,
(2) to be a well founded ordering relation,
(3) to be a natural number (in its standard meaning),
(4) to be a (finite) stack,
(5) to be a (finite) queue,
(6) to be a (finite) binary tree,
and many others.
Pozytywna informacja jaka plynie z twierdzenia 2.4.1 pozwala udowod-
nic istnienie komputera. Obliczenia prowadzone w systemie binarnym dadza
wartosci ktore po przetlumaczeniu na system dziesietny sa rowne wartosciom
jakie otrzymalibysmy wykonuujac obliczenia w systemie dziesietnym. Mow-
imy ze diagram

TU DIAGRAM

jest przemienny. Majac swobode wyboru systemu: binarny czy dziesietny,

wybieramy tanszy w realizacji, ... w eksploatacji.

Nie sa wyrazalne tez wlasnosci programow takie jak

- program P zakonczy obliczenia
- program P zakonczy obliczenia i wyniki spelnia warunek a,
W nastepnym rozdziale zaproponujemy wyjscie z tej sytuacji.
Chapter 3

Deterministic Iterative
Programs

In this chapter we discuss the simplest class of programs which is rich enough
to define every computable function. We call it the class of iterative programs
or the class of deterministic while-programs and denote by it P . For this
class we shall present some logic-oriented methods which allow us to analyze
programs and data structures.
Our considerations are based on a language of first-order logic F OL with
equality. This language is, however, too weak to describe more complicated
properties of programs, e.g. the holting property is not expressible in the
language. Consequently, we shall extend the language by allowing expres-
sions which contain programs as well as classical terms and formulas. These
expressions, called algorithmic formulas, allow us to express all important
properties of programs as well as properties of data structures which are not
expressible in a language of first-order logic.

3.1 Programs
From the very beginning the development of computers was accompanied by
the rapid development of different programming languages concepts. Some
of them are of universal character, whereas others serve as tools for highly
specialized problems. They often differ, not only from a formal point of view,
but also, more essentially, by the tools (instructions) offered to programmers.
Moreover, this process is continuing and will continue. Nonethelees, new pro-
gramming languages are appearing with new programming constructs whose
aim is to make the process of program-construction easier, e.g. processes,
coroutines, signals etc. Within this large population of programming lan-

35
36 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

guages we can distinguish several common properties. For example, in the

majority of languages, a program is understood as a finite sequence of in-
structions. Combining simple instructions by programming constructs we
obtain more complicated instructions etc.
In this section we present the class of deterministic iterative programs
which abstracts from some details, such as variable declarations, since they
have no influence on the process of verification.
Let L be a fixed FOL-language. Terms (cf. def.2.3.3) and formulas (cf.
def. 2.3.4) of this language will serve as arithmetic and boolean expressions
in the programs defined below.

Definition 3.1.1 By an assignment instruction, we mean any expression of

the form
x := τ or q := γ,
where x is an individual variable, τ is a term of the same type as the
variable x, q is a propositional variable, and γ is an open formula.

Example 3.1.2 If x, y are individual variables of some one-sorted language

L and +, − are symbols representing two-argument operations and ≤ , ≥ are
symbols representing two-argument relations then

z := (x + y) − z and q := (x ≤ y =⇒ x ≥ (y − z))

are assignments instructions.

Assignments instructions will be called atomic or elementary programs.

Definition 3.1.3 The set P of all deterministic iterative programs is the

smallest set of expressions closed with respect to the following formation rules

(1) each assignment instruction in the language L is a program of the class

P,

(2) if γ is an open formula and K, M ∈ P , then the expression if γ then K else M

fi is a program of the the class P ,

(3) if γ is an open formula and M ∈ P , then the expression while γ do M od

is a program of class P ,

(4) if K, M ∈ P , then the expression begin K; M end is a program of the

class P .
3.1. PROGRAMS 37

It is natural to illustrate programs as flow-diagrams. Each deterministic

program can be represented as a graph with one input and one output vertex.
Each edge is labeled by a test (i.e. open formula) or assignment instruction.
The simplest diagram is illustrated on Fig. 3.1.
Fig. 3.1
If the diagrams of K and M are given (cf. Fig. 3.2), then identifying the
output edge of the first diagram with the input edge of the second diagram we
obtain the diagram of the composed program begin K; M end (cf. Fig.3.3).
Fig. 3.2
|

Fig. 3.3
Analogously, if diagrams of programs K and M are as in figure 3.2, then
the graphs given in Fig.3.4 and Fig.3.5 are illustrations of the programs
“if g then K else M fi“ and “while g do K of “,
respectively.
Fig. 3.4
Fig. 3.5
To end the section, we can observe that the set of programs P creates an
algebra with the two-argument operations of composition ◦ and branching
⊻γ and the one-argument operation ∗γ , for γ ∈ Fo , defined as follows
df
K ◦ M = begin K; M end
df
K ⊻γ M = if γ then K else M fi
df
∗γ M = while γ do M od
The set of all assignments instructions is the set of generators of this algebra.
By this we mean that every program from the set P can be constructed from
assignments by means of the program operations ◦ , ⊻γ , ∗γ .
The algebraic character of the set P stresses the modular character of the
class of programs.
Henceforth we will use the following notations and abbreviations:
- instead of i iterations of the program K
begin K;K;...;K end
SYMBOL 59 \f “Fences“
i times
we shall write Ki ,
- for an arbitrary variable x, instead of the instruction
if g then K else x :=x fi
we shall write for short if g then K fi.
38 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

3.2 Semantics
In order to define the semantics of a programming language one should first
fix an interpretation of the language which is used to define programs. This
means that the relational system or data structure corresponding to the first
order language FOL must be given. The interpretation of terms and formulas
which occur in programs is then defined as in section 2.3. The second impor-
tant part of the semantics is the interpretation of programming constructs.
Using the algebraic structure of the class P we can define the interpretation
of the more complicated instructions making up from the interpretation of
simpler parts.
Although there is no common concensus on what the basic programming
language constructs are and what are their meanings, there is a common
conception which consists in associating with a program a binary relation
which describes the connections between the input and output states of the
computer memory. We shall call such a relation the input-output relation.
Since, in our approach, the memory state is just a valuation of variables (cf.
def.2.3.6), this relation is defined on the set of all valuations. The state of
the computer memory before the execution of a program is called the initial
valuation and the state of the computer memory after execution of a program
- the output valuation.
We shall define the input-output relation with respect to the structure of
the program. The method presented here is called operational semantics of
programming languages.
Let M be a program and let A be a data structure of the language L. If
valuations v, v ′ are in the input-output relation determined by the program
M in data structure A, then we write this as
MA
v −−→ v′
or without the index A when the structure is fixed.
The inductive definition of the input-output relation is given below:
(x:=w)A
v −−−−→ v1 iff v ∈ Dom(wA ), v1 (x) = ωA (v) and v1 (z) = v(z) for z ̸= x
beginK;M end K M
v −−−−−−−−→ A
v1 iff v −→
A
v ′ and v ′ −−→
A
v1
if γ then K else M f iA KA MA
v −−−−−−−−−−−−−−→ v1 iffA, v |= γandv −→ v1 orA, v |= ¬γandv −−→ v1
while γ do M od
v −−−−−−−−−−→
A
v1 iff either A, v |= ¬γ and v1 = v or A, v |= γ and
M while γ do M od
(∃v ′ )v −−→
A
v ′ and v ′ −−−−−−−−−−→ A
v1
for all valuations v, v ′ in the data structure A.
The way in which we have determined the meaning of the programs en-
ables us to observe the process by which the initial data are transformed
into the result. We shall call this process the computation of a program. In
3.2. SEMANTICS 39

the sequel, we define formally the notion of computation and two auxiliary
notions: configuration and the direct succesorship relation.
DEFINITION 3.2.1

Definition 3.2.1 By a configuration in a fixed data structure A we mean an

ordered pair < v, K1 ; ...; Kn >, where v is a valuation in A, and K1 , ..., Kn
is a finite list of programs to be executed consecutively. To abbreviate the
notation we will often omit the name of the structure. □

On the set of all configurations in a fixed data structure A, we define the

direct succesorship relation which will later allow us to define the notion of
computation.

Definition 3.2.2 By a direct successorship relation we mean a binary re-

lation denoted by −→ (we shall omit the sign A if this does not lead to
A
confusion) defined on the set of all configurations in A in the following way:
<v, z:=ω;K1 ;...;Kn > −→ <v’, K1 ;...;Kn > if the value of the expression ω
A
is defined and v’(z)=ωA (v), v’(y)=v(y) for y̸=z.
<v,if γ then K else M fi;K1 ;...;Kn > −→ <v, K;K1 ;...;Kn > when A,v |= γ
A
<v,if γ then K else M fi;K1 ;...;Kn > −→ <v, M;K1 ;...;Kn > when A,v |= ¬γ
A
<v,begin K;M end;K1 ;...;Kn > −→ <v, K;M;K1 ;...;Kn >
A
<v,while γ do M od;K1 ;...;Kn > −→ <v, K1 ;...;Kn > when A,v |= ¬γ
A
<v,while γ do M od;K1 ;...;Kn > −→ <v,M;while γ do M od;K1 ;...;Kn > when
A
A,v |= γ.

Observe the following

Remark 3.2.3 For a given configuration c=<v,K1 ;...;Kn >there exist at most
one configuration c’ such that c −→c’.
A

Definition 3.2.4 By the computation of a program M in a data structure

A at the initial valuation v, we understand a sequence of configurations Q =
{Q0 , Q1 , ..., Qi ...} such that
(1) Q0 =< v, M >
(2) if there exists a configuration Q′ such that Qi −→ Q′ , then the i + 1-th
A
element of Q is defined and Qi+1 = Q′ ,
(3) otherwise Qi is the final element of the computation.
40 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

Example 3.2.5 Consider the following program K in the language L

begin
y:=0;
while y̸=z do M od
end,
where
M=begin y:=y+1; x:=1+(1/(1+x)) end.
Let <R,0,1,+,/> be a data structure for the one-sorted language L such that
R is the set of real numbers, and 0, 1, +, / have their usual meanings.
1) For initial data v such that v(x), v(z)ÎN the program K has a finite com-
putation. If v(x)=1, v(z)=2, then the computation of K is as follows (the
initial
 value of the
 variable y has no effect on the computation):
x y z
,K
1 − 2
 
x y z
, y : 0; while y ̸= z do M od
1 − 2
 
x y z
, while y ̸= z do M od
1 0 2
 
x y z
, M ; while y ̸= z do M od
1 0 2
 
x y z
, y := y + 1; x := 1 + (1/(1 + x)); while y ̸= z do M od
1 0 2
 
x y z
, x := 1 + (1/(1 + x)); while y ̸= z do M od
1 1 2
 
x y z
3 , while y ̸= z do M od
2
1 2
 
x y z
3 , M ; while y ̸= z do M od
2
1 2
 
x y z
3 , y := y + 1; x := 1 + (1/(1 + x)); while y ̸= z do M od
2
1 2
 
x y z
3 , x := 1 + (1/(1 + x)); while y ̸= z do M od
2
2 2
 
x y z
3 , while y ̸= z do M od
2 2
 2 
x y z
3 ,∅
2
2 2
2) Consider an initial valuation v such that v(x) ∈ N , v(z) < 0, e.g.
v(x) = 0, v(z) = −2. In this case the program K has an infinite compu-
tation. The reason is that at each step of the computation the value of y
3.2. SEMANTICS 41

increases while the value of z remaines unchanged. Thus the condition y = z

will never be satisfied. This means that the loop “while ...“ will be repeated
infinitely many times.
3) Let v be a valuation in which v(x) = −1, v(z) = 2. For this initial valua-
tion program K has a finite but unsuccessful computation (a failing compu-
tation):
 
x y z
,K
−1 − 2
 
x y z
, y : 0; while y ̸= z do M od
−1 − 2
 
x y z
, while y ̸= z do M od
−1 0 2
 
x y z
, M ; while y ̸= z do M od
−1 0 2
 
x y z
, y := y + 1; x := 1 + (1/(1 + x)); while y ̸= z do M od
−1 0 2
 
x y z
, x := 1 + (1/(1 + x)); while y ̸= z do M od
−1 1 2
The computation stops without a result, since the next instruction requires
division by zero.

SYMBOL 224 \f “Symbol“

If the program M has a finite computation Q in a data structure A at
valuation v, and if the final configuration has the form < v ′ , ∅ >, i.e. the list
of programs to be executed is empty, then the valuation v ′ is called the result
of the computation of M at v.
If Q is a finite sequence but the list of instructions left for execution is
not empty, then Q is called an unsuccessful computation of M .
If Q is an infinite sequence which starts from the configuration < v, M >,
then Q is called an infinite computation of M .
Let MA denote a relation on the set of all valuations such that
(v, v ′ ) ∈ MA iff there exists a finite, successful computation Q of the
program M in the data structure A which, starting from the initial valuation
v, halts at the valuation v ′ .
REMARK

Remark 3.2.6 For any data structure A, for any valuation v, for any pro-
gram M
MA
(v, v′) ∈ MA iff v −−→ v′ .
42 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

The obvious proof is omitted.

SYMBOL 224 \f “Symbol“
We shall use the denotation W (A) to denote the set of all valuations in
A.
LEMMA 3.2.1
For any program M and any data structure A, MA is a partial function,
moreover
(1) if M is of the form (x := t), then Dom(MA ) = Dom(tA ) and for
v ∈ Dom(MA )
MA (v) = v ′ , where v ′ (x) = tA (v), v ′ (z) = v(z) for z ̸= x
(2) if M is of the form q := γ, then Dom(MA ) = W (A) and for v ∈
Dom(MA )
MA (v) = v ′ , where v ′ (q) = 1 iff A, v |= γ, v ′ (z) = v(z) for z ̸= q,
(3) if M is of the form begin K1 ; K2 end, then
Dom(MA ) = {v : v ∈ Dom(K1A ) and K1A (v) ∈ Dom(K2A ) } and
MA (v) = K2A (K1A (v)) for v ∈ Dom(MA ),
(4) if M is of the form if γ then K1 else K2 f i, then
Dom(MA ) = {v : v ∈ Dom(K1A ) and A, v |= γ} ∪ {v : v ∈ Dom(K2A )
and A, v |= ¬γ}
and for v ∈ Dom(MA )

K1A (v) when v satisfies γ
MA (v) =
K2A (v) when v satisfies ¬γ
(5) if M is of the form while γ do K od, then
Dom(MA )={v ∈ Dom(KAi ) :where i is the least natural number such
that for j < i, v ∈ Dom(KAj ), A, KAj (v) |= γ and such that A, KAi (v) |= ¬γ}
and, for v ∈ Dom(MA ), MA (v) = KAi (v), where i takes on the value
defined above.
The proof is technical and is left to the reader as an exercise.
DEFINITION 3.2.4

Definition 3.2.7 Let L be a language of first-order logic. Let P be a class

of deterministic iterative programs over the language L. We say that the
n-argument partial function f (x1 , ..., xn ), on a data structure A, is pro-
grammable in the class P iff there exists a program M ∈ P which uses at
least n + 1 variables x1 , ..., xn , xn+1 and is such that, for arbitrary aj ∈ A of
type ij (for 1≤j≤n+1) and any valuation v such that v(xi ) = ai for i ≤ n,
(1) (a1 , ..., an ) ∈ Dom(f ) iff there exists a finite successful computation of
M at
the initial valuation v,
(2) if (a1, ..., an) ∈ Dom(f ) and v ′ = MA (v), then
3.2. SEMANTICS 43

f (a1 , ..., an ) = an+1 iff v ′ (xn+1 ) = an+1

Program M is then considered as an algorithmic definition of the function f .

SYMBOL 224 \f “Symbol“

REMARK

Remark 3.2.8 Each partial recursive function (cf. Grzegorczyk [21]) is pro-
grammable in a data structure of the natural numbers.

EXAMPLE 3.2.2

Example 3.2.9 Let us consider the function div(x,y) in the data structure
<N,0,s;≤,=>. The following program M defines this function:

begin
r := x; i := 0;
while y ≤ r
do
u := y; j := 0;
while r ̸= u
do
u := s(u); j := s(j)
done;
r := j; i := s(i)
done
end
.

In fact, for any valuation v, if v(x) < v(y), then the value of the variable i
after execution of the program is 0; otherwise, i is the greatest natural num-
ber n such that n ∗ v(y) ≤ v(x).

