3.3 Basic refinement laws
3.3.6 Termination
The next concept defines from which states a command is required to terminate when running in a specific environment. This notion is particularly useful for the definition of the rely command in Section 3.5, because that definition pulls apart the concerns of behavioural preservation and termination.
The weakest precondition for termination of program c in an environment r is formalised as a predicate, stops(c, r). The concept is akin to Dijkstra’s weakest precondition [31], but it does not restrict the final state in which the program must terminate.
Definition 3.38 (Stops). For any command c and relation r, stops(c, r) is the weakest predicate such that from states satisfying stops(c, r), the command c is guaranteed to stop in an environment r.
(⊢ p ⇒ stops(c, r)) ⇔ ({p} ; ⟨true⟩⋆ ⊑[r] c)
Remark. The precondition {stops(c, r)} is interpreted as the weakest precondition for ensuring that c only performs a finite number of program steps when started in an environment r. That is, if the environment does not unfairly interrupt c, and c does not abort, then its execution ends in a termination step (υ). This interpretation follows from the use of atomic steps in the definition of stops. The program ⟨true⟩ can only perform one program step followed by a termination step, but it admits any number of environment steps before the program step takes place. The program ⟨true⟩⋆ can perform a finite number of program steps (zero or more), admitting any number of environment steps in between program steps.
The operator stops is monotonic in both arguments. Thus, if we know that a program c stops in an environment r, we also know that it stops in any environment that is more restrictive than r. Similarly, if we know that c stops in an environment r, and we know that d refines c in the environment r, we also know that d stops in the environment r.
Law 3.39 (Term-Monotonic). For any relations r, r₀ and r₁, and commands c and d,
⊢ r₀ ⇒ r₁ ∨ idrel  =⇒  ⊢ stops(c, r₁) ⇒ stops(c, r₀)   (3.39a)
c ⊑[r] d  =⇒  ⊢ stops(c, r) ⇒ stops(d, r)   (3.39b)
The next two equivalences allow one to absorb the precondition command from the argument taken by stops.
Lemma 3.40 (Term-Equivalences). For any predicate p, relation r and commands c, c₀ and c₁,
stops(c₀ ; c₁, r) = stops(c₀ ; {stops(c₁, r)}, r)   (3.40a)
stops({p} ; c, r) = p ∧ stops(c, r)   (3.40b)
A postcondition ([q]) terminates in a stuttering environment r, or aborts if the environment r does any step that changes the state.
Lemma 3.41 (Term-Postcondition). For any relations q and r,
stops([q], r) = true,  if ⊢ r ⇒ idrel
stops([q], r) = false, otherwise.   (3.42)
An atomic command ⟨p, q⟩ stops in an environment r if its precondition p holds in the state where it is executed.
Lemma 3.43 (Term-Atomic). For any predicate p, and relations q and r, such that p is preserved by relation r,
stops(⟨p, q⟩, r) = p
A test [[e]] only fails to terminate in an environment r if the evaluation of e is undefined. If a test [[e]] starts its execution from a state that satisfies a predicate p, such that p is both preserved by r and strong enough to ensure that e is well-defined, then [[e]] terminates.
Lemma (contrib.) 3.44 (Term-Test). Let p be a predicate, b a boolean expression, and r a relation, and recall that the notion of defined expressions is introduced in Definition 2.6 on page 28. If p is preserved by r and ⊢ p ⇒ defined b, then
⊢ p ⇒ stops([[b]], r)
Law (contrib.) 3.45 (Term-Precondition). For any predicate p and relation r, stops({p}, r) = p
If a precondition p is strong enough to ensure the termination of c₀ ; c₁ in an environment z, then it necessarily ensures that the execution of c₀ will terminate in a state from where the
Lemma (contrib.) 3.46 (Distribute-Stops-Sequential). For any predicate p and commands c₀ and c₁, such that ⊢ p ⇒ stops(c₀ ; c₁, z),
{p} ; c₀ ∼[z] {p} ; c₀ ; {stops(c₁, z)}
The next lemma states that if the parallel composition of finite interference r ∨ idrel with a program guarded by a precondition p terminates in an environment z when iterated a potentially infinite number of times, then the potentially infinite iteration of the guarded program alone also terminates in the environment z ∨ r. The insight behind this lemma is that potentially infinite iteration distributes to the branches of parallel composition, and the potentially infinite iteration of finite interference results in potentially infinite interference. This lemma is used to prove that the rely command distributes over iteration (law 3.85 on page 99).
Lemma 3.47 (Term-Iteration). For any predicate p, relations r and z, and command c, such that ⊢ p ⇒ stops(c, z ∨ r),
⊢ stops(({p} ; c ∥ ⟨r ∨ idrel⟩⋆)ω+, z) ⇒ stops(({p} ; c)ω+, z ∨ r)
If the sequential composition c ; d stops in an environment z, then the first component of the sequential composition also does. Note that we cannot conclude that the second component of the sequential composition always stops in an environment z if c ; d does it; the reason is that the termination of d may be conditional on the state in which c terminates.
Law (contrib.) 3.48 (Term-Sequential). For any commands c and d and relation z, ⊢ stops(c ; d, z) ⇒ stops(c, z)
A specification uses X · [p, q] stops when executed from a state that satisfies p in an environment that protects all variables in X.
Lemma 3.49 (Term-Uses). For any predicate p, ⊢ p ⇒ stops(uses X · [p, q], idset X)
The addition of finite interference that respects r₀ or r₁ to a program c that already terminates in an environment (r₀ ∨ r₁) does not affect the termination of c.
Law 3.50 (Term-In-Context). For any relation r and command c, stops(c ∥ ⟨r ∨ idrel⟩⋆, r) = stops(c, r)
For any predicate p, the execution of the postcondition command [p] in an environment idrel terminates in a state where p holds.
Law (contrib.) 3.51 (Term-Post-Precondition). For any predicate p, stops([p′] ; {p}, idrel) = true
Law (contrib.) 3.52 (Term-Sequential-Special-Case). For any predicate p, commands c and d, and relations r, r₀, r₁, q and z,
⊢ p ⇒ stops(c, r) ∧ ⊢ stops(d, r)  =⇒  ⊢ p ⇒ stops(c ; d, r)
Law 3.52 is useful to reason about the termination of sequential compositions where the rightmost program always terminates, so that one only has to care about the termination of the leftmost program to ensure the termination of the composition, e.g. c ; ⟨q⟩.
The laws in this section allow one to reason algebraically about the termination of commands, and are particularly useful to prove laws involving the rely command in Section 3.5. They can also be used to compute the weakest precondition for termination of composed specifications; for example, consider the concrete program:
[x = 0, (x = 1)′] ; [x = 1, x′ = x + 1] ∥ ⟨idrel⟩⋆
The weakest precondition for its termination in a non-interfering environment is {x = 0}. The key laws involved in the computation of the weakest precondition are laws 3.50 (Term-In-Context), 3.40 (Term-Equivalences), 3.41 (Term-Postcondition), 3.45 (Term-Precondition) and 3.51 (Term-Post-Precondition).
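The computation just described, carried through step by step with the five laws named above, as an added worked derivation that is not part of the original thesis. It assumes, as is usual in this style of rely/guarantee algebra, that a specification [p, q] abbreviates {p} ; [q], and that sequential composition is associative so the program can be bracketed as c₀ ; c₁ with c₀ = {x = 0} ; [(x = 1)′] and c₁ = [x = 1, x′ = x + 1].

```latex
% Inner computation: termination of the second specification in idrel
\begin{align*}
  & \mathit{stops}\big(\{x = 1\} ; [x' = x + 1],\ \mathit{idrel}\big) \\
  &= \mathit{stops}\big(\{x = 1\} ; \{\mathit{stops}([x' = x + 1],\ \mathit{idrel})\},\ \mathit{idrel}\big)
     && \text{by 3.40a} \\
  &= \mathit{stops}\big(\{x = 1\} ; \{\mathit{true}\},\ \mathit{idrel}\big)
     && \text{by 3.41, since } \vdash \mathit{idrel} \Rightarrow \mathit{idrel} \\
  &= (x = 1) \land \mathit{stops}(\{\mathit{true}\},\ \mathit{idrel})
     && \text{by 3.40b} \\
  &= (x = 1) \land \mathit{true} \;=\; (x = 1)
     && \text{by 3.45}
\end{align*}

% Outer computation: the whole program in a non-interfering environment
\begin{align*}
  & \mathit{stops}\big(([x = 0, (x = 1)'] ; [x = 1, x' = x + 1]) \parallel \langle \mathit{idrel} \rangle^{\star},\ \mathit{idrel}\big) \\
  &= \mathit{stops}\big([x = 0, (x = 1)'] ; [x = 1, x' = x + 1],\ \mathit{idrel}\big)
     && \text{by 3.50, as } \mathit{idrel} \lor \mathit{idrel} = \mathit{idrel} \\
  &= \mathit{stops}\big(\{x = 0\} ; [(x = 1)'] ; \{\mathit{stops}([x = 1, x' = x + 1],\ \mathit{idrel})\},\ \mathit{idrel}\big)
     && \text{by 3.40a, unfolding } [p, q] = \{p\} ; [q] \\
  &= \mathit{stops}\big(\{x = 0\} ; [(x = 1)'] ; \{x = 1\},\ \mathit{idrel}\big)
     && \text{by the inner computation} \\
  &= (x = 0) \land \mathit{stops}\big([(x = 1)'] ; \{x = 1\},\ \mathit{idrel}\big)
     && \text{by 3.40b} \\
  &= (x = 0) \land \mathit{true}
     && \text{by 3.51 with } p = (x = 1) \\
  &= (x = 0)
\end{align*}
```

The postcondition [(x = 1)′] is what discharges the precondition {x = 1} of the second specification via law 3.51; had the first postcondition not established x = 1, that step would leave a residual conjunct in the weakest precondition rather than collapsing to x = 0.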