Predicate transformer semantics were introduced by Edsger Dijkstra in his seminal paper "Guarded commands, nondeterminacy and formal derivation of programs". They define the semantics of an imperative programming paradigm by assigning to each statement in this language a corresponding predicate transformer: a total function between two predicates on the state space of the statement. In this sense, predicate transformer semantics are a kind of denotational semantics. Actually, in guarded commands, Dijkstra uses only one kind of predicate transformer: the well-known weakest preconditions (see below). Moreover, predicate transformer semantics are a reformulation of Floyd–Hoare logic. Whereas Hoare logic is presented as a deductive system, predicate transformer semantics (either by weakest-preconditions or by strongest-postconditions see below) are complete strategies to build valid deductions of Hoare logic. In other words, they provide an effective algorithm to reduce the problem of verifying a Hoare triple to the problem of proving a first-order formula. Technically, predicate transformer semantics perform a kind of symbolic execution of statements into predicates: execution runs backward in the case of weakest-preconditions, or runs forward in the case of strongest-postconditions. Given a statement S, the weakest-precondition of S is a function mapping any postcondition R to a precondition P. Actually, the result of this function, denoted w p ( S , R ) {\displaystyle wp(S,R)} , is the "weakest" precondition on the initial state ensuring that execution of S terminates in a final state satisfying R. More formally, let us use variable x to denote abusively the tuple of variables involved in statement S. Then, a given Hoare triple { P } S { R } {\displaystyle \{P\}S\{R\}} is provable in Hoare logic for total correctness if and only if the first-order predicate below holds: ∀ x , P ⇒ w p ( S , R ) {\displaystyle \forall x,P\Rightarrow wp(S,R)} Formally, weakest-preconditions are defined recursively over the abstract syntax of statements. Actually, weakest-precondition semantics is a continuation-passing style semantics of state transformers where the predicate in parameter is a continuation. We give below two equivalent weakest-preconditions for the assignment statement. In these formulas, R [ x ← E ] {\displaystyle R[x\leftarrow E]} is a copy of R where free occurrences of x are replaced by E. Hence, here, expression E is implicitly coerced into a valid term of the underlying logic: it is thus a pure expression, totally defined, terminating and without side effect. version 1:version 2:The first version avoids a potential duplication of E in R, whereas the second version is simpler when there is at most a single occurrence of x in R. The first version also reveals a deep duality between weakest-precondition and strongest-postcondition (see below). An example of a valid calculation of wp (using version 2) for assignments with integer valued variable x is: w p ( x := x − 5 , x > 10 ) = x − 5 > 10 ⇔ x > 15 {\displaystyle {\begin{array}{rcl}wp(x:=x-5,x>10)&=&x-5>10\\&\Leftrightarrow &x>15\end{array}}} This means that in order for the postcondition x > 10 to be true after the assignment, the precondition x > 15 must be true before the assignment. This is also the "weakest precondition", in that it is the "weakest" restriction on the value of x which makes x > 10 true after the assignment. For example, w p ( x := x − 5 ; x := x ∗ 2 , x > 20 ) = w p ( x := x − 5 , w p ( x := x ∗ 2 , x > 20 ) ) = w p ( x := x − 5 , x ∗ 2 > 20 ) = ( x − 5 ) ∗ 2 > 20 = x > 15 {\displaystyle {\begin{array}{rcl}wp(x:=x-5;x:=x*2\ ,\ x>20)&=&wp(x:=x-5,wp(x:=x*2,x>20))\\&=&wp(x:=x-5,x*2>20)\\&=&(x-5)*2>20\\&=&x>15\end{array}}} As example: w p ( if x < y then x := y else skip end , x ≥ y ) = ( x < y ⇒ w p ( x := y , x ≥ y ) ) ∧ ( ¬ ( x < y ) ⇒ w p ( skip , x ≥ y ) ) = ( x < y ⇒ y ≥ y ) ∧ ( ¬ ( x < y ) ⇒ x ≥ y ) ⇔ true {\displaystyle {\begin{array}{rcl}wp({\textbf {if}}\ x 15 ) = ∃ y , x = y − 5 ∧ y > 15 ⇔ x > 10 {\displaystyle sp(x:=x-5,x>15)\ =\ \exists y,x=y-5\wedge y>15\ \Leftrightarrow \ x>10} On sequence, it appears that sp runs forward (whereas wp runs backward): Leslie Lamport has suggested win and sin as predicate transformers for concurrent programming. This section presents some characteristic properties of predicate transformers. Below, T denotes a predicate transformer (a function between two predicates on the state space) and P a predicate. For instance, T(P) may denote wp(S,P) or sp(S,P). We keep x as the variable of the state space. Predicate transformers of interest (wp, wlp, and sp) are monotonic. A predicate transformer T is monotonic if and only if: ( ∀ x , P ⇒ Q ) ⇒ ( ∀ x , T ( P ) ⇒ T ( Q ) ) {\displaystyle (\forall x,P\Rightarrow Q)\Rightarrow (\forall x,T(P)\Rightarrow T(Q))} This property is related to the consequence rule of Hoare logic. A predicate transformer T is strict iff: T ( f a l s e ) ⇔ f a l s e {\displaystyle T(\mathbf {false} )\ \Leftrightarrow \ \mathbf {false} } For instance, wp is strict, whereas wlp is generally not. In particular, if statement S may not terminate then w l p ( S , f a l s e ) {\displaystyle wlp(S,\mathbf {false} )} is satisfiable. We have w l p ( w h i l e t r u e d o s k i p d o n e , f a l s e ) ⇔ t r u e {\displaystyle wlp(\mathbf {while} \ \mathbf {true} \ \mathbf {do} \ \mathbf {skip} \ \mathbf {done} ,\mathbf {false} )\ \Leftrightarrow \mathbf {true} } Indeed, true is a valid invariant of that loop. A predicate transformer T is terminating iff: T ( t r u e ) ⇔ t r u e {\displaystyle T(\mathbf {true} )\ \Leftrightarrow \ \mathbf {true} } Actually, this terminology makes sense only for strict predicate transformers: indeed, w p ( S , t r u e ) {\displaystyle wp(S,\mathbf {true} )} is the weakest-precondition ensuring termination of S. It seems that naming this property non-aborting would be more appropriate: in total correctness, non-termination is abortion, whereas in partial correctness, it is not. A predicate transformer T is conjunctive iff: T ( P ∧ Q ) ⇔ ( T ( P ) ∧ T ( Q ) ) {\displaystyle T(P\wedge Q)\ \Leftrightarrow \ (T(P)\wedge T(Q))} This is the case for w p ( S , . ) {\displaystyle wp(S,.)} , even if statement S is non-deterministic as a selection statement or a specification statement. A predicate transformer T is disjunctive iff: T ( P ∨ Q ) ⇔ ( T ( P ) ∨ T ( Q ) ) {\displaystyle T(P\vee Q)\ \Leftrightarrow \ (T(P)\vee T(Q))} This is generally not the case of w p ( S , . ) {\displaystyle wp(S,.)} when S is non-deterministic. Indeed, consider a non-deterministic statement S choosing an arbitrary boolean. This statement is given here as the following selection statement: S = i f t r u e → x := 0 [ ] t r u e → x := 1 f i {\displaystyle S\ =\ \mathbf {if} \ \mathbf {true} \rightarrow x:=0\ [\!]\ \mathbf {true} \rightarrow x:=1\ \mathbf {fi} } Then, w p ( S , R ) {\displaystyle wp(S,R)} reduces to the formula R [ x ← 0 ] ∧ R [ x ← 1 ] {\displaystyle R[x\leftarrow 0]\wedge R[x\leftarrow 1]} . Hence, w p ( S , x = 0 ∨ x = 1 ) {\displaystyle wp(S,\ x=0\vee x=1)} reduces to the tautology ( 0 = 0 ∨ 0 = 1 ) ∧ ( 1 = 0 ∨ 1 = 1 ) {\displaystyle (0=0\vee 0=1)\wedge (1=0\vee 1=1)} Whereas, the formula w p ( S , x = 0 ) ∨ w p ( S , x = 1 ) {\displaystyle wp(S,x=0)\vee wp(S,x=1)} reduces to the wrong proposition ( 0 = 0 ∧ 1 = 0 ) ∨ ( 1 = 0 ∧ 1 = 1 ) {\displaystyle (0=0\wedge 1=0)\vee (1=0\wedge 1=1)} . The same counter-example can be reproduced using a specification statement (see above) instead: S = t r u e | {\displaystyle S\ =\ \mathbf {true} \ |} @ y . y ∈ { 0 , 1 } → x := y {\displaystyle y.\ y\in \{0,1\}\rightarrow x:=y} Computations of weakest-preconditions are largely used to statically check assertions in programs using a theorem-prover (like SMT-solvers or proof assistants): see Frama-C or ESC/Java2. Unlike many other semantic formalisms, predicate transformer semantics was not designed as an investigation into foundations of computation. Rather, it was intended to provide programmers with a methodology to develop their programs as "correct by construction" in a "calculation style". This "top-down" style was advocated by Dijkstra and N. Wirth. It has been formalized further by R.-J. Back and others in the refinement calculus. Some tools like B-Method now provide automated reasoning in order to promote this methodology. In the meta-theory of Hoare logic, weakest-preconditions appear as a key notion in the proof of relative completeness. In predicate transformers semantics, expressions are restricted to terms of the logic (see above). However, this restriction seems too strong for most existing programming languages, where expressions may have side effects (call to a function having a side effect), may not terminate or abort (like division by zero). There are many proposals to extend weakest-preconditions or strongest-postconditions for imperative expression languages and in particular for monads. Among them, Hoare Type Theory combines Hoare logic for a Haskell-like language, separation logic and type theory. This system is currently implemented as a Coq library called Ynot. In this language, evaluation of expressions corresponds to computations of strongest-postconditions. Probabilistic Predicate Transformers are an extension of predicate transformers for probabilistic programs. Indeed, such programs have many applications in cryptography (hiding of information using some randomized noise), distributed systems (symmetry breaking).