DEFINITION 3.2.5

Definition 3.2.10 We say that a relation r(x1, ..., xm), of type (i1∗...∗im),
on the data structure A, is programmable (in the class P ), iff there exists a
program M ∈ P which uses at least m variables x1 , ..., xm and a propositional
variable q, and is such that, for arbitrary aj ∈ A of type ij (for 1≤j≤m), and
any valuation v such that v(xi ) = ai for i≤m, (a1 , ..., am ) ∈ r iff there exists
a finite successful computation of M at the initial valuation v, and v ′ (q) = 1
for v ′ = MA (v).
44 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

REMARK

Remark 3.2.11 Each recursively enumerable relation is programmable in

the class ? (cf. Grzegorczyk [21]) in a data structure of the natural numbers.

EXAMPLE 3.2.3

Example 3.2.12 Let us consider a relation ≤ in a data structure of the

natural numbers N =< N, 0, s; =>. This relation is programmable by the
following program M :

begin
u := x;
w := y;
q := true;
while ((q ∧ u ̸= y) ∨ (¬q ∧ x ̸= w))
do
q := ¬ q;
if q then u := s(u) else w := s(w) fi
done
end

Observe that program M halts for arbitrary initial data in the data structure
N (i.e.for all initial values of x and y).

DEFINITION 3.2.6true

Definition 3.2.13 Let Z be an arbitrary set of variables. We say that two

valuations v, v’ coincide up to the set Z, written symbolically as
v = v’ off Z,
if v(x)=v’(x) for all variables x which are not in Z.
*
Although, in our formalization, the input to a program is defined as the in-
finite sequence of the values of all variables, it is evident from the definition
that the result does not depend on all of them. What are the important values
for a given program M? Obviously a program does not change variables which
are not in its text. Thus the following holds
v = MA(v) off V(M)
where V(M) is the set of variables occurring in the text of M.
Let us denote by Vout(M) the set of variables which occur in the program
M on the left-hand side of at least one assignment instruction. If program
M has a result at the initial valuation v in data structure A, then, by the
3.2. SEMANTICS 45

definition of a computation,
MA(v) = v off Vout(M).
It is a simple observation that the result does not depend on the values of the
variables which occur only on the left-hand side of assignment instructions.
They play the role of auxiliary var-iables. By analogy with bounded variables
in formulas, we can call them bounded variables of the program.
Let Vin(M) denote the variables in M which occur in tests or on the right-
hand side of assignment instructions. Changes to the values of these variables
may change the result and, moreover,
v=v’ off(V-Vin(M)) implies MA(v)=MA(v’).
Variables from the set Vin(M) are similar to free variables in formulas and
we call them free variables of the program. Note that the sets Vin(M) and
Vout(M) are not necessarily disjoint.

To end this section we recall, once again, that a program is a formal

expression. The way in which it will be executed depends on the assumed
semantics and data structure, which together determine the interpretation
of all objects appearing in the program.
EXAMPLE 3.2.4

Example 3.2.14 Consider the following program M

begin
z := x;
u := y;
while z ̸= 0 ∧ u ̸= 0
do
if z¿u then z := z-u else u := u-z fi
od;
if z=0 then z := u fi
end.

All variables that occur in the program are of the same type, > is a two-
argument predicate, − is a two-argument functor, and 0 is a constant.
(1) Let
A =< Z, 0, −; >, =, >
be the structure of the integers with the constant 0, one two-argument function
− (minus) and two binary relations > (greater than) and = (the equality
relation). If v defines the initial data which satisfy v(x) ̸= 0 and v(y) ̸= 0,
then, after execution of M , the value of z is the greatest common divisor of
46 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

v(x) and v(y).

(2) Let A2 be the data structure
A2 =< W [x], 0, −; >, =>,
where W [x] is a ring of polynomials over the field of rational numbers, 0
is the zero element of this ring, − is a two-argument operation such that
w1-w2= w1modw2 is the modulus of w1 with respect to w2, >is the ordering
relation on the set of polynomials ( w1>w2 iff the degree of w1 is greater then
the degree of w2 or the coefficient of the greatest power of x at which the two
polynomials differ is greater in w1 than in w2).
After execution of the same program M in the data structure A2, the value
of z is the greatest common divisor of the polynomials given as initial values
of x and y.
(3) Let
A3 =< O, 0, −; >, =>
be the data structure in which the universe O is the set of all segments on
the real plane and such that 0 is the empty segment, − is the difference of
segments, and > is the relation ”to be longer”.
After execution of M in data structure A3 the value of the variable z is the
greatest common divisor of the given two segments. Observe that in this
data structure there are initial valuations for which program M has infinite
computations.

chapter:3,page:1

3.3 Semantic properties of programs

3.3.1 The halting problem
One of the fundamental questions which every programmer must answer is :
whether his program M has a finite computation for arbitrary initial data?
In other words whether his programs halts for all valuations. From the point
of view of a user waiting for the result of the computation, a program which
may never terminate is not acceptable. The problem we are talking about is
called “the halting problem“. We can consider three variants of it.

Definition 3.3.1 HALT (M ) ≡ program M has finite computations for all

data in all data structures.
HALT (M, A) ≡ program M has finite computations for all initial data in
the fixed data structure A.
HALT (M, A, v) ≡ program M halts for the initial valuation v in data struc-
ture A.
3.3. SEMANTIC PROPERTIES OF PROGRAMS 47

Example 3.3.2 Let M1 , M2 , M3 be programs in the language L such that

M1 : while q do q := ¬q done
M2 : while x ̸= 0 do x := x − 1 done
M3 : while x ̸= y do x := x + 1 done .
Program M1 halts in every structure for arbitrary initial data.
Program M2 halts for every initial data in the structure of the natural numbers
with zero and predecessor −1.
Program M3 halts in the data structure of the natural numbers with successor
only if the initial data v satisfy the relation v(x) ≤ v(y).

3.3.2 Program correctness

We begin with an example.

Example 3.3.3 Consider the following problem: find a program M , which

computes square root of a given positive number x with a given precision ε
in the structure of the real numbers R. Let the result be stored as the value
of the variable y.
We will say that M is a proper solution to our problem if for any initial
valuation v in R, such that the value of x is
ppositive (i.e. v(x) > 0p
), the result
v ′ of program M satisfies the condition ( v(x) − ε) < v′(y) < ( v(x) + ε).
The following program M :
begin
z := 0;
if x¡1 then y :=1 else y := x fi;
while ¬ |z − y| < ε
do
z := y;
y := (z + xz )/2
done
end.

is a proper solution to our problem. The computation of M creates a sequence

of real numbers such that
y0 = max(v(x), 1)
yi+1 = (yi + v(x)/yi )/2.
Note that, for every i,
if v(x) < 1,then v(x) ≤ yi ≤ 1 and if v(x) ≥ 1,then 1 ≤ yi ≤ v(x).
Moreover, the sequence is monotonic (∀i)yi+1 ≤ yi if y0 >p1 and (∀i)yi+1 ≥
yi otherwise.Thus the sequence{yi }i∈N has a limit which is v(x). Hence the
48 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

program M does not loop for v(x) ≥ 0. Additionally, the condition control-
√ M i.e.|yi + 1 − yi | < δ is small enough. As a
ling the loop in the program
consequence we have |y − x| < ε

Definition 3.3.4 A program M is correct with respect to a precondition α

and a postcondition β in the data structure A iff for any valuation v in A,
the validity of condition α implies that the result of the program M exists and
satisfies the condition β.

Let us stress that correctness of a program M with respect to a precon-

dition α implies the existence of a finite successful computation of M for
valuations satisfying this condition. This is usually all we require, but it is
very difficult to prove. Hence, we consider another, weaker property called
partial correctness.

Definition 3.3.5 A program M is partially correct with respect to a precon-

dition α and a postcondition β in the data structure A if, for all initial data
for which the program halts, the satisfaction of α by the initial data implies
satisfaction of β after execution of the program M by the result.

Example 3.3.6 Let M be the following program

begin
z:=1;
u:=x; w:=y;
while y¿0
do
if even(w)
then
u:=u*u; w:=w/2
else
z:=z*u; w:=w-1
fi
done
end

Consider the structure R of the real numbers with the usual interpretation of
the functors and predicates appearing in the program. Program M is partially
correct with respect to the precondition true and the postcondition (z = xy )
and is correct with respect to the precondition “y is a natural number“ and
the postcondition (z = xy ).
3.3. SEMANTIC PROPERTIES OF PROGRAMS 49

3.3.3 Strongest postcondition

Let A be a fixed data structure and M a program. What are the properties
of the results when we consider only data satisfying a fixed condition which
guarantees that program M has a finite successful computation? Thus we
are interested in properties of the co-domain of the partial function MA (cf.
Fig.3.6).
Fig.3.6

Definition 3.3.7 By the strongest postcondition of a formula α with respect

to a program M in a data structure A, we mean a formula β which satisfies
the following conditions:
(1) for all initial data, if the computation of M has a result and the formula
α is satisfied, then the result of program M satisfies the condition β (we say
that β is a postcondition of α with respect to the program M ) and
(2) for any condition δ, if δ is a postcondition of α with respect to the program
M , then β implies δ in the structure A (the formula β is then the strongest
postcondition of α with respect to M ).

Example 3.3.8 Consider the program M

begin
z:=x; y:=1;
while z − y ≥ 0
do
z:=z-y;
y:=y+2
done
end

in the structure of the real numbers R with the usual interpretation of the
symbols +, −, 0, 1, 2, =, ≥ .
The variable y takes on the values of the consecutive odd numbers. As a
result, after execution of the ith iteration, the values of variables z, y are,
respectively,
v(x) − 1P− 3 − 5 − ... − (2i − 1) and (2i + 1).
Since (2j − 1) = i2 ,
0≤j≤i
the value of variable z after the ith iteration is v(x) − i2 . The instruction
“while“ is executed until the difference v(x) − i2 − (2i + 1) is less than zero,
i.e. when we find a natural number n, such that
(n + 1)2 > v(x) and n2 < v(x).
50 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS
jp k2
The value of the variable z is equal to v(x) − v(x) , and the value of y
jp k
is 2 (x) + 1. Briefly, if the condition v(x) > 0 holds for the initial data
v, then the program M has a finite, successful computation, and the value of
variable z is the distance from the greatest integer square number less than
v(x).
The formula √ √
2
β ≡ (z = x − ⌊ x⌋ ) ∧ (y = 2 ⌊ x⌋ + 1) ∧ x > 0
is the strongest postcondition of the formula a ≡ x>0 with respect to program
M in the data structure considered.
Indeed, if R, v |= x > 0, then, after execution of the program M , the valuation
MR (v) satisfies the formula β from the above analysis. The condition (1) of
the definition is thus satisfied.
Let δ be a formula such that for any valuation v,
R, v |= a and v ∈ Dom(MR ) implies R, MR (v) |= d.
Consider any valuation v’ and let R,v’|= b. Then
jp k2
v ′ (y) = 2 v ′ (x) + 1,
jp k2
v ′ (z) = v ′ (x) − v ′ (x) ,
v ′ (x) > 0.
Hence R, v ′ |= α, and therefore the program M has a finite computation at
the initial valuation v ′ , i.e. v ′ ∈ Dom(MR ). Using our assumption, we then
have R, MR (v ′ ) |= (δ ∧ β). Since the behaviour of the program M depends
only on the value of the variable x, which, in fact, does not change during
the computation, the resulting valuation MR (v ′ ) may differ from the initial
valuation only on variables y or z. According to the above analysis, the values
of variables z, y after execution of the program M satisfy condition β. As a
consequence, MR (v ′ ) = v ′ and R, v ′ |= δ and finally R, v ′ |= (β =⇒ δ) for all
valuations v ′ , i.e. R |= (β =⇒ δ).

3.3.4 Weakest precondition

Let M be a program and β some fixed condition. What are the initial
conditions on data which ensure that the results of program M satisfy the
condition β in the structure A (cf. Fig.3.7)? In the other words, how can we
characterize the domain of function MR ?
Fig.3.7

Definition 3.3.9 By the weakest precondition of a formula β with respect

to a program M in a data structure A we mean a formula α which satisfies
the following conditions:
3.3. SEMANTIC PROPERTIES OF PROGRAMS 51

(1) for all initial data in A, which satisfy the condition α, the results of M
satisfy the condition β, (i.e. α is a precondition of the formula α with respect
to the program M ) ,
(2) for any formula δ, if δ is a precondition of the formula β with respect to
the program M , then in the structure A, δ implies α.

Example 3.3.10 Let us consider the program M of the form

x:= insert(x,y)
in the data structure of queues Q with the natural interpretation of the functor
insert. We assume that x is a variable of type queue, and y a variable of type
element of queue.
The weakest precondition of a formula ¬empty(x) with respect to the program
M is the formula ¬empty(insert(x, y)). Observe, that in the data structure
Q, the formula ¬empty(insert(x, y)) is valid under each valuation.
The situation is not always so simple. Let K be a program of the form:
while ¬first(x)=y ∧ ¬empty(x)
do
x:=delete(x)
od

The weakest precondition of a formula α of the form

(¬empty(x) ∧ f irst(x) = y)
in the structure of queues Q is the condition which states that y is an element
of queue x. This condition can be written as the following infinite disjunction
(which however does not belong to the language FOL) :
((¬empty(x) ∧ f irst(x) = y) ∧
(¬empty(delete(x)) ∧ f irst(delete(x)) = y) ∧ ...
(¬empty(deleten−1 (x)) ∧ f irst(deleten−1 (x)) = y) ∧ ...)
If the initial valuation is such, that for some n, v(x) is an n-element queue
and v(y) ∈ v(x), then after removing at most (n − 1) first elements we obtain
a queue with first element v(y).

3.3.5 Invariants
In many tasks we are interested in what goes on inside the computation
process. We are interested more in what properties are unchanged during
computation than how the initial valuation differs from the result. In this
class of problems we find, for example, simulation programs and operating
systems.

Example 3.3.11 Let us consider a program for the management of seat

reservations in an airline-ticket agency. The property which must necessarily
52 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

be continuously valid is, for example:

number of passengers ≤ number of places

Definition 3.3.12 By an invariant of a program M in a structure data A,

we mean a property α such that, for any computation of the program M in the
structure A, if the initial valuation satisfies α, then any valuation obtained
during computation of the program M also satisfies the condition α.

3.3.6 Equivalence of programs

Let K and M be two programs obtained as solutions of some task. Are they
equivalent? In what sense?
One possible criterion of equivalence of programs is as follows: for all
x ∈ V , the value of variable x after execution of K is equal to the value of
variable x after execution of the program M , for the same initial data.

Example 3.3.13 Consider the two programs

K : begin M : begin
z := 0; z := y;
while ¬z = y while ¬z = 0
do do
z := z + 1; z := z − 1;
x := x + 1 x := x + 1
done done
end end
in the structure R of the real numbers with the usual interpretation of the
symbols +, −, =, 1.
According to the above definition of equivalence of programs, K and M are not
equivalent although this violates our intuition about what equivalence should
mean. Both programs computes the sum of x and y if the value of y is a
natural number and both loop indefinately otherwise. The programs K, M
differ only in the “auxiliary“ variable z.

The above naive example shows that the criterion of equivalence of pro-
grams is too strong. This suggests that we must restrict our consideration
to some important variables, from the point of view of the task to be solved.
This leads us to the following example of a criterion which goes in this di-
rection:
3.3. SEMANTIC PROPERTIES OF PROGRAMS 53

Definition 3.3.14 Programs K, M are equivalent with respect to a set of

variables X in the structure A iff
(1) for all initial data v, K has a finite computation iff M has a finite com-
putation
v ∈ Dom(KA ) iff v ∈ Dom(MA ) and
(2) if for any fixed initial data both programs have finite successful computa-
tions, then the results are identical on the set of variables X,
if v ∈ Dom(KA ) then KA (v) = MA (v) off X .
Example 3.3.15 Let K and M be programs that compute the square root of
x, when the value of variable x is a positive number greater than 1, in the
structure of real numbers R. The result of the computation is stored as the
value of the variable y.
K: begin
a := 1; b := x;
M: begin
while ¬(b-a)<d
z := 0; y := x;
do
while ¬ abs(z-y)<d
y := (a+b)/2;
do
if (a2 -x)(y2 -x)<0
z := y;
then
y := (z+x/z)/2
b := y else a := y
od
fi
end
od
end
The program K computes the square root using the bisection algorithm while
the program M computes the square root using the iteration method. The
programs K and M are not equivalent with respect to the variable y since
the obtained approximations of a square root can be different. Nevertheless
we can consider these programs to be equivalent since they compute the same
function.
The last example leads to another definition of equivalence: equivalence
with respect to a set of properties.

Definition 3.3.16 Programs K and M are equivalent in the structure A

with respect to the set of properties Z iff for all α ∈ Z and for all initial data
the result of one program satisfies the condition α if and only if the result of
the second satisfies the condition α.

This ends our selection of examples of semantic properties of programs.

The world of semantics contains other phenomena. They may be of interest
in certain cases.
54 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

In this section we have presented some interesting and useful semantic

properties of programs.
Nasz dalszy program polega na skonstruowaniu jezyka (zbioru formul),
w ktorym mozna wyrazic powyzsze wlasnosci, a nastepnie na dostarczeniu
rachunku (logika algorytmiczna) stanowiacego narzedzie dowodzenia, badz
odrzucania, tych formul, a w konsekwencji wlasnosci semantycznych pro-
gramow.
In what follows we are going to express these properties by means of
formulas in algorithmic language and prove them by means of logic tools
which will be introduced later.

3.4 Algorithmic language

We observed earlier that the first-order language FOL is not sufficiently pow-
erful to express some properties of algebraic structures (relational systems).
Many properties of programs are also not expressible in this language. There-
fore, we propose an algorithmic language LA lg , an extension of languages of
first-order formulas and of deterministic iterative programs. The new lan-
guage contains both and extends the set of formulas.
Lemma 3.4.1

Lemma 3.4.1 The halting property is not expressible in the first-order lan-
guage.

Proof. Assume the contrary, that for any program M there exists a
formula αM such that for every data structure
(3.1) αM ≡ program M halts on all input data
Consider the program M of the form
begin x := 0; while ¬y = x do x := succ(x) od end
and the class of structures N at similar to the standard model of the natural
numbers N =< N, 0, +1; =>. We define N at to be the class of models for
the following set of classical first-order formulas
(∀x) succ(x) = succ(x)
(∀x) ¬(succ(x) = 0)
(∀x)(∀y) (succ(x) = succ(y) =⇒ x = y).

Remark 3.4.2 If A ∈ N at and the program M halts for all initial data in
the structure A, then A is isomorphic to N.

Proof. Let A =< A, const, f ; => and A ∈ N at. Then

(3.2) f (a) ̸= const for every a ∈ A, and
3.4. ALGORITHMIC LANGUAGE 55

(3.3) f is a one-to-one total function.

Let h be the function defined on the set N such that
h(0) = const and h(n) = f n (const) for n ≥ 1. Note that h is a homomor-
phism which maps N into A, since, for all n, we have

h(n + 1) = f n+1 (const) = f (f n (const)) = f (h(n)).

From the definition of the function h, the constant const is the value of h at
0. If a ∈ A, then for the initial valuation v such that v(y) = a, the program
M has result v ′ and for some m ∈ N, v ′ (x) = f m (const) = v(y). Hence
h(m) = a, which means that a is a value of h. As a consequence, h maps N
onto the set A.
Consider two different natural numbers n ̸= m such that n > m. If h(n) =
h(m), then f n (const) = f m (const). By property (3.3), applied m times,
f (f n−m−1 (const)) = const and n − m − 1 ≥ 0. Since the last equality
contradicts (3.2), we can deduce that h(n) ̸= h(m) for n ̸= m.
We can then conclude that h is an isomorphism from N onto A, which ends
the proof of remark.
Proof. (ctd.) If A is a data structure isomorphic to N, then program M
halts in A for any initial data (cf. section 2.3). Hence by property (3.1) we
have
⊢ αM iff
HALT S(M, A) iff
M halts for any initial data in the structure A iff
A is isomorphic to the standard structure of the natural numbers N.
Since this last property is not expressible in a first-order language (cf. Grze-
gorczyk [21]), there is no first-order formula αM which expresses the halting
property of the program .M . in the class N at.
The above example shows that in order to formally express, and later to
analyze, the properties of programs or data structures, we must extend the
language defined in the previous chapter, cf. [40].
Let Π denote the class of iterative programs over the first-order language
L =< A, T, F > where A is the alphabet, T is the set of terms and F is the
set of formulas.
definition 3.4.1

Definition 3.4.3 By the set of algorithmic formulas over Π, we mean the

set F (Π), which is the smallest set satisfying the following conditions:
(1) F ⊆ F (Π),
(2) If α, β ∈ F (Π), then the expressions ¬α, (α∨β), (α∧β), (α =⇒ β), (∃x)α,
(∀x)α are elements of F (Π),
56 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS
S T
(3) If α ∈ F (Π) and K ∈ Π, then expressions (Kα), Kα, Ka are in
F(Π).
S T
The symbols and will be called iteration quantifiers in contrast to
classical quantifiers ∃ and ∀.
definition 3.4.2

Definition 3.4.4 By the algorithmic language over a class of programs Π,

we mean the system L(Π) =< A(Π), T, F (Π), Π > such that A(Π) is an
extension of the alphabet of L to include the programming constructs begin,
end, if, then, else, fi, while, do, done, T is the set of terms, F (Π) is
the set of formulas, and Π is the set of programs.

The meaning of terms and classical formulas of the language L(Π) in a

data structure A is defined as for the first-order language (cf. section 2.3).
To give a complete definition of the semantics of the algorithmic language
L(Π) it is sufficient to define the semantics of algorithmic formulas.
Let M be an arbitrary program, M ∈ Π, α an arbitrary formula, α ∈
F (Π), and v an arbitrary valuation in the data structure A.
A, v |= (M α) iff the computation of the program M on initial data v is
finite and successful, and the result of this computation satisfies the formula
α.
Thus the meaning of algorithmic formula (M α) is obtained as a compo-
sition of meaning of program M together with the meaning of the formula α
(cf. Fig. 3.8).
Fig. 3.8
TheSmeaning of the iterative quantifiers is defined by:
A, v |= T M α iff (∃i)A, v |= (M i α)
A, v |= M a iff (∀i)A, v |= (M i α).
EXAMPLE 3.4.2

Example 3.4.5 Let us determine the value of the following algorithmic for-
mula :
(q := γ)α ≡ (if γ do q := true else q := f alse f i)α
in an arbitrarily chosen data structure A at an arbitrary valuation v.
A, v |= (q := γ)α iff A, (q := γ)A (v) |= α iff
A, v ′ |= α and v ′ (q) = γA (v), v ′ (z) = v(z) off q iff
[A, v ′ |= α and v ′ (q) = true, v ′ (z) = v(z) off q and A, v |= γ or
A, v ′ |= α and v ′ (q) = f alse, v ′ (z) = v(z) off q and A, v |= ¬γ] iff
[A, v ′ |= α and v ′ = (q := true)A (v) and A, v |= γ or
A, v ′ |= α and v ′ = (q := f alse)A (v) and A, v |= ¬γ] iff
3.4. ALGORITHMIC LANGUAGE 57

A, v ′ |= α and A, v |= γ , v ′ = (if γ do q := true else q := false fi)A (v) iff

A, v |= (if γ do q := true else q := false fi)α .
The above remarks prove that the formula
(q := γ)α ≡ (if γ do q:=true else q:=false fi)α.
is valid at any valuation in any data structure.

REMARK

Remark 3.4.6 If in some data structure A, for a valuation v the compu-

tation of a program M is infinite or unsuccessful then independently of the
value of α, the value of the algorithmic formula (M α) at the valuation v is
false.

LEMMA 3.4.1

Lemma 3.4.7 The formula

(3.4) (if γ then K else M fi)α ≡ ((γ ∧ Kα) ∨ (¬γ ∧ M α))
is valid in any data structure for the algorithmic language L(Π), in which α,
γ are formulas, and K, M are programs.

PROOF
Proof. Let A be arbitrary fixed data structure for L(Π), and let v be
arbitrary valuation in A such that
A, v |= if γ then K else M fi α.
By the definition of the semantics of formulas there exists a finite successful
computation of the program if γ then K else M fi, whose result v ′ satisfies
α. By lemma 3.2.1, we have
v ′ ∈ (if γ then K else M fi)A (v) iff
A, v |= γ and v′ = KA (v) or A, v |= ¬γ and v ′ = M A(v).
Putting together the above facts we have
A, v |= ((γ ∧ Kα) ∨ (¬γ ∧ M α)).
Since all steps of our reasoning are equivalent statements,
A, v |= (if γ then K else M fi) α ≡ ((γ ∧ Kα) ∨ (¬γ ∧ M α)).
We have thus proved that the formula (3.4) is satisfied for any valuation in
the structure A; it is therefore valid in A.
LEMMA 3.4.2

Lemma 3.4.8 The formula S

(3.5) while γ do M od α ≡ if γ then M fi (¬γ ∧ α)
(in which α, γ are formulas, and M is a program) is valid in any data
structure for the algorithmic language L(Π).
58 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

Proof. Let A be an arbitrary data structure for L(Π), and v be an arbi-

trary valuation in A such that A, v |= while γ do M od α.
There exists a finite, successful computation of the program while γ do M
od, and the result of the computation satisfies α. Let v ′ = (while γ do M
od)A (v). By lemma 3.2.1 there exists an i ∈ N , such that A, v |= M j γ
for j < i and v ′ = MAi (v) and A, v |= M i ¬γ. As a consequence, the
computation of the program (if γ then M fi)i is finite and successful and
v ′ = (if γ then M fi)iA (v) and A, v ′ |= (¬γ ∧ α).
From the definition
S of the iteration quantifier we have
(3.6) A, v |= if γ then M fi(¬γ ∧ α).
Conversely, let condition (3.6) be satisfied for some valuation v in A. Then
there exists an i such that
A, v |= (if γ then M fi)i (¬γ ∧ α).
Let n be the least natural number i with the above property. Since the com-
putation of (if γ then M fi)n is finite and successful, the computations of
all programs (if γ then M fi)j for all j < n are also finite successful, and,
in particular, the value of the test γ is defined. Moreover, if for some j, the
result of the program (if γ then M fi)j satisfies ¬γ, then the result of the
program (if γ then M fi)j+1 also satisfies ¬γ (the results of these programs
are identical). Thus n is the least natural number such that
A, v |= (if γ then M fi)n (¬γ ∧ α)
A, v |= (if γ then M fi)j γ for j < n and
(if γ then M fi)jA (v) = MAj (v) for j ≤ n.
Hence, n is the least natural number such that A, v |= M j γ for j < n and
A, v |= M n (¬γ ∧ α). By lemma 3.2.1, the program while γ do M od has a
finite computation, and its result satisfies the formula α, i.e.
A, v |= while γ do M od α.
We have therefore proved that property (3.5) is valid in any data structure
A.
LEMMA 3.4.3
Lemma 3.4.9 The following formula is valid in every data structure
T T
Proof. (a ∧ K(a =⇒Ka))=⇒ Ka.
Assume that
T for some valuation v in the structure A,
A,v|= a∧ K(a=⇒Ka). T
By the definition of the quantifier , we have A,v|= a and, for every i, A,v|=
Ki(a =⇒ Ka). Thus, for every i∈N, if A,v|= Kia, then A,v|= Ki+1a, and
A,v|= a. By the principleTof mathematical induction, for every i3 0, A,v|=
Kia, and therefore A,v|= Ka. Since T both the structure
T and the valuation
were arbitrary, the formula ((a∧ K(a=⇒Ka))=⇒ Ka) is an algorithmic
tautology.
3.4. ALGORITHMIC LANGUAGE 59

The formula whose validity we have just proved can be viewed as an

algorithmic version of the principle of induction.
EXAMPLE 3.4.3

Example 3.4.10 Let S be the data structure of stacks. Consider the formula
of the form
M (empty(x) ∧ empty(y) ∧ bool),
where bool is a propositional variable, and M is the following program :
begin
bool:= true;
while (¬empty(x) ∧ ¬empty(y) ∧ bool)
do
bool:= bool ∧ top(x)=top(y);
x:=pop(x);
y:=pop(y)
od
end
For any valuation v in the structure S, we have
S, v |= M (empty(x) ∧ empty(y) ∧ bool)
if and only if the stack x has the same contents as the stack y.
Let K denote the program occurring in the above example between do, and
od andS let γ denote the formula (¬empty(x) ∧ ¬empty(y) ∧ bool). Then
S |= if γ then K fi¬γ
for every valuation v in S. In fact, if v is an arbitrary valuation and i is
equal to the minimum of lengths of the stacks v(x) and v(y), then after the
i-th deletion of elements, one of the stacks will be empty. Hence
S, v |= (if γ then K fi)i ¬γ .
If we know that the value of variable x at the valuation v is a stack with n
elements,
T then
S, v |= if γ then K fi true ≡ (if γ then K fi)n ¬γ.

Algorithmic formulas of the form M α are natural and useful tools which
allow us to formulate properties of algorithms. We continue the discussion
of this problem in the next section. In some applications it is convenient to
use (cf. Chapter 5) a version of the algorithmic language which allow us to
use notonly algorithmic formulas but also algorithmic terms.
definition 3.4.3

Definition 3.4.11 The set of algorithmic terms is the smallest set which
contains all individual variables and such that
(1) If τ1 ,..,τn are algorithmic terms of type t1 , .., tn and f is n-argument func-
tor of type t1 × ... × tn −→ t, then the expression f (τ1 , .., τn ) is an algorithmic
60 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

term of type t. then the expression of the form f (τ1 , .., τn ) is an algorithmic
term of type t,
(2) If τ is an algorithmic term of type t and M is an arbitrary program, then
the expression M τ is an algorithmic term of type t.

REMARK

Remark 3.4.12 According to above definition, the set of classical terms is

a proper subset of the set of algorithmic terms.

The semantics of algorithmic terms of the form M τ is based on the same

idea as the semantics of formulas of the form M α and is illustrated in figure
3.9.
Fig. 3.9
For all fixed data structures A and valuations v, the result (M τ )A (v) is
defined iff the program M has a finite successful computation at the valuation
v and for result v’ of this computation τA (v ′ ) is defined. If the value (M τ )A (v)
is defined then the following equality holds
(M τ )A (v) = τA (M (v)).
EXAMPLE 3.4.4

Example 3.4.13 Let M be the program of the form

while x≥y do x:=x-y done.
The algorithmic term M x defines, in the structure of the natural numbers,
the two-argument function whose value, for arguments x, y, is the remainder
of the division of x by y.

Remark

Remark 3.4.14 For arbitrary A and v, if the values of all the terms which
occur in all the expressions below are defined, then
A, v |= M f (τ1 , ..., τn ) = f ((M τ1 ), ..., (M τn ))
A, v |= M ′ (M τ ) = (begin M ′ ; M end)τ.

This simple observation allows us to formulate the following lemma. The

proof is by induction with respect to the structure of terms, and is left to the
reader.
LEMMA 3.4.4

Lemma 3.4.15 For any algorithmic term τ , there exists a program M and
a variable x such that for every A and v
(1) v ∈ Dom(MA ) iff v ∈ Dom(τA ) and
(2) if (M x)A (v), τA (v) are defined then (M x)A (v) = τA (v).
3.5. EXPRESSIVENESS OF THE AL LANGUAGE 61

3.5 Expressiveness of the AL language

In this section we will show that all properties of programs and of data struc-
tures which are mentioned earlier are expressible in the algorithmic language
L(Π).
We shall assume as usual that A is an arbitrary data structure, M, K are
arbitrary programs and α, β are arbitrary formulas in the language L(Π).
LEMMA 3.5.1

Lemma 3.5.1 A |=M true iff all computations of M in the structure A are
finite and successful.

PROOF
If the result of a computation of M is defined then it obviously satis-
fies the formula true. Conversely, if for some valuationv, A, v|=M true,
then according to assumed meaning of algorithmic formulas, there exists a
successful, finite computation of program M .
♢

Definition 3.5.2 Let us denote by loop(M ) the formula defined recursively

as follows
df
loop(x := ω) = false
df
loop(begin M1 ;M2 end) = loop( M1 ) ∨ (M1 loop(M2 ))
df
loop(if γ then M1 else M2 fi) = ((γ∧ loop(M1 ))∨(¬γ∧loop(M2 )))
df S
loop(while γ do M od) = (¬M γ) ∨ (γ ∧ ( if γ then M fi)(γ ∧loop(M ))).

LEMMA 3.5.2

Lemma 3.5.3 For any valuation v in A, A, v|=loop(M ) iff M has an infinite

computation for initial data v.

PROOF
The proof proceeds by induction with respect to the structure of the
program M . If program M is an assignment instruction, then M has no
infinite computation no matter what the data structure and valuation are.
Assume that the theorem is valid for program K and that M is of the form
while γ do S K od. If A, v|=loop(M ), then by the definition of loop,
A, v|=γ∧ if γ then K fi (γ∧loop(K)) or A, v|= ¬Kγ.
In the first case A, v|= γ and there exists a natural number n such that
A, v|= if γ then K fin (γ∧loop(K)).
62 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

Therefore, there are valuations v0 = v, v1 , ..., vn−1 , vn such that vi =

KA (vi−1 ) for i < n and A, vn |=(γ∧loop(K)). Let Θi be a computation of
the program K with initial valuation vi , i ≤ n (by our inductive hypothesis
Θn is an infinite computation). Then the sequence Θ1 Θ2 ...Θn is an infinite
computation of the program while γ do K od.
If A, v|= ¬Kγ, then each iteration of program K has a finite computation
and its result satisfies γ. This means that K in the program while γ do K
od will be executed infinitely many times.
To prove the converse, observe that A, v|= γ is a necessary condition for the
existence of an infinite computation of program M at initial valuation v.
Moreover
(1) either after some finite number of iterations program K has an infinite
computation
(2) or each iteration of program K has a successful computation which result
satisfies formula γ.
These two cases corresponds to the validity of the formula ¬Kγ or the for-
mulaS
(γ∧ if γ then K fi(γ∧loop(K))).
As a result A, v|=loop(M ).
The proof for the other forms of program M follow analogously.
♢
Next, let us consider unsuccessful computations. A computation is un-
successful if during the computation an operation is encountered which at
the current valuation has an undefined value. Similarly as in the case of
looping, this property can be defined recursively.

Definition 3.5.4 Let us denote by fail(M) a formula defined recursively:

df
f ail(x := ω) = ¬(x := ω)true
df
f ail(q := γ) = false
df
f ail(if γ then M1 else M2 fi)=(γ∧f ail(M1 )∨¬γ∧f ail(M2 ))
df
f ail(begin M1 ; M2 end)=(f ail(M1 )∨M1 f ail(M2 ))
df S
f ail(while γ do M od)=(γ ∧ if γ then M fi (γ∧f ail(M ))).

LEMMA 3.5.3

Lemma 3.5.5 For any valuation v in A, A, v|=f ail(M ) iff M has an un-
successful computation at the initial valuation v in A.

The proof proceeds by induction with respect to the structure of programs

and is similar to those presented above.
3.5. EXPRESSIVENESS OF THE AL LANGUAGE 63

♢
LEMMA 3.5.4

Lemma 3.5.6 A |=(α =⇒ M β) iff program M is correct with respect to the

precondition α and postcondition β in A.

PROOF
Suppose that A, v |=(α =⇒ M β) for some valuation. If A, v |= α, then
by this assumption A, v |= M β. According to the semantics of formulas,
there exists a finite computation of M at initial valuation v and the result
v ′ = MA (v) of this computation satisfies β, i.e. A, v ′ |= β. Hence the post-
condition is valid.
Conversely, the validity of the precondition α guarantees the existence of a
finite successful computation (cf. def.3.3.2) and guarantees that the result
satisfies β. Thus, if for some valuation v, A, v |= α, then . Therefore

A, v |= (α =⇒ M β) (3.1)
.♢
The partial correctness property of a program M with respect to formulas
α and β is expressible by the algorithmic formula ((α∧M true) =⇒ M β).
Validity of this formula in the data structure A means that whenever the
initial data satisfies precondition α and the program M has a finite successful
computation at v in A, then the result of the program M satisfies formula β.
LEMMA 3.5.5

Lemma 3.5.7 The formula of the form (M α) is the weakest precondition of

the program M with respect to the formula α.

PROOF
Let A, v |=(M α) for some valuation v in A. According to the semantics
of algorithmic formulas, the result v ′ of program M is defined and A, v ′ |= α.
Thus M α is a precondition of M with respect to the formula α.
Consider any formula δ such that the property A, v|= δ implies the exis-
tence of a valuation v ′ satisfying v ′ = MA (v) and A, v ′ |= α. Hence A, v|= δ
implies A, v|=M α, and therefore for any valuation v, A, v|=(d =⇒ M α).
This proves that (M α) is the weakest precondition of M with respect to the
formula α.
♢
In what follows we use the following denotations and definitions.
An element of a vector x will be denoted by x, the i-th element is denoted
as usual by xi . Two vectors of variables x, y will be called corresponding iff
64 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

their lengths are equal, say equal to n, and, for i = 1, ..., n, the type of xi
is the same as the type of yi . If x, y are corresponding vectors and x ∈ x,
then the corresponding element of the vector y is denoted by y. Let x be the
sequence of all variables that occur in the formula M α and let y be a sequence
of different variables corresponding to x such that x ∩ y = ∅. Let α(x/y)
denote the formula and M (x/y) the program, obtained, respectively from a
formula α and a program M , by simultaneous replacement of all occurrences
of variables from the sequence x by the corresponding variables from the
sequence y. By (∃y) we denote the sequence of quantifiers (∃y1 )...(∃yn ).
LEMMA 3.5.6

Lemma 3.5.8 The formula β = (∃y)(α(x/y) ∧ M (x/y)(x = y)) is the

strongest postcondition of the program M with respect to the formula α.

PROOF
Consider a valuation v in A such that
(3.7)
A, v|=(α ∧ M true) (3.2)
There exists a valuation v ′ such that
v ′ = MA (v) and A, v|= α.
Denote by v ′′ the valuation obtained from v ′ by the following changes of
the values of the variables in y,
v ′′ (y) = v(x) for y ∈ yv ′′ (x) = v ′ (x) for x ∈ x.
By our assumption, we have
A, v ′′ |= α(x/y) and A, M (x/y)A (v ′′ ) |= x = y.
Hence and from the definition of the existential quantifier,
A, v ′ |= (∃y)(α(x/y) ∧ M (x/y)(x = y)).
Since v ′ = MA (v), and using (3.7), we have finally A, v|=((α ∧ M true) =⇒ M β).
The above reasoning is valid for any valuation and we have therefore proved
that the program M is partially correct with respect to the formulas α and
β,
A |=((α ∧ M true) =⇒ M β).
Now, assume now that δ is any formula such that
A |=((α ∧ M true) =⇒ M δ).
We will prove that A |= (β =⇒ δ). Assume on the contrary, that for some
valuation v,
(3.8)A, v |= β and non A, v|= δ.
The formula β forces the existence of an initial valuation v ′ satisfying α
and for which the program M has a finite computation.
A, v|=β iff (∃v ′ )A, v ′ |= α and v = MA (v ′ ).
3.5. EXPRESSIVENESS OF THE AL LANGUAGE 65

Hence, and from assumption (3.8), non A, v ′ |= M δ and simultaneously

A, v ′ |= α and A, v ′ |= M true. Thus non A, v ′ |= ((α ∧ M true) =⇒ M δ),
which contradicts our assumption that δ was a postcondition.
♢
By an invariant of a program, we mean a formula which, if valid on the
initial data, is then also valid during all steps of the computation. We shall
try to define this property by means of algorithmic formula.

Definition 3.5.9 Let invα (M ) be a formula defined recursively with respect

to the structure of a program M as follows
df
invα (x := ω)=((x := ω)true =⇒ (x := ω)α)
df
invα (q := γ)=(q := γ)α
df
invα (if γ then M1 else M2 fi)=((γ∧invα (M1 )∨(¬γ ∧ invα (M2 ))
df
invα (begin M 1; M 2 end)=(invα (M1 ) ∧ M1 invα (M2 ))
df T
invα (while γ do M od)=( if γ then M fi (γ =⇒ invα (M )).

LEMMA 3.5.7

Lemma 3.5.10 For every formula α,

A |= (α=⇒invα (M )) iff α is an invariant of M .

PROOF
If M is an assignment instruction x := ω, where x is an individual variable
and ω is a term, then for any valuation v, M has either a finite successful
computation or a finite but unsuccessful computation. Thus
A |= ((α∧ (x := ω)true) =⇒ (x := ω)α)
exactly when α is an invariant of x := ω. Analogously for the assignment
instruction of the form q := γ.
Assume (inductive assumption), that, for all programs K which are of
simpler structure than M , the lemma holds, i.e.
A |= (α=⇒invα(K)) iff α is an invariant of K.
Consider a program M of the form while γ do K od and suppose that
(3.9) \
A |=(α=⇒ if γ then K fi (γ =⇒ invα (K)) (3.3)
Suppose that the sequence of all valuations that occur in the computation
of M , at the initial valuation v, has the following form:
Θ = v1 , Θ1 , v2 , Θ2 , ..., vn , Θn , vn+1 , ...
where v1 = v and vi , Θi , vi+1 denote the sequence of valuations which
occur in the computation of K which leads from vi to vi+1 for i ≤ n. Sup-
pose that, for i < n, all valuations in the sequence vi , Θi , vi+1 satisfy α. In
66 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

particular, A, v |= α for i ≤ n. Since v1 , Θ1 , v2 , Θ2 , ...Θn−1 , vn is the sequence

of all valuations that occur in the computation of (if γ then K fi)n−1 , and
by assumption (3.9), we have
A, v |= (if γ then K fi)n−1 (γ =⇒ invα (K)),
and therefore
(3.10)A, vn|=(γ =⇒ invα (K)).
If A, vn |= ¬γ, then the computation of M is finite and either unsuccessful
or vn is its result. In both cases, all states of the computation satisfy formula
α. If A, vn |= γ, then, by property (3.10), A, vn |= invα(K). Since we also
have A, vn |=α, by our inductive assumption, all states of the computation
of K from the initial state vn satisfy α. Thus all elements of the sequence
v1 , Θ1 , ..., vn , Θn , vn+1 satisfy the formula α. Standard inductive reasoning
leads to the conclusion that each state of each computation of M satisfies
the formula α. This justifies the lemma in the case that M = while γ do K
od.
We leave to the reader the verification of the remaining cases.
♢

Definition 3.5.11 Assume the following definition:

df
⊥α (z := ω)=(α ∨ (z := ω)α)
df
⊥α (if γ then M1 else M2 fi)=(α ∨ (γ∧ ⊥α (M1 ))∨(¬γ ∧ ⊥α (M2 )))
df
⊥α (begin M1 ; M2 end)=(⊥α (M1 )∨M1 (⊥α (M2 )))
df S
⊥α (while γ do M od)= (α ∨ if γ then M fi(γ∧ ⊥α (M )))
LEMMA 3.5.8

Lemma 3.5.12 For any formula α and any program M , A |= ⊥α M iff

each computation of M in A has a state which satisfies the formula α.

Proof.
It suffices to show, that, for any valuation v in the data structure A, the
following property holds:
(3.11) A, v|= ⊥α M iff there exists a state in the computation of M, from
the initial valuation v, which satisfies α.
Assume that the formula α is not satisfied by the valuation v, since oth-
erwise the lemma is trivial. The proof proceeds by structural induction.
If M is an assignment instruction of the form x := ω, then the valuation
[x := ω]A (v) is defined and satisfies the formula α. Obviously the theorem
holds in this case.
Assume property (3.11) for all programs which are simpler than M . If
M is of the form if γ then M1 else M2 fi then the computation of M is
3.5. EXPRESSIVENESS OF THE AL LANGUAGE 67

identical to the computation of M1 or to the computation of M2 depending

on the value of formula γ. By our inductive assumption, the property (3.11)
is therefore valid. In the case of the composed instruction begin M1 ; M2 end
the computation of M consists of the computation of M1 , followed by the
computation of M2 starting from the initial valuation M1A (v) (provided that
the computation of M1 was successful). The valuation which satisfies the
formula α occur in the computation of M1 or in the computation of M2 .
By our inductive assumption on the programs M1 and M2 ,property (3.11) is
valid for M .
We now examine the case of the iteration instruction, i.e. let M = while
γ do K od. Consider the computation of M from the initial valuation v in A.
Independently of the length of the computation, the consecutive valuations
that occur in it can be obtained as the elements of the computation (from
the same initial state v) of if γ then K fin , for some n. In particular, the
valuation v ′ satisfying the formula α, is an element of the computation of
the program if γ then K fin , for some n. Let n be the least natural number
with this property. Thus
- v ′ does not belong to the computation of program if γ then K fin−1
- the result v ′′ of if γ then K fin satisfies γ, A, v ′′ |= γ and
- v ′ belongs to the computation of K from the valuation v ′′ .
Hence A, v|= if γ then K fin−1 (γ∧ ⊥α K) for some n, which means that
S
A, v|= if γ then K fi(γ ∧ ⊥α K). Thus the property (3.11) has been
proved. The lemma follows immediately. ♢
Algorithmic formulas also allow to express properties of a different char-
acter. As an example, consider the formulas
(if γ then M fi)n ¬γ
and
(if γ then M fi)n γ.
Validity of the first formula in the structure A means that the length of
all computations of the program while γ do M od in A are bounded by
(n ∗ const), assuming that const is the length of all computations of M in
A. The validity of the second formula means that a lower bound for all
computations of while γ do M od in A is (n ∗ const).
In the previous section we presented some definitions of equivalence of
programs. In two subsequent lemmas, we show how to express equivalence
of programs by means of algorithmic formulas. The simple proofs of these
lemmas are omitted.
Let x be the set of all variables that occur in the programs K and M ,
and let y be a corresponding sequence of different variables x∩y=∅.
LEMMA 3.5.9
68 CHAPTER 3. DETERMINISTIC ITERATIVE PROGRAMS

Lemma 3.5.13 Programs K and M are equivalentS with respect to the set of
variables z in the structure AV, z ⊆ V (K) V V (M ) (cf. Definition 3.3.8) iff
A |= (y := x) K(M (x/y)∧ (x = y)) ∧ (Kq ≡ M q) ∧ (Ktrue ≡ M true)
x∈z∩Vi q∈z∩V0

□
LEMMA 3.5.10

Lemma 3.5.14 Programs K and M are equivalent in the structure A with

respect to a set of formulas Z (cf. Definition 3.3.8) iff for any formula α ∈ Z,
A |=(M α ≡ Kα) .

□
Algorithmic formulas allow us to express some properties of data struc-
tures in which the computations are performed. For example,we can mention
two properties: “to be a natural number“ and “to be a finite stack“. The
formula
(x := 0)(while ¬x = y do x := x + 1 od true)
is satisfied in the data structure of real numbers by a valuation v if and only
if v(y) is a natural number.
The formula
while ¬empty(x) do x := pop(x) od true
is satisfied in the structure of stacks by a valuation v if and only if v(x) is a
finite stack. We shall discuss other properties of data structures in Chapter
5.
Chapter 4

Algorithmic Logic

This chapter presents the formal system of algorithmic logic. The logic was
designed to allow formal proofs of semantic properties of programs and data
structures. Henceforth, this system will be denoted by AL(Π), in this way
we indicate that the system is relative to the class of deterministic iterative
programs. In later chapters, we discuss algorithmic logics of others classes of
programs.

4.1 Axiomatization
The goal of axiomatization is achieved when a set of formulas, called axioms,
and a set of inference rules is given, such that all formulas valid in the as-
sumed semantics, and only these formulas, are provable from the axioms. For
this reason, the axioms cannot be an arbitrary set of formulas. They must
themselves be valid formulas. Moreover, the inference rules must preserve
the validity of formulas, i.e. they must lead to valid conclusions if the given
premises are valid. The process of deduction of a formula from a given set
of axioms with the help of given inference rules is called a formal proof.
Studying the validity of a formula using only semantic methods only is,
in general, a complicated and tedious activity. The axiomatic method of
inferring formulas from a set of admitted premises (i.e. axioms) sometimes
reduces and simplifies this process.
Definition 4.1.1

Definition 4.1.1 Let X be a set of formulas, and let β be a formula. A pair

(X, β) is called an inference rule. The formulas from the set X are called
the premises, and the formula β is called the conclusion of the inference rule.

69
 70 CHAPTER 4. ALGORITHMIC LOGIC

Traditionally an inference rule is denoted by

X
β

If we are able to prove all premises in an inference rule, then by applying

the rule we prove the conclusion of the rule. Inference rules are usually
presented in the form of schemes. As an example, the following scheme is an
inference rule for all formulas α , γ and all programs K, M .
Kα, M α
if γ then K else M fi α
The rule says: if the formula α is satisfied after any execution of the
program K and after any execution of the program M , then the formula
α is satisfied after any execution of the program if γ then K else M fi
independently of the form of the formula γ.
We say that a formal deductive system is defined when a triple consisting
of a formal language, a set of axioms and a set of inference rules is given.
definition 4.1.2

Definition 4.1.2 By algorithmic logic of deterministic, iterative programs

we understand the system AL(Π) determined by the language L(Π) (c.f. 3.2)
and by the set Ax of axioms and the set IR of inference rules listed below.

Axioms

Ax1 ((α =⇒ β) =⇒ ((β =⇒ δ) =⇒ (α =⇒ δ)))

Ax2 (α =⇒ (α ∨ β))
Ax3 (β =⇒ (α ∨ β))
Ax4 ((α =⇒ δ) =⇒ ((β =⇒ δ) =⇒ ((α ∨ β) =⇒ δ)))
Ax5 ((α ∧ β) =⇒ α)
Ax6 ((α ∧ β) =⇒ β)
Ax7 ((δ =⇒ α) =⇒ ((δ =⇒ β) =⇒ (δ =⇒ (α ∧ β))))
Ax8 ((α =⇒ (β =⇒ δ)) ≡ ((α ∧ β) =⇒ δ))
Ax9 ((α ∧ ¬α) =⇒ β)
Ax10 ((α =⇒ (α ∧ ¬α)) =⇒ ¬α)
Ax11 (α ∨ ¬α)
 4.1. AXIOMATIZATION 71

Ax12 ((x := τ )true =⇒ ((∀x)α(x) =⇒ (x := τ )α(x)))

where term τ is of the same type as the variable x
Ax13 (∀x)α(x) ≡ ¬(∃x)¬α(x)
Ax14 K((∃x)α(x)) ≡ (∃y)(Kα(x/y)) for y ∈
/ V (K)
Ax15 K(α ∨ β) ≡ ((Kα) ∨ (Kβ))
Ax16 K(α ∧ β) ≡ ((Kα) ∧ (Kβ))
Ax17 K(¬α) =⇒ ¬(Kα)
Ax18 ((x := τ )γ ≡ (γ(x/τ ) ∧ (x := τ )true)) ∧ ((q := γ′)γ ≡ γ(q/γ′))
Ax19 begin K; M end α ≡ K(M α)
Ax20 if γ then K else M fi α ≡ ((¬γ ∧ M α) ∨ (γ ∧ Kα))
Ax21 while γ do K od α ≡ ((¬γ ∧ α) ∨ (γ ∧ K(while γ do K od(¬γ ∧ α))))
\ \
Ax22 Kα ≡ (α ∧ (K Kα))
[ [
Ax23 Kα ≡ (α ∨ (K Kα))

Inference rules IR :
α, (α ⇒ β)
R1
β
(α ⇒ β)
R2
(Kα ⇒ Kβ)
{s(if γ then K fi)i (¬γ ∧ α) =⇒ β}i∈N
R3
(s(while γ do K od α) =⇒ β)
{(K i α =⇒ β)}i∈N
R4 S
( Kα =⇒ β)
{(α =⇒ K i β)}i∈N
R5 T
(α =⇒ Kβ)
(α(x) =⇒ β)
R6
((∃x)α(x) =⇒ β)
(β =⇒ α(x))
R7
(β =⇒ (∀)α(x))

In rules R6 and R7 , it is assumed that x is a variable which is not free in

β, i.e. x ∈ / F V (β). The rules are known as the rule for introducing an
existential quantifier into the antecedent of an implication and the rule for
introducing a universal quantifier into the successor of an implication. The
72 CHAPTER 4. ALGORITHMIC LOGIC

rules R4 and R5 are algorithmic counterparts of rules R6 and R7 . They are

of a different character, however, since their sets of premises are infinite. The
rule R3 for introducing a while into the antecedent of an implicationis of a
similar nature. These three rules are called ω-rules.
The rule R1 is known as modus ponens, or the cut rule.
In all the above schemes of axioms and inference rules, α, β, δ are arbi-
trary formulas, γ and γ ′ are arbitrary open formulas, τ is an arbitrary term,
s is a finite sequence of assignment instructions, and K and M are arbitrary
programs.
The deductive system consisting of the language containing only pro-
positional variables and logical connectives ∧, ∨, ¬, ⇒ axioms Ax1 - Ax11 and
the inference rule R1 is called classical propositional calculus. (c.f. [44,33]).
The deductive system determined by the first-order language L, the ax-
ioms Ax1 − Ax13 and the rules R1 , R6 , R7 is called classical predicate calculus
or classical logic (c.f.[44,33]).
Algorithmic logic is an extension of classical predicate calculus to include
certain axioms and rules that characterize the new types of operators which
appear in the algorithmic language. We observe that the rules R1 , R6 and
R7 have finitely many premises. In algorithmic logic we also encounter rules
with infinitely many premises. Since the sets of axioms and inference rules
determine the notion of formal proof, the consequences of admitting the ω-
rules will become evident in the process of proving formulas.
definition 4.1.3

Definition 4.1.3 By a (formal) proof of a formula α starting from the set

of formulas Z we mean a pair (D, d), where D is a set of finite sequences
of natural numbers, and d is a function from the set D into the set F (Π) of
formulas. The set D is ordered by the relation to be an initial segment. The
function d and the set D satisfy the following conditions:
(1) every linearly ordered subset of the set D is finite,
S
(2) if c = (i1 , ..., in ) ∈ D, then d(c) ∈ Ax Z if and only if there is no
j ∈ N such that (i1 , ..., in , j) ∈ D,

(3) if (i1 , ..., in , j) ∈ D and d((i1 , .., in , j)) = αj , j ∈ J, J ⊂ N then c =

(i1 , ..., in ) ∈ D and d(c) is the conclusion in a certain inference rule in
which the formulas {αj }j∈J are the premises,

(4) the empty sequence ∅ belongs to D and d(∅) = α.

We observe that the set D in the definition forms a tree. The elements of D
are its nodes. The nodes which are n-element sequences of natural numbers
4.1. AXIOMATIZATION 73

form the n-th level of the tree. Two nodes c and c′ are connected by an edge
if and only if c is a node on level n, of the form (i1, ..., in), and c′ is a node
on level n + 1 and c′ = (i1, ..., in, j) for certain i1, ..., in, j ∈ N . The node c′
is called the successor, or the son, of the node c. The nodes which have no
son are called leaves of the tree D. The node which is not a son of any node
is called the root of D. The tree D, labeled by formulas in accordance with
the above definition, is called the proof tree of the formula associated with
the root of D.
Example 4.1.2

Example 4.1.4 Let Z = {α, M true}, where α is an arbitrary formula and

M is an arbitrary program. Figure 4.1 represents the proof of formula M α
from the set Z.

Fig.4.1
example 4.1.3

Example 4.1.5 Let α, β, γ be any formulas. Figure 4.2 represents the

formal proof of the formula

((α ∨ γ) =⇒ (β ∨ γ))

from the assumption (α ⇒ β).

Fig.4.2
If the rules which we apply in a proof have finitely many premises then
the tree is finite: - it contains only finitely many nodes. Hence in classical
logic every proof is finite. As an immediate corollary we obtain the follow-
ing property: if a formula α has a proof in classical logic, from a set Z of
formulas, then it has a proof from a certain finite subset Z0 ⊂ Z. the set
Z0 contains precisely those formulas of Z which appear in a certain formal
proof of α. Thus every theorem of classical logic is a consequence of a finite
set of premises.
Unfortunately, in algorithmic logic the situation is much more compli-
cated. A formal proof is not necessarily finite. If a rule with infinitely many
premises is used at least once then the width of the tree is infinite. It may
also happen that all branches of a tree are finite but that no upper bound
on their lengths exists: this means that the tree has infinitely many levels.
example 4.1.4

Example 4.1.6 Let Z be the infinite set of formulas

Z = {0 ≤ 0, 0 ≤ s(0), 0 ≤ s(s(0)), . . . 0 ≤ si (0), . . . }

 74 CHAPTER 4. ALGORITHMIC LOGIC

and let α be the formula of the form

¬begin x := 0; while 0 ≤ x do x := s(x) od end true.

A formal proof of the formula α from the set Z is given in Figure 4.3. Note
that all branches of the proof are finite but, for every natural number n, there
exists in the tree a branch of the length n.

Fig.4.3
To check whether a given, finite tree labeled by formulas is a proof, is
a rather simple task. Both the set of axioms and the set of inference rules
contain only finitely many schemes. Definition 4.1.3 leads us to a straight-
forward algorithm to answer this question in the case of a finite tree. To
construct a proof of a certain formula α is, however a completely different
problem. In general, we cannot guess whether the formula has a proof or
not. If it has one, then it is impossible to guess its form. Obviously one
formula can have many proofs. We cannot say a priori which rules will be
used, which assumptions are necessary. The process of building a proof is a
creative process requiring a certain ingenuity.
The system presented in this section, a so called Hilbert-like system, is not
appropriate for the goal of automatization. There exist other formal systems
of algorithmic logic which permit a mechanized proofs, up to a certain extent.
One such system is a Gentzen-like system which will be presented later in
this book.
definition 4.1.4

Definition 4.1.7 If a formula α has a proof from a set Z of formulas we

denote this by Z ⊢ α and read: the formula α has a proof from the set Z. If
the formula has a proof from the axioms of algorithmic logic only, we write
⊢ α, and we call the formula a theorem of algorithmic logic. The function
C : 2F → 2F such that, for a given set Z of formulas, C(Z) is the smallest
set containing Ax ∪ Z and closed with respect to the inference rules is called
the operation of syntactical consequence. If α ∈ C(Z) we say that α is a
syntactical consequence of the set Z.

The following properties of the operation C are a direct consequence this

definition.
Lemma 4.1.1

Lemma 4.1.8 For arbitrary sets of formulas Z, Z1 , Z2 the following proper-

ties hold

(1) if Z1 ⊆ Z2 , then C(Z1 ) ⊆ C(Z2 ),

 4.1. AXIOMATIZATION 75

(2) Z ⊆ C(Z),
(3) C(C(Z)) = C(Z).
(4) For every formula α, Z ⊢ α iff α ∈ C(Z).

In other words, if a formula α is a consequence of a set Z then it is also a

consequence of each superset of Z. Each formula of the set Z is also the
consequence of the set. The consequences of the consequences of a set Z
are in C(Z). The last property asserts the equivalence of the relations “to
possess a proof from Z“ and “to be a consequence of Z“.
We can formulate the following, simple lemma which follows immediately.
lemma 4.1.2

Lemma 4.1.9(1) If α is a theorem of classical propositional calculus then α

is a theorem of algorithmic logic.
(2) If α is a theorem of classical predicate calculus then it is a theorem of
algorithmic logic.

DEfinition 4.1.5

Definition 4.1.10 Let Z be a certain set of formulas. If from the fact that
for every i ∈ I, αi ∈ Z it follows that the formula β ∈ C(Z), then the scheme

{αi }i∈I
β

is called a secondary inference rule.

jak sie ma Z do I?
An example of a secondary inference rule is

α⇒β
(α ∨ δ) ⇒ (β ∨ δ)

(c.f.example 4.1.3).
Below we present other examples of secondary inference rules. These rules
are helpful for they permit the simplification of the proofs.
example 4.1.5

Example 4.1.11 For every i ∈ N , for every program M , for any open for-
mula γ and any formula α, the following formula is a theorem of algorithmic
logic AL(Π).

(if γ then M fi)i (¬γ ∧ α) ⇒ while γ do M od(¬γ ∧ α). (4.1)

76 CHAPTER 4. ALGORITHMIC LOGIC

Proof. the proof proceeds by induction with respect to the number i. For
i = 0 we have

⊢ (¬γ ∧ α) ⇒ while γ do M od(¬γ ∧ α)

as a simple consequence of axioms Ax21 and Ax3 .

Let us assume (inductive hypothesis) that

⊢ (if γthen M fi)k (¬γ ∧ α) ⇒ whileγdo M od(¬γ ∧ α).

By axiom Ax20

⊢ (if γ then M fi)k+1 (¬γ∧α) ⇒ (γ∧M (if γ then M fi)k (¬γ∧α))∨(¬γ∧(if γ then M fi)k (¬γ∧

Applying rule R2 to the inductive hypothesis and making use of axioms

Ax1 − Ax4 (c.f.example 4.6.1), we obtain

⊢ (∧M (if γ then M fi)k (¬γ ∧ α)) ⇒ (γ ∧ M (while γ do M od(¬γ ∧ α)))

and
⊢ (¬γ ∧ (if γ then M fi)k β ⇒ (¬γ ∧ α)).
Hence by axioms Ax1 , Ax5 − Ax9 (c.f. example 4.1.3),

⊢ (if γ then M fi)k+1 (¬γ ∧ α) ⇒ (γ ∧ M (while γ do M od(¬γ ∧ α)) ∨ ¬γ).

Finally by the axiom Ax21 , we obtain

⊢ (if γ then M fi)k+1 (¬γ ∧ α) ⇒ while γ do M od(¬γ ∧ α).

By the rule of mathematical induction we have proved that the formula (4.1)
has a proof for any natural number i. example 4.1.6
Example 4.1.12 For every set Z of formulas, the set C(Z) is closed with
respect to the following secondary inference rule called the invariant. rule
(α ⇒ M α)
((α ∧ while γ do M od true) ⇒ while γ do M odα)
where α is an arbitrary formula, M any program and γ is any open formula
(i.e. a formula without quantifiers or programs).
Proof. We will prove that if the premise of the rule has a proof in AL,
then the conclusion also has a proof. The rule is a helpful tool in proving
properties of iterative programs. Suppose that

Z ⊢ (α ⇒ M α) (4.2)
4.1. AXIOMATIZATION 77

We shall prove, by induction with respect to i, that the formula

((α ∧ if γ then M fii ¬γ) ⇒ while γ do M odα) (4.3)

has a formal proof from the set Z in algorithmic logic. Denote by IF the pro-
gram if γ then M fi and by WH the program whileγdo M od. It is fairly
obvious, by axioms Ax2 , Ax21 and by modus ponens, that

⊢ ((α ∧ ¬γ) ⇒ WHα)

Let us assume (inductive hypothesis) that for a certain j

Z ⊢ ((α IFj¬γ) ⇒ WHα).

By axiom Ax20 we have,

⊢ IFj+1 ¬γ ⇒ (γ ∧ M (IFj ¬γ) ∨ ¬γ ∧ (IFj ¬γ)),

and using Ax5 and the assumption 4.2 we obtain,

Z ⊢ (α ∧ IFj+1 ¬γ) ⇒ ((γ ∧ M α ∧ M (IFj ¬γ)) ∨ (¬γ ∧ α))

Putting together the last formula, axiom Ax16 , the inductive hypothesis and
formula 4.1 proved in the previous example, we obtain

Z ⊢ (α ∧ IFj+1 ¬γ) ⇒ ((γ ∧ M (WHα)) ∨ (α ∧ ¬γ)).

By axiom Ax21 we have

Z ⊢ (α ∧ IFj+1 ¬γ) ⇒ WHα

and hence formula 4.3 has been proved for every natural number i. Applying
axiom Ax8 we can transform formula 4.3 to the form required in ω-rule R3 .
The rule leads to the conclusion

Z ⊢ (WH true ⇒ (α ⇒ WHα)).

Applying axiom Ax8 once again, we obtain

Z ⊢ ((α ∧ WH true) ⇒ WHα),

which is what we were trying to prove. Example 4.1.7

Example 4.1.13 The following scheme is a secondary inference rule in AL
(α ⇒ β)
while β do K od true ⇒ while α do K od true
78 CHAPTER 4. ALGORITHMIC LOGIC

Proof. We will give a proof that, for every set Z of formulas, for all formu-
las α, β and every program K, if the premise has a proof from Z then the
conclusion of the rule has a proof from Z .
Z ⊢ (α ⇒ β) {assumption}
Z ⊢ (¬β ⇒ ¬α) {propositional calculus}
Z ⊢ (¬β ⇒ while α do K od true) {Ax2 and Ax21 }
Assume (inductive hypothesis) that, for some i ∈ N ,
Z ⊢ if β then K fii ¬β ⇒ while α do K od true.
df df
Let IF = if β then K fi and WH = while α do K od.
⊢ if β then K fii+1 true ⇒ (¬β ∧ IFi true ∨ β ∧ K(IFi true))
⊢ (¬β ∧ IFi true ∨ β ∧ K(IFi true)) ⇒ (¬β ∨ β ∧ K(IFi true))
{The following line comes from the inductive hypothesis, by R2 andthe secondary rule of F
Z ⊢ (¬β ∨ β ∧ K(IFi true)) ⇒ ((¬α ∨ β ∧ K(while α do K od true))
But
⊢ ¬α ∨ β ∧ K(WH true) ≡ ¬α ∨ ¬α ∧ β ∧ K(WH true) ∨ α ∧ β ∧ K(WH true),
and hence
Z ⊢ (¬β ∨ β ∧ K(IFi true)) ⇒ (¬α ∨ α ∧ K(while α do K od true))
Z ⊢ (¬α ∨ α ∧ K(while α do K od true)) ⇒ while α do K od true
From this sequence of statements, by axiom Ax1 and by modus ponens, we obtain
Z ⊢ if β then K fii+1 true ⇒ while α do K od true.
By the principle of induction, we can assert that, for every natural numberi,
Z ⊢ if β then K fii true ⇒ while α do K od true.
We can now apply the rule R3 and conclude the proof
Z ⊢ while β do K od true ⇒ while α do K od true.

4.2 On the completeness of algorithmic logic

In this section we justify the choice of axioms and inference rules. We prove
that the formal system of algorithmic logic is adequate for the semantics we
defined earlier. It means that, the system does not admit a proof of a false
formula, all formulas which possess a proof are valid. Moreover, for every
valid formula there exists a proof.

Lemma 4.2.1 All axioms of the system AL(Π) are tautologies.

Proof. (a) Consider axiom Ax18 in which τ is a term, γ is an open formula,

and x is a variable

(x := τ )γ(x) ⇔ (γ(x/τ ) ∧ (x := τ )true).

4.2. ON THE COMPLETENESS OF ALGORITHMIC LOGIC 79

Let A be a fixed data structure and v a valuation of variables. Observe that

the formula (x := τ )true is satisfied by every valuation v such that, v belongs
to the domain of τA (c.f. section 2.3). Therefore

A, v |= (x := τ )γ(x) iff v ∈ Dom(τA )

and there exists a finite, successful computation of the program (x := τ ),

and the result v ′ of the computation satisfies the formula γ(x).
For every valuation v ′ such that, v ′ (x) = τA (v), A, v |= γ(x/τ ) iff A, v ′ |=
γ(x), hence finally A, v |= (x := τ )γ(x) iff A, v |= (γ(x/τ ) ∧ (x := τ )true).
(b) Consider the axiom Ax21

whileγdoM odα ⇔ ((¬γ ∧ α) ∨ (γ ∧ M (whileγdoM odα))).

We will show that every formula of the above scheme, is satisfied in every
data structure A by every valuation v.
A, v |= while γ do M odα) iff there exists a finite, successful computation
of the program while γ do M od, the result of which satisfies the formula α
iff there exists i ∈ N such that v ∈ Dom(Mj )A , for j < i, and A, v |= Mj γ
for j < i and A, v |= Mi (¬γ ∧ α) iff A, v |= (¬γ ∧ α) or there exists i1 ̸= 0,
such that, for j + 1 < i A, v |= M (M j γ and A, v |= M (M i−1 (¬γ ∧ α),
v ∈ Dom(MA ) and MA (v) ∈ Dom(MAi−1 ) iff A, v |= (¬γ∧α) or v ∈ Dom(MA )
and there exists i1 ̸= 0, such that, for j < i − 1, A, MA (v) |= M j γ, MA (v) ∈
Dom(M i−1 A) and A, MA (v) |= M i−1 (¬γ ∧ α) iff A, v |= (¬γ ∧ α) or v ∈
Dom(MA ) and there exists i ∈ N , such that M A(v) ∈ Dom(M jA) for
j < i and A, MA (v) |= M j , for j < i, and A, MA (v) |= M i (¬γ ∧ α) iff A, v |=
(¬γ ∧α) or A, v |= γ and v ∈ Dom(M A) and A, MA (v) |= whileγ do M od α
iff A, v |= ((¬γ ∧ α) ∨ (γ ∧ M while γ m M od α)). In the remaining cases
the proof of the lemma is similar. The lemma we just proved, asserts
that every axiom of the system A(Π) is a scheme of formulas which are valid
in any data structure. Now, we shall prove that every inference rule of the
system leads from valid premises to valid conclusions.
Lemma 4.2.2 For every inference rule of the system AL(Π) of the form
(Z, α), and for every data structure A, if A |= Z, then A |= α.
Proof. The proof consists in verifying that, for every rule, the validity of its
premises implies the validity of its conclusion.
Consider rule R2
α⇒β
Mα ⇒ Mβ
Let ( α ⇒ β) be a formula which is valid in a data structure A . Assume
that, for a certain valuation v, A, v |= M α. From this, it follows that
80 CHAPTER 4. ALGORITHMIC LOGIC

v ∈ Dom(MA ) and A, MA (v) |= α. By our assumption on the validity of

the premise of the rule, we have A, MA (v) |= β , hence A, v |= M β . The
valuation v was chosen arbitrarily, hence A |= (M α ⇒ M β), which ends the
proof of the soundness of rule R2.
Consider rule R3
(s(if γ then M fi)i (¬γ ∧ α) ⇒ β)i∈N
swhile γ do M odα) =⇒ β
where s is any sequence of assignment instructions, γ is an open formula, α
, β are arbitrary formulas and K, M are any programs.
Let A be a data structure and v a valuation such that

A, v |= s (while γ do M od α)andnon A, v |= β.

Then, by the lemma 3.4.2, there exists i ∈ N , such that

A, sA(v) |= (if γ then M fi)i (¬γ ∧α)and A, v |= s (if γ then M fi)i (¬γ ∧α).

By our assumption that non A, v |= β , there exists i ∈ N , such that

non A, v |= (s(if γ then M fi)i (¬ ∧ α) ⇒ β).

Therefore the i-th premise of the considered rule is false. By contradiction

we have thus proved that if all premises of the rule R3 are formulas valid in
the data structure A , then the conclusion of rule R3 is also valid in the data
structure A .
{(β ⇒ K i α)}i∈N
Consider rule R5 T Assume that for every i ∈ N , A |= (β ⇒
(β ⇒ Kα)
i
T α) and suppose that for a certain valuation v A, v |= β and non A, v |=
K
Kα . By the definition of iteration quantifier (c.f. section 3.4) there exists
an n ≥ 0 such that nonA, v |= K n α and consequently

non A |= (β ⇒ K n α)

which leads to the negation of the assumption. Consider rule R7

β ⇒ α(x)
β ⇒ (∃x)α(x)

Suppose that A |= β ⇒ α(x)) and assume that, for a certain valuation v,

A, v |= β and non A, v |= (∃x)α(x). By the definition of the quantifier ∃ (cf.
section 2.3), there exists a value a of variable x such that A, vxa |= ¬α(x).
Since the variable x does not occur as a free variable in the formula β, we
4.2. ON THE COMPLETENESS OF ALGORITHMIC LOGIC 81

see that A, vxa |= β . From this it follows that non A, vxa |= (β ⇒ α(x)),
which contradicts our assumption that the premise of the rule is valid at
every valuation.
The proofs in the remaining cases are analogous to the cases already consid-
ered.
The theorem which we will now prove is called the adequacy of axioma-
tization theorem and summarizes the above discussion.

Theorem 4.2.3 For an arbitrary formula α and every set Z of formulas, if

there exists a proof of α from the set Z, then the formula α is valid in every
model A for Z.
Z ⊢ α implies Z |= α .

Proof. From the assumption Z ⊢ α it follows that there exists a formal

proof ⟨D, d⟩ of the formula α from the set Z. Let A be a model for the set Z.
Observe that if there is a formula βn on level n of the proof tree ⟨D, d⟩ which
is not valid in A, then by lemma 4.2.2 one of the formula-premises used to
infer βn is also not valid in A. Hence, on the level n + 1 there exists a formula
βn+1 which is also non valid in A and the corresponding nodes are connected
by an edge. Therefore if formula α is non valid in A, then there exists a path
(in the proof D of α ) on which all formulas are not valid in A. In particular,
the formula assigned to the leaf is not valid. This contradicts either lemma
4.2.1 or the assumption of the theorem. For the formula assigned to the leaf
is either a tautology (by lemma 4.2.1) or is valid in A (by the assumption).
Since we did not assume anything about the model for Z, the formula α is
therefore valid in any model for Z.
We can observe the following corollary of the above theorem.

Corollary 4.2.4 The system AL(Π) is consistent.

There is no formula α such that both α and its negation ¬α have formal proofs
in the system. If such a formula existed, then, by the above theorem, both
α and ¬α would be valid in any data structure. This is clearly impossible.
Theorem 4.2.3 can be expressed in the following way: if a formula α is
a syntactical consequence of a set Z of formulas, then it is also a semantic
consequence of the set Z.
The system AL(Π) does not admit a proof of a falsifiable (i.e. not valid)
formula. This raises another question: does the system have the property
that every valid formula has a proof? The following theorem, called com-
pleteness theorem, answers this question.
82 CHAPTER 4. ALGORITHMIC LOGIC

Theorem 4.2.5 For every set Z of formulas and for every formula α
α ∈ C(Z) iff α ∈ Cn(Z)

The detailed and difficult proof of this theorem is given elsewhere. Those
readers interested in the method for proving the completeness theorem are
advised to consult [40].
The following example shows how to apply the completeness theorem in
order to show the existence of a proof. We could produce a formal proof, but
the reasoning presented below is much shorter and easier to understand.
Example 4.2.1

Example 4.2.6 Suppose that Vout (K) ∩ V (α) = ∅ for a formula α and a
program K. Then the formula

Kα ⇔ (α ∧ Ktrue)

is a theorem of algorithmic logic.

Indeed, for every data structure A and for every valuation v,

A, v |= KαiffA, v |= KtrueandA, KA (v) |= α.

Since by assumption, the variables which can have the values changed as a
result of performing the program K do not occur in the formula α, hence
αA (KA (v)) = αA (v).
As a consequence, for any data structure A we have A |= Kα ⇔ (α∧Ktrue).
By the completeness theorem we obtain ⊢ Kα ⇔ (α ∧ Ktrue). This result
can also be presented as an inference rule
Ktrue, α
where Vout (K) ∩ V (a) = ∅.
Kα
which is a convenient tool in proofs of properties of programs .
□
example 4.2.2

Example 4.2.7 We shall prove that, for arbitrary programs K, M and for
every formula α , such that V (M α) ∩ V (K) = ∅,
⊢ M (Kα) ⇔ (M α ∧ Ktrue)
and ⊢ K(M α) ⇐⇒ M (Kα).

Proof. Applying rule R2 to formula Kα ⇐⇒ (α ∧ Ktrue) we obtain

M (Kα) ⇐⇒ (M α ∧ M (Ktrue)).
 4.2. ON THE COMPLETENESS OF ALGORITHMIC LOGIC 83

Since, by assumption, programs K and M do not have common vari-

ables, the formula M (Ktrue) ⇐⇒ (Ktrue ∧ M true) is valid in every
data structure, which by the completeness theorem concludes the proof of
M (Kα) ⇐⇒ (M α ∧ Ktrue). If in formula (4.4) we replace the formula by
(M α), we get ⊢ K(M α) ⇐⇒ (M α ∧ Ktrue). Applying axiom Ax1 to the
last two statements, we obtain ⊢ M (Kα) ⇐⇒ K(M α)
Let us summarize the results of above considerations. A formula is a
theorem of algorithmic logic if and only if it is a tautology. Moreover, the
syntactic and the semantic consequence operations coincide. Thus the formal
system of algorithmic logic AL(Π) allows us to use both semantic or syntactic
methods to check the validity of a given algorithmic property.
Unfortunately, as we observed earlier, formal proof’s construction is not
an automatic procees and is by no means, easy. The existence of the ω-rules
is one of the important sources of difficulty. Let us examine the necessity of
this rule. Is it possible to characterize completely the set of all valid formulas
by means of a finitary axiomatization (that is, by means of rules with only a
finite number of premisses)?

Lemma 4.2.8 The ω-rules can not be avoided and replaced by any (finite or
infinite) set of finitary rules.

Proof. Let X be such a system. The following postulates are valid (by
assumption):

(Z1) all inference rules of X are finite,

⊢
(Z2) for every set Z of formulas and every formula α , Z |= α iff Z X α (i.e.
the formula α has a proof from Z in X).

Let Z be the following set of formulas

{(x := 0)0 ≤ x, ..., (x := 0)((x := succ(x))i 0 ≤ x), ...}
and let α be the following formula
¬(x := 0)(while 0 ≤ x do x := succ(x) odtrue).
Observe that Z |= α . Thus by assumption (Z2) we have Z ⊢ α , ie. the
formula α has a proof from the set Z in the system X. Although the set Z
is infinite, the formal proof of α in system X is finite by assumption (Z1).
Thus there exists a subset Z0 ⊂ Z which contains all formulas that appear
⊢
in the proof of the formula α and such that Z0 X α . We will show that this
leads to contradiction.
Consider an arbitrary finite subset ZI of the set Z. It is obviously deter-
mined by those natural numbers representing the number of iterations of the
program (x := succ(x)) in the formulas of the set ZI . Let
84 CHAPTER 4. ALGORITHMIC LOGIC

ZI = {(x := 0)(x := succ(x))i 0 ≤ x}i∈I

and let A be the data structure
A = ⟨N, 0, succ, 0 ≤⟩ >
where succA is the usual successor operation in N , 0 is the constant zero and
0 ≤A is the one-argument relation in N defined by
(0 ≤)A (n) = true iff n ∈ I.
Thus for any valuation v, we have
((x := 0)(x := succ(x))i 0 ≤ x)A(v) = (0 ≤)A succiA (0) = (0 ≤)A (i).
Hence
A, v |= (x := 0)(x := succ(x))i 0 ≤ x iff i ∈ I
and therefore A is a model of the set ZI . Since I is a finite subset of N ,
there exists a natural number j such that, j ∈ / I. We then have
non A, v |= (x := 0)(x := succ(x))j 0 ≤ x.
The program begin x := 0; while 0 ≤ x do x := succ(x) od end thus
has a finite computation in the data structure A , which implies non A |= α
.
This demonstrates that, for any finite subset ZI of Z, there exists a model
for ZI which is not a model for α . As a consequence non ZI |= α . This
contradiction proves the impossibility of satisfying both assumptions (Z1)
and (Z2) . The ω-rules, although not very convenient themselves, enable
us to prove many useful secondary inference rules, (cf. Def. 4.1.5), which
allow us to prove properties of programs in a finitary way. Below we present
an example of such a secondary rule.
example 4.2.3

Theorem 4.2.9 The following schema is a sound inference rule

K1 true, K2 true
while γ doM od α ⇔ while γ do K1 ; M ; K2 od α
where γ is any quantifier-free formula, α is any formula, and K1 , K2 , M are
programs such that Vout (K1 )∩V (M γ ∨α) = ∅ and Vout (K2 )∩V (M γ ∨α) = ∅.

Proof. Let Z be any set of formulas. If Z ⊢ K2 true, then by the rule (4.4)
we have
Z ⊢ (γ ⇐⇒ K2 γ).
Applying rule R2 we have
Z ⊢ K1 (M γ) ⇐⇒ K1 (M (K2 γ)).
Similarly, if Z ⊢ K1 true, then by rule (4.4)
Z ⊢ M γ ⇐⇒ K1 (M γ).
The above two formulas imply by axiom Ax1 that
Z ⊢ M γ ⇔ begin K1 ; M ; K2 endγ .
4.2. ON THE COMPLETENESS OF ALGORITHMIC LOGIC 85

An analogous argument allows us to obtain

Z ⊢ M (¬γ ∧ α) ⇔ begin K1; M ; K2 end(¬γ ∧ α).
Let us denote as β the formula (¬γ ∧ α). By the axioms of the proposi-
tional calculus Ax1-Ax11, we can infer
Z ⊢ (γ ∧ M β) ∨ β ⇔ (γ ∧ K1 (M K2 β)) ∨ (¬γ ∧ β)
which by Ax20 is equivalent to
Z ⊢ if γ then M fiβ ⇔ if γ then K1 ; M ; K2 fiβ .
Straightforward induction leads us to
Z ⊢ (if γ then M fi)i β ⇔ (if γthenK1 ; M ; K2 fi)i β
for any natural number i.
Observe that, by our assumptions, Vout (K1)∩V (M i β) = ∅ and Vout (K2)∩
V (M i β) = ∅. Thus, by property (4.3) and inference rule R3, we obtain
Z ⊢ while γ do M odα ⇐⇒ while γ do K1 ; M ; K2 odα . Several
examples which make use of this rule can be found in the next chapter.
Example 4.2.4

Example 4.2.10 Let Z be a set of algorithmic formulas and let γ and δ be

open formulas such that Z ⊢ (γ ⇒ δ).
Let K, M1 , M2 be arbitrary programs and α an arbitrary formula. Assume
that Vout (M 1) ∩ V (δ) = ∅. Then the following formula is provable from Z
while γ do M1 ; if d then K fi; M2 odα ⇔ while γ do M1 ; K; M2 odα .

PROOF Proof. Let γ, δ, α, K, M1 , M2 be as in the above assumptions.

By the property proved in example 4.2.1 we have
Z ⊢ M1 δ ⇔ (δ ∧ M1 true)
Z ⊢ M1 ¬δ ⇔ (¬δ ∧ M1 true)
Z ⊢ (γ ∧ δ) ⇔ γ Z ⊢ (γ ∧ ¬δ) ⇔ false. Denote by M the follow-
ing program begin M1 ; if d then K fi; M2 end and by M ′ the program
begin M1 ; K; M2 end. Let moreover β denote an arbitrary formula. Then
the formula
if γthen M fi β is equivalent to the subsequent following formulas
(γ ∧ M β) ∨ (¬γ ∧ β)

(γ ∧ M1 (δ ∧ K(M2 β) ∨ (¬δ ∧ M2 β)) ∨ (¬γ ∧ β))

(γ ∧ δ ∧ M1 (K(M2 (β))) ∨ (γ ∧ ¬δ ∧ M1 (M2 β))) ∨ (¬γ ∧ β)
(γ ∧ M ′ β) ∨ (¬γ ∧ β)
if γ then M ′ fi β .
Putting β = (¬γ ∧ α) , we have by straightforward induction
Z ⊢ (if γthen M fi)i (¬γ ∧ α) ⇔ (if γthen M ′ fi)i (¬γ ∧ α)
for all i ∈ N . Finally, by property (4.3) and by inference rule R3, we have
Z ⊢ while γ do M odα ⇔ while γ do M ′ odα .
86 CHAPTER 4. ALGORITHMIC LOGIC

The above example can be represented as the following sound secondary

rule
γ⇒δ
while γ do M1 ; if δ then K fi; M2 odα ⇔ while γ do M1 ; K; M2 odα

under the assumption Vout (M 1) ∩ V (δ) = ∅.

example 4.2.5

Example 4.2.11 The following schemes are simple secondary rules whose
proofs do not require ω-rules.
α ⇒ ¬γ
α ∧ if γ then M fiβ ⇔ α ∧ β
α ⇒ ¬γ
α ∧ while γ do M odβ ⇔ α ∧ β
where γ is any open formula, α ,β are arbitrary formulas and M is a program.

Proof. If formula (α ⇒ ¬γ) has a proof, then by axioms Ax2 and Ax7 , there
are proofs of the following formulas
((α ∧ γ) ⇔ (¬γ ∧ γ)),
((α ∧ β) ⇔ (¬γ ∧ α ∧ β)) .
Thus
⊢ (α ∧ (γ ∧ M δ ∨ ¬γ ∧ β)) ⇔ (α ∧ β)
for any formula δ.
Now we shall apply this result twice. Setting, first time δ = β we obtain

⊢ (α ∧ if γthen M f iβ) ⇔ (α ∧ β)
. Setting the second time δ = (while γ do M odβ) we have by axioms Ax20
and Ax21
⊢ (α ∧ while γdo M odGbeta) ⇔ (α ∧ β).

The following theorem is of importance, since it leads to a better understand-

ing of the proof concept.
theorem 4.2.5

Theorem 4.2.12 For every formulas α , β and for every set Z of formulas,

Z ∪ {α} ⊢ β iff Z ⊢ ((∀x)α(x) ⇒ β)

where x denotes the set of all variables which are free in the formula α .
4.2. ON THE COMPLETENESS OF ALGORITHMIC LOGIC 87

Proof.
Let A be a model for the set Z, and suppose that for some valuation v0
A, v0 |= (∀x)α(x).
Since the value of this formula does not dependent on the values of the
variables x, we have for any valuation v,
A, v |= (∀x)α(x).
This implies that A is a model for the set Z ∪ {α}.
If we assume that β ∈ C(Z ∪ {α}) then by the above reasoning and by the
completeness theorem 4.2.4 we obtain
A |= β .
In particular, A, v0 |= β .
Hence, we have proved that, for an arbitrary valuation v, A, v |= ((∀x)α(x) ⇒
β).
Consequently, every model for the set Z is also a model for the formula
((∀x)α(x) ⇒ β), i.e. Z |= ((∀x)α(x) ⇒ β).
By the completeness theorem, we have Z ⊢ (∀x)α(x) ⇒ β .
As an immediate corollary of the above, we obtain the following theorem on
deduction.
theorem 4.2.6

Theorem 4.2.13 For any formula β , any closed formula α and any set Z
of formulas,
Z ⊢ (α ⇒ β) iff Z ∪ {α} ⊢ β.

□
88 CHAPTER 4. ALGORITHMIC LOGIC
Chapter 5

Other Logics of Programs

5.1 Floyd’s descriptions of programs

In 1967 R.W.Floyd [19] introduced the notion of a description of a program in
order to analyse the meaning of programs. By a description of a program’s
diagram (c.f. chapter 3) we mean a mapping which to every edge of the
diagram associates a formula of the first-order logic. If a description has
the property: for every edge of the diagram the formula associated to it, is
satisfied by a memory state (a snapshot) when a computation passes along
the edge, then the description is called admissible. Admissible descriptions
are helpful in verification of partial correctness of programs. Namely, if
a program possesses an admissible description, then it is partially correct
w.r.t. the formulas associated with the initial edge and the terminal edge
of the program’s diagram. It turned out, that there exists a simple enough,
syntactical condition (verification condition) satisfactory for a description to
be admissible. The theory proposed by R.W.Floyd caused big interest of the
computer science community and of a number of programmers, for it was
one of first mathematical theories of the semantics of programs. In the paper
[22] one can find the following result: a description is acceptable in a theory
T iff it is admissible in all models of the theory T
In the present section we shall present the concepts of Floyd in a slightly
modified form. We used the result of L.Banachowski [6] and his suggestion
to consider a structured programs. Besides the definition of a description, we
shall use the term an annotated program, which denotes an linear expression
corresponding to a graphical description.
Let us consider an example of division of integers.

Example 5.1.1 (well known example)

89
90 CHAPTER 5. OTHER LOGICS OF PROGRAMS

x≥ 0, y>0

q :=0

r:=x

x=q*y+r, r≥ 0

while r≥ y
do done
x=q*y+r, r≥ y

r :=r-y x=q*y+r, y>r≥ 0

q :=q+1
x=q*y+r, r≥ 0

Figure 5.1: A description of a program 5.1.1

q := 0;
r := x;
while r ≥ y
do
r := r − y;
q := q + 1
done
One can remark that during every execution of the program the following
property holds: whenever during the computation we pass along an edge then
the actual state of memory satisfies the formula associated to the edge. In
particular, when the program ends its computation, the formula associated
to the outgoing edge is satisfied by the results of the program. The formula
of our example expresses the following property: the integer number q is the
quotient of the integers x and y, and the number r is the remainder.

Definition 5.1.2 By an annotated program we shall understand an expres-

sion defined by induction w.r.t. length of a program in the following way:
5.1. FLOYD’S DESCRIPTIONS OF PROGRAMS 91

a) Any expression of the form {α} [x := τ ] {β} is an annotated program.

Let M1′ and M2′ be annotated versions of programs M1 and M2 .

b) the expression {α}if γ then M1′ else M2′ fi {β} is the annotated version
of the program if γ then M1 else M2 fi,

c) the expression {α} while γ do M1′ od {β} is the annotated version of

the program while γ do M1 od,

d) the expression {α} begin M1′ ; M2′ end {β} is the annotated version of
the program begin M1 ; M2 end.

The formulas α and β will be called respectively the pre-condition ( or initial

condition) and the post-condition (or terminal condition) of the description
(also of annotated version) of the program.

It is convenient to illustrate the concept of the description of program graph-

ically. A description of an atomic program, i.e. an assignment instruction
looks like on the Fig. 5.2. Let M1’ and M2’ be two annotated programs, c.f.

x:=

Figure 5.2: Description of assignment instruction

Fig. 5.3 Then the annotated programs of more complicated structure are as

a) 1 b) 2

M1 M2
1 2

Figure 5.3: Two annotated programs

presented in the Fig. 5.4

92 CHAPTER 5. OTHER LOGICS OF PROGRAMS


a)  b)  c)
1
if 
while  M1'
then else 1
do
2 1 done 
1 2
M2'
M1' M2' M1'
2
1 fi 2 1
 

Figure 5.4: Descriptions of a) conditional instruction, b) iterative instruction,

c) composed instruction

Definition 5.1.3 Verification condition of an annotated program M ′ is a

formula V C(M ′ ) defined by induction in the following way:

a) If M ′ is of the form {α}s{β} where s is an assignment instruction and

α and β are any formulas then
df
V C(M ′ ) = (α ⇒ sβ).

Let M1′ and M2′ be annotated versions of programs M, 1 and M2 , let αi be the
pre-condition of the annotated program Mi′ , let βi be the post-condition of the
annotated program Mi′ {i = 1, 2}.

b) if M ′ is of the form {α}if γ then M1′ else M2′ fi {β} then

df
V C(M ′ ) = V C(M1′ )∧V C(M2′ )∧((α∧γ) ⇒ α1 )∧((α∧¬γ) ⇒ α2 )∧((β1 ∨β2 ) ⇒ β).

c) if M ′ is of the form {α}begin M1′ ; M2′ end{β} then

df
V C(M ′ ) = V C(M 1′ ) ∧ V C(M 2′ ) ∧ (α ⇒ α1 ) ∧ (β1 ⇒ α2 ) ∧ (β2 ⇒ β).

d) if M ′ is of the form {α}while γ do M 1′ od{β} then

df
V C(M ′ ) = V C(M1′ ) ∧ (((α ∧ β1 ) ∧ γ) ⇒ α1 ) ∧ (((α ∨ β1 )∧ ⇒ ¬γ) ⇒ β).
5.1. FLOYD’S DESCRIPTIONS OF PROGRAMS 93

Let us consider the following program M

Example 5.1.4 (a program M)

begin
while(z − y)¿0
do
i := i + 1;
z := z − y;
y := y + 2
od;
if z = ytheny := 0elsey := zfi
end

and its annotated version

Example 5.1.5 (an annotated version of the program M)

α1 : {y = 1 ∧ z = x ∧ x > 0 ∧ i = 0 }
begin
α2 : {y = 2i + 1 ∧ z = x − i 2 ∧ x > 0 ∧ i ≥ 0 }
while (z − y) > 0
do
α3 : {z > y ∧ z = x − i2 ∧ y = 2i + 1 ∧ i ≥ 0}
i := i + 1;
α4 : {z > y ∧ z = x − (i − 1)2 ∧ y = 2i − 1 ∧ i ≥ 0 ∧ x ≥ 0}
z := z − y;
α5 : {z > 0 ∧ z = x − (i − 1)2 − (2i − 1) ∧ y = 2i − 1 ∧ i ≥ 0 ∧ x ≥ 0}
y := y + 2
α6 : {z > 0 ∧ z = x − Σij=1 (2j − 1)(i − 1)2 − 2i − 1 ∧ y = 2i − 1 ∧ i ≥ 0 ∧ x ≥ 0}
od;
α7 : {z ≤ y ∧ y = 2i + 1 ∧ z = x − i2 ∧ x > 0 ∧ i ≥ 0}
α8 : {x − i2 ≤ 2i + 1 ∧ z = x − i2 ∧ y = 2i + 1}
if z = y
then
α9 : {x − i2 = 2i + 1 ∧ z = x − i2 }
y := 0
α10 : {y = 0 ∧ x = (i + 1)2 }
else
α11 : {i2 ≤ x < (i + 1)2 ∧ z = x = i2 }
y := z
94 CHAPTER 5. OTHER LOGICS OF PROGRAMS

α12 : {y = x − i2 ∧ i2 ≤ x < (i + 1)2 }

fi √
α13 : {y = x − ⌊ x ⌋2 }
end √
α14 : {y = x − ⌊ x ⌋2 }

and its description in graphical form (see Fig.8.7)

Fig.8.7

Definition 5.1.6 A verification condition V C(M ′ ) of an annotated program

M ′ is admissible in a data structure A iff it is a formula valid in A.

Example 5.1.7 The verification condition for the above given annotated
program is the following formula: V C(M ) = (α1 ⇒ α2 ) ∧ (α7 ⇒ α8 ) ∧ (α13 ⇒
α14 ) ∧ (α5 ⇒ [y := y + 2]α6 ) ∧ (α3 ⇒ [i := i + 1]α4 ) ∧ (α4 ⇒ [z :=
z − y]α5 ) ∧ (((α2 ∨ α6 ) ∧ z − y > 0) ⇒ α3 ) ∧ (((α2 ∨ α6 ) ∧ z − y > 0) ⇒
α7 ) ∧ (α9 ⇒ [y := 0]α10 ) ∧ (α − 11 ⇒ [y := z]α12 ) ∧ ((α8 ∧ z = y) ⇒
α9 ) ∧ ((α8 ∧ z ̸== y) ⇒ α11 ) ∧ ((α10 ∨ α12 ) ⇒ α13 ).

Let us note, that the formula V C(M ) is a conjunction of thirteen implica-

tions, all of them have a simple structure. Every of these formulas describe
certain node in the program’s diagram. To every test node (a node of if
or while type) correspond two implications (one may say, they describe it),
one implication is associated with a node containing an assignment. Ev-
ery implication expresses a simple semantically property of computations of
program M: If a computation of program M reached a given node c and if
the current configuration (a state) of the computation satisfies the condition
given in the predecessor of the implication - this condition is an disjunction
of the conditions associated to the edges leading to the node c - then after
execution of the instruction (or test) contained in the node c, the new state
of the computation satisfies the formula associated to the edge leaving the
node c. In the case where c is a test node and two edges leave it, we have two
implications. The above sentence can be repeated, appropriately modified,
for every edge leaving a test node.

Lemma 5.1.8 Let A be a data structure. If a verification condition V C(M ′ )

of an annotated program M ′ is admissible in A, then the program M is par-
tially correct w.r.t. the formula α - pre-condition in the annotated program
M ′ and the formula β - post-condition in M ′ .
A ⊨ V C(M ′ ) implies A ⊨ ((α ∧ M true) ⇒ M β) i.e. the verification condi-
tion V C(M ′ ) is valid in A iff the formula expressing the partial correctness
5.2. HOARE’S LOGIC OF PARTIAL CORRECTNESS 95

of the program M w.r.t. the pre- and post- conditions of M ′ , is valid in A.

Lemma 5.1.9 The verification condition V C(M ′ ) of an annotated program

M ′ is admissible in the data structure A iff the formula (aM ⇒ b) is valid
in A, where αM denotes (c.f 3.x.y) the strongest consequent of condition α
w.r.t. the program M .

Definition 5.1.10 A verification condition V C(M ′ ) of an annotated pro-

gram M is acceptable in a theory T = ⟨L, C, A⟩ iff it is a theorem of the
theory T .

Lemma 5.1.11 For a given annotated program M its verification condition

is acceptable in a theory T iff it is admissible in every model of the theory
T.

The above lemma is in fact, a rather simple corollary from the completeness
theorem (c.f. 4.x.y). The lemma has, however, deeper consequences, for it
enables verification of partial correctness of a program through a proof of a
number of implications, where each of them is easy to check.
A verification condition is a conjunction of certain number of implications.
Every implication has a simple structure. Hence, most of them are easily
provable or disprovable (by means of a counter-example). This feature caused
certain popularity of Floyd’s method. Two years later, C.A.R.Hoare [27]
presented an axiomatic system for proving partial correctness of programs.

5.2 Hoare’s logic of partial correctness

In 1969 C.A.R. Hoare [27] published a system of inference rules for reasoning
about partial correctness of programs. The expressions of the language con-
sidered are: programs, formulas of first-order logic and triples of the form
{α}M{β} where α and β are first-order formulas and M is a program. The
triple {α}M{β} is a logical formula and expresses the property of program
M being partially correct w.r.t. a precondition α and a post condition β. It
is interpreted in the following way: for a given state v value of the triple is
true iff either the precondition α is not satisfied by the state v or program M
does not terminate a computation starting from v or program M terminates
and the final state of the computation satisfies the post condition β. The
reader can remark that the triple {α}M{β} expresses the same property as
the algorithmic formula (α ∧ Mtrue) ⇒ β). From this remark and from the
completeness property of deductive system of AL it follows that the Hoare’s
96 CHAPTER 5. OTHER LOGICS OF PROGRAMS

calculus is included in AL. However, we hope that a presentation of the more

detailed reasoning on that, may be instructive for the reader.
Let us begin from the presentation of the formal construction of Hoare’s sys-
tem.
AXIOMS
Axiom of assignment instruction
H1 {α(x/τ )} [x := τ ] {alpha(x)}
Axiom of instruction abort
H2 {alpha} [abort] {false}
Axiom of instruction leave
H3 {alpha} [leave] {alpha}
Inference Rules
Rule of composed instruction
{α}[K1 ]{α′ }, {α′ }[K2 ]{β}
H4
{α}[begin K1 ; K2 end]{β}
Rule of branching instruction
{α ∧ γ}[K1 ]{β}, {α ∧ ¬γ}[K2 ]{β})
H5
{α}[if γ then K1 else K2 fi]{β}
Rule of iteration instruction
{α ∧ γ}[K]{α}
H6
{α}[while γ do K od]{¬γ ∧ α}
Rule of consequence
{α′ ⇒ α}, {α}[K]{β}, {β ⇒ β ′ }
H7
{α′ }[K]{β ′ }

We are going now to show that the axioms and rules H1 - H7 can be deduced
with the help of algorithmic logic. Hence, every reasoning which makes use
of Hoare’s rules is also a correct reasoning in algorithmic logic.

Proofs of soundness of the Hoare’s rules in AL.

It is known, c.f. Alagic and Arbib [2], that the rules H1 - H7 are semantically
sound, i.e. from the validity of premises it follows the validity of conclusions,
in every rule. Making use of the completeness theorem one can generally
assert that the axioms and rules presented above can be formally proved in
AL. We are going to construct and present these proofs.
5.2. HOARE’S LOGIC OF PARTIAL CORRECTNESS 97

Proof of the axiom H1

Axiom H1 is an equivalent of the algorithmic formula α(x/τ )∧[x := τ ]true ⇒
[x := τ ]α, which follows directly from axiomAx18 of algorithmic logic. This
axiom is stronger than the formula H1.
Proof of the rule H4
We are going to prove that from the following two premises (α1 ∧ K1 true ⇒
K1 α2 ), (α2 ∧ K2 true ⇒ K2 α3 ) one can deduce the formula
α1 ∧ begin K1 ; K2 endtrue ⇒ begin K1 ; K2 endα.
Indeed, applying the rule R2 of algorithmic logic to the second premise,
we obtain (K1 ∧ K1 (K2 true) ⇒ K1 (K2 α)). Using the first premise (α1 ∧
K1 true ⇒ K1 α2 )and applying laws of propositional calculus we infer α1 ∧
K1 (K2 true) ⇒ K1 (K2 α). By the axiom Ax19 we obtain the needed formula.
Proof of the rule H7
We have to prove that the formula α′ ∧ Ktrue ⇒ Kβ ′ has a proof from
the three premises mentioned in the rule H7. From the premise α ⇒ α we
deduce the formula α′ ∧Ktrue ⇒ α ∧Ktrue. Applying the rule R2 we prove
the formula Kβ ⇒ β ′ . The formula α ∧ Ktrue ⇒ Kβ is our second premise.
Now, applying the axiom Ax1 twice we obtain α′ ∧ Ktrue ⇒ Kβ, and next,
the formula α′ ∧ Ktrue ⇒ Kβ ′ .
Proof of the rule H5
From the first premise we infer the formula
(α ∧ γ) ∧ Ktrue ⇒ ((Kβ) ∧ γ)
From the second premise we obtain
((α ∧ ¬γ) ∧ M true) ⇒ ((M β) ∧ ¬γ.
Now, we apply the following law of propositional calculus
((δ → σ) ∧ (δ ′ ⇒ σ ′ )) ⇒ ((δ ∨ δ ′ ) ⇒ (σ ∨ σ ′ ))
and obtain the formula
((α ∧ γ) ∧ Ktrue) ∨ ((α ∧ ¬γ) ∧ M true) ⇒ (γ ∧ Kβ ∨ ¬γ ∧ M β)
From this formula in a few easy steps we deduce the formula
α ∧ if γ then K else M fitrue ⇒ if γ then K else M fiβ
which ends the proof the rule R5 .
Proof of the rule H6
This rule may be proved on many ways. Dijkstra proves it in his book[?].
We gave another proof of this secondary but very useful rule in the example
4.1.12.
98 CHAPTER 5. OTHER LOGICS OF PROGRAMS

Warning
After M. O’Donnell we would like to call the attention of the reader that it
is somewhat easy to turn this system into an inconsistent one.

On the relative completeness of Hoare’s logic

The system composed of axioms and rule H1 − H7 is an incomplete deduc-
tion system. There are properties valid but not provable. In 1974 S. Cook
proposed to extend the system by adding to it all formulas of the first order
language valid in the data structure A.

5.3 Dijkstra’s calculus of weakest precondi-

tions
In 1974 E.W.Dijkstra [17] presented a calculus of so called predicate transfor-
mers. In his considerations the author of [17] starts from a remark that pro-
grams can be conceived as transformers of conditions i.e. predicates satisfied
by states of computations. In particular he studied the weakest precondition.
In a book[18] which appeared a year later he presented his opinions and sev-
eral examples of semantic analyses of properties of programs, in which the
axioms of weakest precondition are used. In this chapter we present the Di-
jkstra’s calculus adapted to the language of deterministic, iterative programs
c.f. chapter 2. The informal description of the weakest precondition in [18]
reads as follows: a condition which characterises the set of all initial states,
such that the beginning of computations in any of the states will certainly lead
to a successful termination in a state satisfying given terminal condition, is
called the weakest precondition for a given post condition. In the papers of
Dijkstra there is no other definition of the notion. Instead, the author gives
the properties which are to be satisfied by the weakest precondition. We are
calling the attention of the reader to the definition of this notion we gave
in 3.3.5. Accordingly, we shall replace the Dijkstra’s formulas wp(α, K) by
algorithmic formula Kα. After the translation to the language of algorithmic
logic the properties of weakest precondition obtain the following form.

Pr1 ) M false ⇔ false

(α ⇒ β)
Pr2 )
(M α ⇒ M β)
Pr3 ) M (α ∧ β) ⇔ (M α ∧ M β)
5.3. DIJKSTRA’S CALCULUS OF WEAKEST PRECONDITIONS 99

Pr4 ) M (α ∨ β) ⇔ (M α ∨ M β)

Pr5 ) In the book [18] this property is formulated as follows: for any program
M and for every infinite sequence of formulas α0 , α1 , α2 , ..., such that
for all states and for every number r ≥ 0 the following implications
hold
(αr ⇒ αr+1 ),
then for every state, the following equivalence holds

M ((∃r≥0 )αr ) ⇔ ((∃s≥0 )M αs ).

Here we encounter certain problem when we wish to express this property in

the language of algorithmic logic. The difficulties come from the fact, that
the author unconsciously made the wording easier for himself, confusing the
notions of quantifier and of infinite disjunction. In the language of algorith-
mic logic there is no infinite disjunction of formulas. Although the notation
(∃r≥0 αr ) admitted by Dijkstra is confusing, its semantic meaning is clear:
the whole formula is satisfied if there exists an r ≥ 0, such that the formula
αr is satisfied. The r-th formula in the sequence α1 , α2 , ... Hence, one should
assert that we are doing with infinite disjunction and write
_ _
M ( αr ) ⇔ ( M αs ).
r≥0 s≥0

We can remark, moreover that the index r need not to occur in any of the
formulas of the sequence, it is just a number of a formula. In the language
of first-order logic a correct formula of similar form is (∃r≥0 α(r)), but it
has completely different meaning and has no connection with sequence of
formulas we were talking about in the premise of the property P r5 .
This leads to the conclusion, that property Pr5 is a rule of inference with
the infinitely many premises. It should read as follows
(αr ⇒ αr+1 )r∈N
W W
M ( αr ) ⇔ ( M αs )
r≥0 s≥0

W numberWr, the implication (αr ⇒ αr+1 ) is

in other words if for every natural
valid then the equivalence M ( αr ) ⇔ ( M αs ) is valid also.
r≥0 s≥0
The author discusses in turn program connectives appearing in the pro-
gramming language and gives further properties of the weakest precondi-
tion. He views them as axiomatic definitions of meaning of corresponding
programming constructions of the language. Without loss of generality we
100 CHAPTER 5. OTHER LOGICS OF PROGRAMS

can replace the language of guarded commands introduced by the author

by the language of iterative, deterministic commands. As atomic programs
we shall have the assignment instructions, and two instructions abort and
do-nothing. One could define the instructions abort and do-nothing by the
more complicated ones. We shall keep however the notation as useful in our
future considerations.
Apart of above enumerated, five properties of the weakest precondition,
the author gives six additional schemes of axioms. The goal which they are
to reach is to define the semantics of the programming connectives which
appear in the programming language.
A1) do − nothing α ⇔ α
A2) abort α ⇔ f alse
A3) [x := τ ] α ⇔ α(x/τ )
A4) begin M1 ; M2 end α ⇔ M1 (M2 α)
A5) if γ then M1 else M2 fi α ⇔ ((γ ∧ M1 α) ∨ (¬γ ∧ M2 α))
A6) for the iteration instruction Dijkstra gives the following definition of
the weakest precondition
while γ do M done α ⇔ (∃k≥0 )Hk (α)
where the formulas Hk are defined by induction, as follows:
df
H0 (α) ⇔ α ∧ ¬γ (5.1)
df
Hk+1 (α) ⇔ (if γ then M fi)Hk (α) ∨ H0 (α) (5.2)

Let us closer examine these formulas. Formula H0 is beyond suspicion. Let

us compute the formula H1 , applying A5) and simple transformations of
predicate calculus, we see that
H1 (α) ⇔ (if γ then M fi)(α ∧ ¬γ) ∨ (α ∧ ¬γ)
⇔ ((γ ∧ M (α ∧ ¬γ) ∨ ¬γ ∧ (α ∧ ¬γ)) ∨ (α ∧ ¬γ)
⇔ ((γ ∧ M ¬γ ∧ M α) ∨ (¬γ ∧ α))
In general, the formula Hk is expressed as more and more lengthy disjunction
of conjunctions which also grow in length.
Hk (α) ⇔ ((¬γ ∧ α) ∨ (γ ∧ M ¬γ ∧ M α) ∨
. . . (γ ∧ M γ ∧ M M γ ∧ · · · ∧ M k−1 γ ∧ M k ¬γ ∧ M k α))
⇔ (if γ then K fi)k (¬γ ∧ α)
5.3. DIJKSTRA’S CALCULUS OF WEAKEST PRECONDITIONS 101

Remark 5.3.1 The subformula H0 (α) in the above definition 5.2 is redun-
dant and may be ommitted
df
Hk+1 (α) ⇔ (if γ then M fi)Hk (α).

Let us remark, first of all, that every of these formulas has a different struc-
ture and that the formulas Hk do not contain the variable k at all. The
usage of quantifier notation (∃k≥0 Hk (α)) should be treated as an informal
denotation of the infinite disjunction of formulas Hk , moreover, that every
such formula has a different structure. Let us recall, in the first-order predi-
cate calculus the expression of the form (∃x)α(x) is a formula of the language
if α(x) is a formula. Can we apply this simple grammatical rule to the ex-
pression (∃k≥0 Hk (α))? No, it is not a formula. Here the formulas and their
denotations are mixed. The expression Hk belongs to the metalanguage.
Putting our remark in other words: the formula (∃x)α(x) has a value equal
to the value of the least upper bound of values of formulas α(x/τ ) where τ is
any term (or if you prefer an arithmetic expression). Every of these formulas
has the same logical structure, the same number of logical connectives and
quantifiers in it, however they can differ in length since the terms t can be of
different structure. In the case of formulas Hk their logical structure changes
with the growth of k. Therefore, application of quantifier notation is not
allowed in this case. And how to do this when the variable k does not occur
in the formulas Hk ?
We would like to call the reader’s attention to the fact that the semantic
meaning of the Dijkstra’s axiom A6 is faithfully expressed by the following
formula
[
while γ do K done α ⇔ if γ then K fi (α ∧ ¬γ). (5.3)

Validity of this formula has been shown in lemma 3.4.2. By the completeness
theorem we know that the formula has a proof from the axioms of algorith-
mic logic.
Proof. In the proof of 5.3 we use the axiom Ax21 and rules R3 and R4
of algorithmic logic. It follows from the axiom Ax21 that for every natural
number i
(if γ then K fi)i (¬γ ∧ α) =⇒ while γ do K done α.
A proof of this fact we gave in example 4.1.5. Applying the rule R4 we derive
the
S implication
if γ then K fi (α ∧ ¬γ) =⇒while γ do K done α.
The reverse implication is also provable. For every natural number i the
102 CHAPTER 5. OTHER LOGICS OF PROGRAMS

following formula is a tautology

(if γ then K fi)i (¬γ ∧ α) =⇒ (if γ then K fi)i (¬γ ∧ α).
By axiom Ax22 and by propositional calculus we infer that for every natural
number i the following implication
S is a tautology
i
(if γ then K fi) (¬γ ∧ α) =⇒ if γ then K fi (¬γ ∧ α)
Now, we can apply the rule S R3 and obtain
while γ do K done α =⇒ if γ then K fi (¬γ ∧ α).
It is easy to remark that the formulas Pr3 , Pr4 , A3 , A4 , A5 are known already
axioms of AL. One can ask whether the Dijkstra’s formalism and algorithmic
logic are equivalent. It turns out that all properties listed by Dijkstra can
be proved from axioms of AL. Moreover the property Pr5 of continuity is
provable in an extension of AL which admits the infinite disjunction and
conjunctions. Without any additional assumptions we prove:
W W
M ( αr ) ⇔ ( M α s )
r≥0 s≥0
W
Assume that for a certain valuation v the formula M ( αr ) is satisfied
r≥0
by
W v. Then by the definition of semantics of algorithmic formulas the formula
αr ar is satisfied by the valuation MA (v) - the result of program M . But
r≥0 W
the formula αr is satisfied if for a certain s ≥ 0 the formula αs is satisfied.
r≥0 W
We have that for a certain s the valuation MA (v) satisfies αs . Hence the
W s≥0
valuation v satisfies M αs . The other implication is provable in a similar
s≥0
way.

Our next remarks concern the property Pr1 called by Dijkstra the law
of excluded miracle. Since the implication false =⇒M false is a tautology,
what remains to be proved is (Mfalse)=>false. Let us recall, that (α ∧ ¬α)
⇔ false. Note, that for every program M and every formula a, holds
M (α ∧ ¬α) ⇔ Ma ∧ M¬α (axiom Ax14).
By another axiom M¬α =⇒ ¬Ma. Hence
M (α ∧ ¬α) =⇒ Ma ∧ ¬Ma
Applying the axiom (α ∧¬α) =⇒ β we derive the implication M false =⇒
false what finishes the formal proof of the law of excluded miracle.
Let us return to the properties Pr2 and Pr5 , they are inference rules. The
property Pr5 of continuity has infinitely many premises. We have shown that
the premises are not necessary for the distributivity of program over infinite
disjunction. However the infinite disjunction itself must be characterised
in some way. It is not difficult to guess that for this, one needs a rule with
infinitely many premises. In an extended algorithmic logic one can derive the
5.3. DIJKSTRA’S CALCULUS OF WEAKEST PRECONDITIONS 103

equivalence A6 from axiom Ax2 1 and rule R3 . We do not think however that
such extension is needed. It seems redundant. In the light of our previous
considerations, we see that semantic properties of programs can be expressed
and studied in a language of finite expressions.
Another question arises: is the statement of Dijkstra that properties Pr1
- Pr5 and axioms A1 - A6 define the semantics well argued? D.Harel [24]
has studied the question and came to the conclusion that among many pos-
sible strategies of visiting trees of non-deterministic computations only one
method of visiting satisfies the axioms of Dijkstra, and therefore, concludes
Harel, the axioms of Dijkstra define the semantics of non-deterministic com-
putations. For us the problem was not definitely solved, for where the trees
of computations are coming from? This was a motivation for the research,
the results of which are presented in section 4.4. The results of 4.4 present
the stronger consequences of admitting algorithmic axioms. The meaning
of the programming connectives: composition, branching, iteration and also
of atomic instructions (assignment) is uniquely determined by the require-
ment that a realisation of the language satisfied the axioms of AL. In the
present moment we do not know whether a similar result can be proved for
non-deterministic computations.