Calculational Design of [In]Correctness Transformational Program Logics by Abstract Interpretation

We study transformational program logics for correctness and incorrectness, which we extend to explicitly handle both termination and nontermination. We show that these logics are abstract interpretations of the right-image transformer of a natural relational semantics covering both finite and infinite executions. Understanding logics as abstractions of a semantics facilitates their comparison through their respective abstractions of the semantics (rather than through the much more difficult comparison of their formal proof systems). More importantly, the formalization provides a calculational method for constructively designing the sound and complete formal proof system by abstraction of the semantics. As an example, we extend Hoare logic to cover all possible behaviors of nondeterministic programs and design a new precondition (in)correctness logic.


INTRODUCTION
In verification, the focus is on which program properties can be expressed and proved. We discuss transformational (or Hoare's style) logics characterized by formulas expressing program properties that relate initial/input values of variables to their final/output values, nontermination, or runtime errors (or inversely final to initial) and a Hilbert-style proof system [Hilbert and Ackermann 1959, §10] to prove that a program has a property expressed by a formula of the logic (but not that a given program does not have a property expressed by a formula of the logic or that no program can have this property [Kim et al. 2023]). Examples are Hoare's logic [Hoare 1969] and the reverse Hoare logic [de Vries and Koutavas 2011] aka incorrectness logic [O'Hearn 2020].

The Classic Proof-Theoretic Approach
The "classic approach" to the design of a Hoare style logic follows the proof-theoretic semantics in logic originated by Hilbert, Gentzen, Prawitz, and others [Piecha and Schroeder-Heister 2019]. The true program properties are the provable ones, which is also the idea of "axiomatic semantics" [Winskel 1993], that is, Floyd's idea that a program proof method is "Assigning Meaning to Programs" [Floyd 1967]. First the syntax of program properties is defined (e.g. { } , { } { }, [ ] [ ]). Then proof rules are postulated (e.g. "If ⊢ { } and ⊢ ⊃ then ⊢ { } " [Hoare 1969, page 578]). Finally, soundness and completeness theorems are proved to relate the logic properties to a more concrete/refined semantics (e.g., years after its design, Hoare logic [Hoare 1969] was proved sound by Donahue [Donahue 1976] (with respect to a denotational semantics) and sound and relatively complete by Pratt [Pratt 1976] (with respect to a relational semantics excluding nontermination) and Cook [Cook 1978, 1981] (with respect to an operational trace semantics)). This design method has perdured over time, even if, nowadays, soundness and completeness proofs are often published together with the logic (e.g. [Bruni et al. 2023; Dardinier 2023; de Vries and Koutavas 2011; Gotsman et al. 2011; Möller et al. 2021; O'Hearn 2020; Vanegue 2022; Zhang et al. 2022; Zhang and Kaminski 2022; Zilberstein et al. 2023] a.o.). Therefore, in this "classic approach" the program properties of interest (partial correctness, total correctness, incorrectness, etc.) are the ones provable by the proof system, while the soundness and completeness theorems aim at connecting the provable properties to the program semantics.

The Model-Theoretic Semantic Abstraction Approach
In this paper, we consider an alternative "semantic abstraction approach", which is based on Tarski's truth paradigm [Tarski 1933] in model theory and the abstract interpretation of the semantics of languages [Cousot 2021; Cousot and Cousot 1977]. First, a formal semantics is specified for the language (preferably using structural fixpoints or deductive proof systems). This induces a collecting semantics defining the strongest (hyper) property of programs. Then the program properties of interest for the logic are specified by a Galois connection abstracting the collecting (hyper) properties. The abstraction is usually the composition of several primitive ones, in the spirit of [Cousot and Cousot 2014]. Varying the primitives and their composition yields different logics. At this point, the logic is precisely and fully determined, since all expressible properties of all programs have been formally specified. For example, the logic can be compared and combined with other logics (see e.g. Figs. 1, 2, 3 and the taxonomy in Sect. I.3.14). Finally the rules of the proof system are designed by calculus using fixpoint abstraction (Sect. II.2), fixpoint induction principles (Sect. II.3), and Peter Aczel's construction [Aczel 1977] of deductive rule-based systems from fixpoints, or conversely (Sect. II.5).
The advantage is that reasoning on abstractions of program properties is much more concise and easier than reasoning on proof systems. This clearly appears e.g. in Fig. 2, which compares 40 logics by combining only 8 abstractions (plus one, common to all logics, defining "transformational"). Fig. 2 is itself part of the lattice of abstract interpretations of [Cousot and Cousot 1977, section 8], including many logics whose abstraction is given in this paper. Another advantage is that the proof system is derived by calculus and so is sound and complete by construction.

The Structure of the Paper
The paper has two main parts. In the first part, we characterize the semantics of transformational logics, i.e. their true formulas (a theory, in logic), as an abstract interpretation of the program (collecting) semantics. This allows us to provide a taxonomy of transformational semantics by comparing their abstractions, without referring to their proof systems.
After showing that theories of logics are set abstractions of the program (collecting) semantics in the first part, we have to design the corresponding proof systems in the second part.
Aczel has shown that deductive rule-based systems and set-theoretic fixpoint definitions are equivalent [Aczel 1977]. Therefore we first define the program semantics in fixpoint form, then abstract this semantics to get a fixpoint definition of the theory of the logic, and finally apply Aczel's method to derive the equivalent proof system. The proof system is then sound and complete by construction.
States ∈ Σ ≜ X → V (also called environments) map variables x ∈ X to their values (x) in V, including the integers, Z ⊆ V. We let ∉ Σ denote nontermination, with Σ ≜ Σ ∪ { }. We deliberately leave unspecified the syntax and semantics of arithmetic expressions A A ∈ Σ → V and Boolean expressions B B ∈ ℘(Σ) ≃ Σ → {true, false}. The only assumption on expressions is the absence of side effects.
The relational semantics S of a command S ∈ S is an element of ℘(Σ × Σ). Formally, ⟨ , ′⟩ ∈ S means that an execution of the nondeterministic command S from initial state ∈ Σ may terminate in final state ′ ∈ Σ or may not terminate, when ′ = . (The relational semantics could have been proven to be the abstraction of a finite and infinite trace semantics [Cousot 2021].) The right image .{ ′ ∈ Σ | ⟨ , ′⟩ ∈ S } of the natural relational semantics S is isomorphic to Plotkin's natural denotational semantics [Plotkin 1976]. Such natural relational semantics originate with Park [Park 1979].
We follow the tradition established by Plotkin [Plotkin 2004a,b] of defining the program semantics by structural induction (i.e. by induction on the program syntax) using a deductive system of rules. We extend the semantics of the deductive system using bi-induction, combining induction for terminating executions and co-induction for nonterminating ones [Cousot and Cousot 1992, 1995, 2009].

Let us write judgements ⊢
Moreover, for the conditional iteration statement W ≜ while (B) S, we write ⊢ W ⇒ ′ to mean that if is a state before executing W, then ′ is reachable after 0 or more iterations of the loop body (so = ′ for 0 iterations, before entering the loop in case (2.a)). We have the axiom and inductive rule for iterations W (a) The following axioms define termination (these are axioms since the precondition has been previously established either by ⇒ or by structural induction). (3.b) is for termination by a break. (a) The following axiom and co-inductive rule define nontermination (the left rule is an axiom since the precondition has already been defined either by ⇒ or by structural induction). Rule (4.b), marked ∞ on the right, is co-inductive. (a)

I.1.2 State Properties, Semantics Properties, and Collecting Semantics
We define properties in extension as the set of elements of a universe U that have this property. So false is [Grätzer 1998].
For example, properties of states ∈ Σ (considered to be the universe) belong to ℘(Σ). The singleton { } is the property "not to terminate", ∅ is "false", { 1, . . ., } ⊆ Σ is "to terminate with any one of the states 1, . . ., ∈ Σ", { 1, . . ., , } is "to terminate with any one of the states 1, . . ., ∈ Σ or not to terminate", Σ is "to terminate", Σ is "true", i.e. "to terminate with any state in Σ or not to terminate" (the common alternative, to terminate with an error, is assumed to be encoded with some specific values in the set Σ of states).

I.2 GALOIS CONNECTIONS
Galois connections [Cousot 2021, Ch. 11] are used throughout the paper. They formalize correspondences between program properties that preserve implication and in which one side is less precise/expressive than the other. The interest is that proofs in the abstract are valid in the concrete (or equivalent in case of Galois isomorphisms). Moreover, there is a most precise way to abstract any concrete property or logic, which provides a guideline for the calculational design of logics from a program semantics. The definition and properties of Galois connections are recalled in appendix A.

I.3 THE DESIGN OF A NATURAL TRANSFORMATIONAL LOGIC THEORY BY COMPOSING ABSTRACTIONS OF THE NATURAL RELATIONAL SEMANTICS
A program logic consists of formal statements, some of which are true and constitute the theory of the logic. Our objective in this section is to characterize the theory of transformational logics by abstraction of the natural relational collecting semantics. This abstraction is obtained by composition of basic Galois connections and functors introduced in this section.
By adding auxiliary variables (see Sect. E.1 in the appendix), this specification can also be partially formulated by two Hoare triples { = ⩾ 0 ∧ = 1} fact { = ! } (although not ensuring termination) and { < 0 ∧ = 1} fact {false} (ensuring nontermination), but the conjunction of Hoare triples is not a Hoare triple and, anyway, the partial specification cannot preclude nontermination when ⩾ 0.
This specification cannot be expressed in Manna and Pnueli's logic [Manna and Pnueli 1974] since the program is not totally correct.
The theory of the adequate logic (which we call the natural transformational over approximation logic) will be formally specified in (13). The proof system of this logic is designed in Sect. II.8.1. ∎

I.3.1 Collecting Semantics to Semantics Abstraction
The collecting semantics of a program component is its strongest property, so transformational logic statements are weaker abstract properties, which we specify by composition of Galois connections. The first abstraction abstracts hyper properties into properties. Let D be a set (e.g. D = Σ × Σ for the natural relational semantics of Sect. I.1.1). There is a Galois connection where ( ) ≜ ⋃ is surjective and ∎ Our first abstraction is therefore ({|S|}) = ({ S }) = S where the natural relational semantics defined in Sect. I.1.1 specifies the program properties of interest.

I.3.2 Semantics to Relational Postcondition Transformer Post Abstraction
While the natural relational semantics establishes a relation between initial and final states or nontermination, the postcondition transformers establish a relation between properties of initial states and properties of final states or nontermination. The postcondition may be an assertion on final states only (as in Hoare partial correctness logic [Hoare 1969]) or a relation between initial and final states (as in Manna partial correctness [Manna 1971]). The postcondition may also include nontermination. Although Hoare logic is assertional, the initial values of variables can be recorded into auxiliary variables (see Sect. E.1 in the appendix). We start with the relational case since assertional property transformers are abstractions of relational ones (as shown in Sect. I.3.6).
The relational postcondition transformer Post is also called the relational forward/right-image/post-image/strongest consequent/strongest postcondition transformer.
Post( ({|S|})) = Post S is a relation between initial states related to 0 satisfying the precondition and final states ′ related to 0 upon termination of S, or ′ = in case of nontermination. This is the basis for the natural relational transformational logic (as in example I.3.1 and Sect. II.8.1), except for the use of a transformer instead of logic triples. We will later prove in (35) that Post is the lower adjoint of a Galois connection.
Example I.3.3. Incrementation is characterized by Post(x = x+1)(x = x0) = (x = x0 + 1) which, representing the semantics and relational properties as sets, is Post({⟨ , Here, 0 is the initial value of the variables before the assignment but, in general, this initial relation can be arbitrary. More generally, Floyd's strongest postcondition for assignment where G( ) ≜ . ( such that ⟨ , ⟩ ∈ ) is uniquely well-defined since is a functional relation.

We have
is the set of pairs ⟨ , ⟩ such that is the strongest relational postcondition of for the natural relational semantics S. It is not a program logic since, as was the case for transformers, it is missing a consequence rule.
Example I.3.4. Floyd/Hoare logic rules [Hoare 1978] provide the strongest assertional postcondition except for the iteration and consequence rules, e.g., { }skip{ } is { }skip{post( skip ) } (see (10) below for the classic definition of post). But excluding the consequence rule and using the following iteration rule (for bounded nondeterminism) would yield the strongest postcondition in all cases. ∎
In contrast, as first shown by Turing [Morris and Jones 1984; Turing 1950], using execution properties is the basis for elegant and concise program correctness proofs since it allows for approximations. This is even implicitly acknowledged by the most enthusiastic supporter of transformers. Edsger W. Dijkstra in [Dijkstra 1976] has chapters 0 to 4 defining predicate transformers until chapter 5 introduces property weakening by implication (i.e. one form of approximation) as well as the "Fundamental Invariance Theorem for Loops" (i.e. fixpoint induction Th. II.3.1 replacing the strongest loop invariant by weaker ones). Moreover, in chapter 6, it is explained how "to choose an appropriate proof for termination" (for bounded nondeterminism). Iterative program design and proofs are only considered after over approximation (invariance) and under approximation (for termination) have been introduced, from chapter 7 on. We have to do the same, but for any transformer (including Post S ).
For that purpose, we introduce weakening and strengthening abstractions. Consequence rules, understood as an abstraction losing precision on program properties, will be a specific instance for a specific transformer. We also need compatible general induction principles to handle loops (of which invariance and (non)termination will be specific instances). Such induction principles are not relative to expressivity but to proofs, and so will be considered in part 2 of the paper.

I.3.4.1 The Over Approximation Abstraction. Pairs of properties ⟨ , ⟩ ∈ ∈ ℘(℘(X) × ℘(Y)) can be approximated by weakening or strengthening and/or . For Hoare logic [Hoare 1969], we can strengthen by ′ ⊆ and weaken by ′ such that ⊆ ′. This is the over approximation abstraction post(⊇, ⊆) and the componentwise ordering ⊑, ⪯ on pairs. If ∈ ℘(X × Y), we have the classic Galois connection where pre( ) = { | ∀ . ⟨ , ⟩ ∈ ⇒ ∈ } (see example C.1 in the appendix). The theory of the natural transformational over approximation logic is therefore that, for any initial state related to 0 by the precondition and any final state ′ of S, possibly , the pair ⟨ 0, ′⟩ satisfies the postcondition , as considered in example I.3.1. The difference with the interpretation of Manna and Pnueli total correctness logic [Manna and Pnueli 1974] is that we may have ⟨ 0, ⟩ ∈ , thus allowing possible nontermination for some initial pair of states ⟨ 0, ⟩ of . Therefore we can express both total and partial correctness, plus nontermination when = Σ × { }. With this convention, only one of Dijkstra's weakest precondition transformers [Dijkstra 1975, 1976; Dijkstra and Scholten 1990] is needed since wlp(S, ) = wp(S, ∪ { }). This is similar to the classic characterization of Hoare logic by a forward transformer, { }S{ } if and only if post S ⇒ , given by [Pratt 1976, equation (S), p. 110] or, equivalently by (12), ⇒ pre S [Pratt 1976, equation (w), p. 110] (except that in (13), and are relational and take nontermination into account). By (12), the abstraction post(⊇, ⊆) is the lower adjoint of a Galois connection.
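As an added example (not code from the paper), the following Python block makes the over approximation abstraction concrete on a finite model: a constructed natural relational semantics R ⊆ Σ × Σ⊥ of a small nondeterministic command, the right-image transformer post and the dual precondition transformer pre~ (written `pre_tilde`), the Galois connection post(P) ⊆ Q ⟺ P ⊆ pre~(Q) checked exhaustively over all P ⊆ Σ and Q ⊆ Σ⊥, and the claim that with nontermination in the postcondition a single transformer suffices, wlp(S, Q) = wp(S, Q ∪ {⊥}). The state space {0, 1, 2, 3}, the relation R and the string `"bot"` standing for ⊥ are all assumptions of the example.

```python
# Added example, not from the paper: a natural relational semantics with an
# explicit nontermination state and the post / pre~ transformers behind the
# Galois connection used to characterize Hoare logic.
from itertools import combinations

BOT = "bot"  # stands for the nontermination state, the paper's ⊥ in Σ⊥ = Σ ∪ {⊥}

SIGMA = frozenset({0, 1, 2, 3})      # constructed finite state space Σ
SIGMA_BOT = SIGMA | {BOT}            # Σ⊥

# Constructed natural relational semantics R ⊆ Σ × Σ⊥ of a nondeterministic
# command: from 0 or 2 it terminates deterministically, from 1 it may either
# terminate in 0 or loop forever, from 3 it always loops forever.
R = frozenset({(0, 1), (2, 3), (1, 0), (1, BOT), (3, BOT)})


def powerset(universe):
    """All subsets of a finite universe, as sets."""
    items = sorted(universe, key=str)
    return [set(c) for k in range(len(items) + 1) for c in combinations(items, k)]


def post(rel, p):
    """Right image / strongest postcondition: states (or bot) reachable from some state of p."""
    return {s2 for (s1, s2) in rel if s1 in p}


def pre_tilde(rel, q):
    """Dual precondition pre~: states all of whose successors lie in q."""
    return {s for s in SIGMA if all(s2 in q for (s1, s2) in rel if s1 == s)}


def wp(rel, q):
    """Weakest precondition: every execution terminates in q (q contains no bot)."""
    assert BOT not in q
    return pre_tilde(rel, q)


def wlp(rel, q):
    """Weakest liberal precondition, obtained as wp(S, q ∪ {bot}): terminating runs end in q."""
    return pre_tilde(rel, set(q) | {BOT})


def hoare_partial(rel, p, q):
    """{p} S {q} in partial correctness: post(p) ⊆ q ∪ {bot}."""
    return post(rel, p) <= (set(q) | {BOT})


def hoare_total(rel, p, q):
    """{p} S {q} with nontermination excluded from the postcondition: post(p) ⊆ q."""
    return post(rel, p) <= set(q)


def galois_holds(rel):
    """Exhaustive check of post(p) ⊆ q  <=>  p ⊆ pre~(q) over all p ⊆ Σ and q ⊆ Σ⊥."""
    return all((post(rel, p) <= q) == (p <= pre_tilde(rel, q))
               for p in powerset(SIGMA) for q in powerset(SIGMA_BOT))


if __name__ == "__main__":
    print("post({1}) =", post(R, {1}))          # {0, 'bot'}: may terminate in 0 or diverge
    print("wp(Q)  =", wp(R, {0, 1, 3}))          # {0, 2}: only states with no diverging run
    print("wlp(Q) =", wlp(R, {0, 1, 3}))         # {0, 1, 2, 3}: divergence tolerated
    print("Galois connection holds:", galois_holds(R))
```

State 1 is the interesting one: it satisfies the partial correctness triple {1} S {0} (its only terminating run ends in 0) but not the total correctness variant, because post({1}) contains bot; the exhaustive check confirms that post and pre~ form a Galois connection on this model for every choice of precondition and postcondition, which is what licenses the consequence rule.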

I.3.4.2 The Under Approximation Abstraction. For the natural transformational under approximation logic, as well as reverse Hoare logic [de Vries and Koutavas 2011] aka incorrectness logic [O'Hearn 2020], we can weaken by ′ ⊇ and strengthen by ′ such that ⊇ ′. This is the under approximation abstraction post(⊆, ⊇). The theory of the natural transformational under approximation logic is therefore that, for any initial state related to 0 satisfying the precondition and any final state ′ related to 0, possibly , if the pair ⟨ 0, ′⟩ satisfies the postcondition then there exists an execution of S from to ′ (possibly nontermination). The difference with reverse Hoare logic [de Vries and Koutavas 2011] aka incorrectness logic [O'Hearn 2020] is that we may have ⟨ , ⟩ ∈ , thus allowing possible nontermination for some initial states ⟨ 0, ⟩ of , so we can express both total and partial correctness plus nontermination when = Σ × { }.
Up to the use of relations instead of assertions and the consideration of nontermination , this is similar to the classic characterization of reverse Hoare logic aka incorrectness logic by a forward transformer, { }S{ } if and only if ⇒ post( S ), given by [de Vries and Koutavas 2011, section 5] and [O'Hearn 2020, Lemma 3.(2)], showing that both logics have the same semantics/theory (again up to nontermination and relational postconditions). By (12), the abstraction post(⊆, ⊇) is the lower adjoint of a Galois connection.

I.3.4.3 The Incorrectness Logic is Insufficient to Prove That All Alarms in Static Analysis Are True or False Alarms. Incorrectness logic [O'Hearn 2020] "was motivated in large part by the aim of providing a logical foundation for bug-catching program analyses" [Le et al. 2022]. In particular, incorrectness logic is useful to prove that alarms raised by static analyzers are true alarms. This consists of showing that the alarm is definitely reachable from some input. However, not all alarms are reachable from initial states, since static analyses over approximate reachable states, so that code unreachable under the precondition may produce false alarms.
Example I.3.5. Consider the factorial of example I.3.1 specified by { = 1} fact { > 0}. This contract is obviously satisfied since on exit = ! > 0. However, an interval analysis of this program with initially n ∈ Z is totally imprecise and will produce an alarm on program exit with postcondition = f ⩽ 0. This is a false alarm since the loop exit is unreachable. This unreachability is not provable by incorrectness logic. It is provable by Hoare logic as { < 0 ∧ = 1} fact {false}, but then we don't want to use two different logics to prove incorrectness, which is the main motivation for recent work on combining logics (e.g. [Bruni et al. 2023; Maksimovic et al. 2023; Milanese and Ranzato 2022; Zilberstein et al. 2023], etc.). It is also provable by the natural transformational under approximation logic, which extends incorrectness logic to nontermination, that is, in the assertional form of Sect. I.3.6, { } ⊆ Post fact { < 0 ∧ = 1}, see example II.8.2. ∎
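To make the false-alarm argument of example I.3.5 checkable, here is an added Python example (not the paper's code) that builds the natural relational semantics of `fact ≜ while (n != 0) { f := f * n; n := n - 1 }` on a constructed, bounded set of initial states (n, f), and evaluates the three readings discussed above: the Hoare partial correctness triple {n < 0 ∧ f = 1} fact {false}, its total correctness variant, and the under approximation (incorrectness-style) judgement {⊥} ⊆ Post fact {n < 0 ∧ f = 1}. The relation is constructed directly from the loop's behaviour rather than computed by an interpreter, and the range of n, the initial values of f and the string `"bot"` for ⊥ are assumptions of the example.

```python
# Added example, not from the paper: the factorial program of example I.3.5 on
# a bounded set of initial states, checked against the over approximation
# (Hoare-like) and under approximation (incorrectness-like) readings with an
# explicit nontermination state.
import math

BOT = "bot"   # nontermination state, the paper's ⊥

# Constructed initial states (n, f) for fact; f = 0 is included on purpose so
# that the same alarm can be shown true under a weaker precondition.
N_VALUES = range(-3, 5)
INIT = frozenset((n, f) for n in N_VALUES for f in (0, 1))


def fact_semantics(init):
    """Constructed natural relational semantics of fact on the initial states init.
    For n >= 0 the loop exits with n = 0 and f multiplied by n!; for n < 0 the
    counter only decreases and never reaches 0, so the execution does not
    terminate, which is recorded as the pair (state, bot)."""
    rel = set()
    for (n, f) in init:
        if n >= 0:
            rel.add(((n, f), (0, f * math.factorial(n))))
        else:
            rel.add(((n, f), BOT))
    return frozenset(rel)


FACT = fact_semantics(INIT)


def post(rel, p):
    """Right image: final states (or bot) reachable from some initial state of p."""
    return {s2 for (s1, s2) in rel if s1 in p}


def hoare_partial(rel, p, q):
    """{p} S {q}: all terminating executions from p end in q (bot is tolerated)."""
    return post(rel, p) <= (set(q) | {BOT})


def hoare_total(rel, p, q):
    """Nontermination excluded from the postcondition: post(p) ⊆ q."""
    return post(rel, p) <= set(q)


def under_approx(rel, p, q):
    """Under approximation (reverse Hoare / incorrectness) reading: every element
    of q, possibly bot, is reached from some initial state of p, i.e. q ⊆ post(p)."""
    return set(q) <= post(rel, p)


# Preconditions from the example: f = 1, and n < 0 ∧ f = 1.
P_ONE = {s for s in INIT if s[1] == 1}
P_NEG = {s for s in INIT if s[0] < 0 and s[1] == 1}

# The alarm raised by the imprecise interval analysis: f <= 0 at loop exit.
Q_BAD = {s for s in post(FACT, INIT) if s != BOT and s[1] <= 0}


def alarm_is_false(rel, p):
    """True when no final state with f <= 0 is reachable from p."""
    return not (post(rel, p) & Q_BAD)


def loop_exit_unreachable(rel, p):
    """Definite nontermination from p: bot is the only reachable outcome."""
    return post(rel, p) == {BOT}


if __name__ == "__main__":
    print("Hoare {n<0 ∧ f=1} fact {false}:", hoare_partial(FACT, P_NEG, set()))   # True
    print("total correctness variant:", hoare_total(FACT, P_NEG, set()))          # False
    print("{bot} ⊆ Post fact {n<0 ∧ f=1}:", under_approx(FACT, P_NEG, {BOT}))    # True
    print("f<=0 alarm is false under f=1:", alarm_is_false(FACT, P_ONE))          # True
    print("f<=0 alarm is true under f in {0,1}:", not alarm_is_false(FACT, INIT)) # True
```

Under the precondition f = 1 no final state has f ⩽ 0, so the interval analyzer's alarm cannot be confirmed by any under approximation judgement with that postcondition, while the nontermination judgement {⊥} ⊆ Post fact {n < 0 ∧ f = 1} does hold; dropping the precondition to f ∈ {0, 1} makes (0, 0) reachable and the same alarm becomes a true one, which is the point that the precondition, not only the postcondition, decides whether an alarm is real.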

I.3.5 To Terminate or Not to Terminate Abstraction for Properties
Total correctness excludes nontermination while partial correctness allows it. This corresponds to different abstractions of the natural relational semantics.
I.3.5.1 The Termination Exclusion Abstraction. We can exclude the possibility of nontermination by the abstraction excluding from the postcondition. This is an abstraction by the Galois connection (Manna and Pnueli total correctness logic). By eliminating the nontermination possibility from the postcondition of the natural transformational over approximation logic (13), we get Manna and Pnueli logic [Manna and Pnueli 1974], that is, for any initial state ⟨ 0, ⟩ satisfying the precondition , execution terminates in a final state ′ such that the pair ⟨ 0, ′⟩ satisfies the postcondition ∩ (Σ × Σ). This is relational total correctness since nontermination is excluded. ∎

Another abstraction to specify total correctness is to consider a transformer for a modified semantics S ∪ {⟨ 0, ′⟩ | ⟨ , ⟩ ∈ S ∧ ′ ∈ Σ} returning any possible result in case of nontermination [Plotkin 1979], using the Smyth powerdomain [Smyth 1978], so that it is impossible to draw any conclusion on final values in case of possible nontermination for an initial state. However, this is an impractical basis for static analysis since the abstraction introduces great imprecision.

I.3.5.2 The Termination Inclusion Abstraction. We can include the possibility of nontermination by the abstraction allowing the possibility of nontermination for all input states by adding to the postcondition. This is an abstraction by a Galois connection.

Example I.3.7 (Manna relational partial correctness logic). Manna's relational partial correctness logic [Manna 1971] includes the nontermination possibility for all input states. Its theory is when using the angelic semantics S, i.e. any terminating execution started within satisfies . ∎

So to prove partial correctness, we essentially add the possibility of nontermination to postconditions in ℘(Σ × Σ). However, for partial correctness, postconditions are traditionally chosen in

Example I.3.8 (Manna relational partial correctness logic, continuing example I.3.7). In that case, the theory of Manna's logic is

I.3.6 Relational to Assertional Abstraction
Since they relate initial pairs ⟨ 0, ⟩ to final pairs ⟨ 0, ′⟩, with 0 ∈ X, ∈ Y, and ′ ∈ Z, relational logics have their theory in a set ℘(℘(X × Y) × ℘(X × Z)) while assertional logic theories are in ) where, e.g., the postcondition is on final states and unrelated to the initial ones. This is an abstraction by projection on the second component .
At this point we have got the theory of Hoare logic as the abstraction 6), page 749] (generalizing [Harel 1979], which uses naturals, to unbounded nondeterminism using ordinals, equivalently a variant function into well-founded sets, as first considered by Turing [Turing 1950] and Floyd [Floyd 1967]).
∎ Similarly, we can define an abstraction by projection on the first component, so that by composition of Galois connections and isomorphisms (proposition B.1) and by the forthcoming (27), we have a Galois connection similar to (23) for ⟨ ↓1, ↓1⟩.
One may wonder why, for such a well-known result, we have considered so many successive abstractions (six when including the abstraction (5) of the collecting semantics into the relational semantics). There are three main reasons.
(1) The composition of Galois connections and isomorphisms is a Galois connection (Prop. B.1 in the appendix). Since abstractions preserve existing joins and concretizations preserve existing meets, we get "healthiness conditions" (such as [Hoare 1978, (H2), page 469]) as theorems, not hypotheses. In the absence of a Galois connection, there would be no unique, most precise approximation of the collecting semantics by a formula of the logic (e.g. [Gotsman et al. 2011]);
(2) By varying the abstractions slightly, we get a hierarchy of transformational logics (which extends the hierarchy of semantics in [Cousot 2002]) that we can compare without even knowing their proof systems. This is the objective for the rest of this part I on the theories of logics;
(3) Knowing the program semantics and its abstraction to the theory of a logic, we can constructively design, by calculus, a sound and complete proof system for this logic. This will be developed in part II.

I.3.7 The Forward Transformational Logics Hierarchy
We have built the theories of the logics in Fig. 1 by composition of abstractions. The relational and assertional logics are considered equivalent in practice by using an auxiliary program with phantom variables recording the values of the initial or final variables (see Sect. E.1 in the appendix). By allowing the explicit use of nontermination in the postcondition, the over/under approximating antecedent/consequent logics subsume their approximations by 2 or 2 / and ↓2 (including the logics marked by circled numbers, which do not seem to have been considered in the literature). In the same way that false is satisfied by no element of the universe in logic, some transformational logics have the emptiness property, meaning that some programs satisfy no formula of the logic. This is the case of a nonterminating program for Manna and Pnueli total correctness logic [Manna and Pnueli 1974]. Emptiness may look awkward since using the deductive system to prove any specification will always fail.
In the same way that true is satisfied by all elements of the universe in logic, transformational logics may have the universality property, meaning that there exist programs for which any pair ⟨ , ⟩ for that program is in the logic (i.e. is satisfied, in logical terms). For example, in Hoare logic, { } while (true) skip { } is satisfied for all and . [ ] S [false] is always true in incorrectness logic [O'Hearn 2020]. Universality may look awkward since using the deductive system to prove this obvious fact may be very complicated.
These phenomena have been criticized (e.g. emptiness for necessary preconditions [Cousot et al. 2013, 2011] in [O'Hearn 2020, section, page 10:28]) but are inherent to semantic approximation.

I.3.8.2 Correctness Versus Incorrectness. The use of a logic to prove correctness or incorrectness is not intrinsic but depends upon the application domain. For example, termination is required for most programs, so that Manna and Pnueli logic [Manna and Pnueli 1974] is a correctness logic. However, operating systems should not terminate, and proving the contrary by Manna and Pnueli logic [Manna and Pnueli 1974] would make it an incorrectness logic. Another example is incorrectness logic [O'Hearn 2020], which has the same theory as the reverse Hoare logic used by [de Vries and Koutavas 2011] to prove correctness. The qualification of under or over approximation instead of correctness or incorrectness logics looks more independent of specific applications, as suggested by [Maksimovic et al. 2023].

I.3.9 Backward Logics
Backward logics originate from the inversion abstraction (using the inverse program semantics ( S )−1) or the dual complement abstraction (stating the impossibility of the negation of a property, which is called the duality principle for programs by Pratt [Pratt 1976, p. 110] and the conjugate in [Dijkstra and Scholten 1990, equation (2), page 82]). They correspond to the commutative diagram of [Cousot and Cousot 1977, page 241], also found in [Cousot and Cousot 1982, page 98] (where inversion is −1 and complement is ~), diagrams which are extended in Fig. 2.

I.3.9.1 The Inversion Abstraction. As noticed by [Pratt 1976, section 1.2], the inversion isomorphism transforms forward antecedent-consequent logics into backward consequent-antecedent logics. For that purpose, let us define the relation inversion isomorphic abstraction −1, its pointwise extension .−1, and the inverse transformer abstraction, so that we have the following Galois isomorphisms.

Using these Galois isomorphisms (28), we define the precondition transformer so that Pre( ) is the set of initial states related to from which it is possible to reach a final state ′ related to satisfying the consequent through a transition by .

⊆̇ is the pointwise extension of ⊆, that is, . ⊆̈ is the pointwise extension of ⊆̇, etc. Using this Galois connection (33), we define the dual complement transformers.
The classic transformers (38) are illustrated by Fig. 4 in appendix A. Given a relation ∈ ℘(X × Y), in addition to (12), these classic transformers are also connected as follows [Cousot 2021, Chapter 12]. The incorrectness Hoare logic is designed in Sect. J.1 in the appendix. ∎ All transformers in (35), (12), and (39) inherit the properties of Galois connections. For example, the lower adjoint preserves arbitrary joins and, dually, the upper adjoint preserves arbitrary meets. This implies, for example, the healthiness conditions postulated for transformers [Dijkstra and Scholten 1990; Hoare 1978].
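The connections between the four classic transformers stated above, and the join/meet preservation that the Galois connections guarantee, can be checked exhaustively on a small relation. The following Python block is an added example, not code from the paper: it defines post, pre, post~ and pre~ for a constructed relation r ⊆ X × Y, verifies that pre is post of the inverse relation (inversion), that pre~ and post~ are the dual complements of pre and post, that post/pre~ and pre/post~ form Galois connections, and that the lower adjoint pre preserves unions while, for a nondeterministic relation, it need not preserve intersections (the situation of Remark I.3.12 below). The sets X, Y and the relation R are assumptions of the example.

```python
# Added example, not from the paper: the four classic transformers of a
# relation, their inversion and dual-complement connections, and join/meet
# preservation, all checked exhaustively on a constructed finite relation.
from itertools import combinations

# Constructed relation R ⊆ X × Y: 'a' is nondeterministic, 'b' and 'c' are
# deterministic, and 4 ∈ Y has no predecessor.
X = frozenset({"a", "b", "c"})
Y = frozenset({1, 2, 3, 4})
R = frozenset({("a", 1), ("a", 2), ("b", 2), ("c", 3)})


def powerset(universe):
    """All subsets of a finite universe, as sets, smallest first."""
    items = sorted(universe, key=str)
    return [set(c) for k in range(len(items) + 1) for c in combinations(items, k)]


def inverse(rel):
    return frozenset((y, x) for (x, y) in rel)


def post(rel, p):
    """Right image: {y | ∃x ∈ p. (x, y) ∈ rel}."""
    return {y for (x, y) in rel if x in p}


def pre(rel, q):
    """Left image / possible precondition: {x | ∃y ∈ q. (x, y) ∈ rel}."""
    return {x for (x, y) in rel if y in q}


def post_tilde(rel, p, xs=X, ys=Y):
    """Dual right image: {y | ∀x. (x, y) ∈ rel ⇒ x ∈ p}."""
    return {y for y in ys if all(x in p for (x, y2) in rel if y2 == y)}


def pre_tilde(rel, q, xs=X, ys=Y):
    """Dual left image: {x | ∀y. (x, y) ∈ rel ⇒ y ∈ q}."""
    return {x for x in xs if all(y in q for (x2, y) in rel if x2 == x)}


def connections_hold(rel, xs=X, ys=Y):
    """For all p ⊆ X and q ⊆ Y, check
       pre(rel)(q) = post(rel⁻¹)(q)                (inversion)
       pre~(rel)(q) = X \\ pre(rel)(Y \\ q)          (dual complement)
       post~(rel)(p) = Y \\ post(rel)(X \\ p)        (dual complement)
       post(rel)(p) ⊆ q  <=>  p ⊆ pre~(rel)(q)     (Galois connection)
       pre(rel)(q) ⊆ p   <=>  q ⊆ post~(rel)(p)    (Galois connection)"""
    inv = inverse(rel)
    for p in powerset(xs):
        for q in powerset(ys):
            if pre(rel, q) != post(inv, q):
                return False
            if pre_tilde(rel, q, xs, ys) != xs - pre(rel, ys - q):
                return False
            if post_tilde(rel, p, xs, ys) != ys - post(rel, xs - p):
                return False
            if (post(rel, p) <= q) != (p <= pre_tilde(rel, q, xs, ys)):
                return False
            if (pre(rel, q) <= p) != (q <= post_tilde(rel, p, xs, ys)):
                return False
    return True


def pre_preserves_joins(rel, ys=Y):
    """Lower adjoint property: pre(q1 ∪ q2) = pre(q1) ∪ pre(q2) for all q1, q2 ⊆ Y."""
    return all(pre(rel, q1 | q2) == pre(rel, q1) | pre(rel, q2)
               for q1 in powerset(ys) for q2 in powerset(ys))


def pre_meet_counterexample(rel, ys=Y):
    """A pair (q1, q2) with pre(q1 ∩ q2) ≠ pre(q1) ∩ pre(q2), or None if pre
    happens to preserve meets for this relation."""
    for q1 in powerset(ys):
        for q2 in powerset(ys):
            if pre(rel, q1 & q2) != pre(rel, q1) & pre(rel, q2):
                return (q1, q2)
    return None


if __name__ == "__main__":
    print("connections hold:", connections_hold(R))          # True
    print("pre preserves joins:", pre_preserves_joins(R))    # True
    print("meet counterexample:", pre_meet_counterexample(R))  # ({1}, {2}): pre = {'a'} ∩ {'a','b'} but pre(∅) = ∅
```

The counterexample comes from the nondeterministic state 'a': it can reach 1 and it can reach 2, so it belongs to pre({1}) ∩ pre({2}), yet no single execution reaches both, so pre({1} ∩ {2}) = pre(∅) = ∅; the dual transformer pre~, being an upper adjoint, preserves intersections instead.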
Remark I.3.12. By (12), pre preserves joins (∪) but maybe not meets (∩). Same for post. ∎

I.3.12 To Terminate or Not to Terminate Abstraction for Transformers
We have shown in Sect. I.3.5 that we can abstract antecedent-consequent pairs by (15) or (18) to take nontermination into account (e.g. total correctness) or not (partial correctness). An equivalent alternative uses the natural semantics S or the angelic one S in (1). We can also abstract transformers, which we do in the assertional case.

I.3.13 Abstract Logics
Finally, logics may refer to any abstraction of the antecedents and consequents of a transformational logic. For example, [Cousot et al. 2012] is an abstraction of Hoare logic such that { ¯ } S { ¯ } means the Hoare triple { 1( ¯ )} S { 2( ¯ )}. Without appropriate hypotheses on the abstraction, some rules of Hoare logic like disjunction and conjunction may be invalid in the abstract; see counterexamples and sufficient hypotheses in [Cousot et al. 2012, pages 219-221]. Similarly, [Gotsman et al. 2011] provides a counterexample showing the unsoundness of the conjunction rule. This is an argument for the use of a principled method for designing logics.
Another abstract logic [Bruni et al. 2023] combines an over approximation (for correctness) and an under approximation (for incorrectness) in the same abstract domain. The "(relax)" rule requires that the under approximation use abstract properties ( ) that exactly represent concrete properties, by requiring that ○ ( ) = . This restricts the concrete points that can be used in the under approximation, and will be a source of incompleteness and imprecision for most static analyses.
Under approximation is the order semidual of over approximation, with abstraction ⟨℘(Σ), ⊒⟩, exploited e.g. in [Ball et al. 2005]. The study by [Ascari et al. 2022] provides a number of classic abstract domain examples showing the imprecision of such under approximation static analyses, but for a few exceptions like [Asadi et al. 2021; Miné 2014].
These under approximation approaches are based on Th. II.3.6 for fixpoint under approximation by transfinite iterates. Termination proofs do not use an under approximation but instead an over approximation and a variant function as, e.g., in Th. II.3.8. Alternatively, over approximating static analysis is classic, and variant functions can also be inferred by abstract interpretation.

I.3.14 The Subhierarchy of Assertional Logics
Comparing logics means comparing their theories, that is their expressivity, through their respective abstractions of the collecting semantics (as formalized by fixpoint abstraction in Sect. II.2), and comparing the induction principles induced by their abstractions (as formalized in Sect. II.3 by fixpoint induction). For example, Fig. 3 shows that Hoare logic and subgoal induction are different but equivalent abstractions of the collecting semantics, so they have the same theory and equivalent but different proof systems. These abstractions yield the hierarchical taxonomy of assertional transformational logics of Fig. 3, which is a subset of Fig. 2. Fig. 3, with a larger instance in appendix A, is commented on below.

We use universal to mean for all initial or final states and existential to mean there exists at least one initial or final state. We use reachability (often forward) for initial to final states and accessibility (often backward) for final to initial states. We use definite to mean "for all executions" and possible to mean "for some execution" (maybe none). In both cases, the qualification does not exclude possible nontermination or blocking states, which is emphasized by partial. We use total to mean that all executions must be finite. We use blocking to mean a state which is not final but from which execution cannot go on. No such blocking states exist in the semantics S of statements S in Sect. I.1.1 and II.1, but they would correspond e.g. to an aborted execution after a runtime error (like a division by zero).
The taxonomy for direct proofs (the hypothesis implies the conclusion) is illustrated in Fig. 3.
Hoare and subgoal induction logics can be used to prove universal partial correctness ( is good, as in static accessibility analysis [Cousot and Cousot 1977]) and universal partial incorrectness ( is bad, as in necessary preconditions analyses [Cousot et al. 2013, 2011]). Both logics can also be used to prove bounded termination, by introducing a counter incremented in loops and proved to be bounded [Luckham and Suzuki 1977]. However, this is incomplete for unbounded nondeterminism. post S ⊆ ∅ ⇔ ⊆ pre S ∅ ⇔ ⊆ ¬pre S Σ ⇔ pre S Σ ⊆ ¬ is definite nontermination from all initial states (executions from any initial state of do not terminate).
Subgoal induction is exploited in necessary preconditions analyses [Cousot et al. 2013, 2011]. Finding such that post S ⊆ is equivalent to finding such that ⊆ pre S for the given error postcondition , which the necessary precondition analysis does by under approximating pre S defined structurally on the programming language and using fixpoint under approximation to handle iteration and recursion.

I.3.14.2 Total Definite Accessibility of Some Final States From All Initial States
post S ⊆ ⇔ ⊆ pre S , , ∈ ℘(Σ). Total correctness, allowing blocking states, characterizes executions from any initial state in that do terminate normally in a final state satisfying or block. Taking = Σ is universal definite termination. The Turing [Turing 1950] & Floyd [Floyd 1967] proof method uses an invariant and a variant function into a well-founded set. The abstraction post(⊇, ⊆) ⊆ } yields the theory of the Apt and Plotkin [Apt and Plotkin 1986] logic in the assertional case (and that of the Manna & Pnueli logic [Manna and Pnueli 1974] in the relational case). This claim follows from [Apt and Plotkin 1986] for an imperative language and [Cousot 2002] for arbitrary transition systems. The logic can be used to prove definite correctness or incorrectness.

I.3.14.3 Partial Possible Accessibility of All Final States From Some Initial State
⊆ post S ⇔ ⊆ post S , , ∈ ℘(Σ). This means that for any final state ′ in there exists at least one initial state in and an execution from that will terminate in state ′. Blocking states may be included in . Moreover, this does not preclude executions from making nondeterministic choices terminating normally with ¬ or not terminating at all. proofs in [de Vries and Koutavas 2011, section 6] based on a "weakest postcondition calculus" defined in [de Vries and Koutavas 2011, section 5] as "wpo( , c), [is] the weakest postcondition given a precondition and program c". So "wpo" is nothing other than post and "⟨ ⟩ ⟨ ⟩ is a valid triple if and only if ⇒ wpo( ,c)".
By [O'Hearn 2020, Fact 13], this is also incorrectness logic requiring any bug in to be possibly reachable in finitely many steps from thus discarding infinite executions as possible errors.
The difference is in the examples handled, where is "good" for De Vries and Koutavas and "bad" for O'Hearn.

I.3.14.4 Partial Possible Accessibility of Some Final State From All Initial States
⊆ pre S , , ∈ ℘(Σ). This prescribes that all initial states in have at least one execution that does reach . Dijkstra [Dijkstra 1982] showed the equivalence of post S ⊆ (that is, Turing-Floyd-Naur-Hoare partial correctness) and ⊆ pre S (that is, Morris and Wegbreit subgoal induction), claiming "subgoal induction is indeed the next variation on an old theme". By (12) this should have been ⊆ pre S in general, but Dijkstra considers total deterministic programs for which pre = pre. This is also the incorrectness part of the outcome logic [Zilberstein et al. 2023], the induction principle (i −1 ) of [Cousot and Cousot 1982, p. 100], and (SIL) in [Ascari et al. 2023]. , ∈ ℘(Σ), ∈ ℘(Σ ). For = Σ, this is possible termination from all initial states. For = { }, this is possible nontermination from all initial states. Similarly, 11 is ⊆ pre S , named (NC) in [Ascari et al. 2023].

I.3.14.6 Partial Possible Accessibility of Some Final States (or Nontermination) From Some Initial States
post S ∩ ≠ ∅ for , ∈ ℘(Σ) (or post S ∩ ≠ ∅ for ∈ ℘(Σ )). This means that at least one execution from at least one initial state in does terminate in a final state satisfying Q. Taking = Σ is possible termination from some initial states.
Disproving a Hoare triple using the proof system would require showing that no proof exists for this triple, a method no one ever considers. One can use incorrectness logic [O'Hearn 2020] or provide a counter-example (not supported by a logic). The Hoare incorrectness logic can be used to prove that a Hoare specification is violated with a possible counter-example, since . It's nothing but debugging in logic form. This is weaker than the requirements of incorrectness logic, for which the principle of denial [O'Hearn 2020, Fig. 1] . However, the converse is not true since the violation of { }S{ } only requires that one state of definitely reaches one state not satisfying .
Other contrapositive logics or logics for disproving program properties are considered in the appendix A .

I.3.15 The Combination of Logics
Program logics are generally composite, that is, the result of combining elementary logics which are different abstractions of program executions, e.g. [Bruni et al. 2023; Zilberstein et al. 2023].

I.3.15.1 The Conjunction/Disjunction of Logics.
We have wlp(S, ) = pre S ∩ pre S while wp(S, ) = pre S ∩ pre S since blocking states must be prevented as well as nontermination for wp, see Fig. 4 in the appendix. The relevant abstractions of transformers 1 , ] resulting in a single deductive system instead of two independent ones. The definition of the relational semantics in (54) will use such a grouping to set apart breaks.
The relevant Cartesian abstraction × merges two transformers into a single one. We assume that the Cartesian product (44) ∼ (pre). The weakest liberal condition wlp(S, ) is .∩ (( pre S ) ○ , ( pre S ) ○ ) = ∩ (pre S , pre S ). ∎

I.3.15.3 The Reduced Product of Logics.
The components are usually not independent. For example, one uses invariants of Hoare logic to prove termination, or definite termination implies possible termination. Another example is adversarial logic [Vanegue 2022] to describe the possible interaction between a program and an attacker. These are reductions (45) that have been studied in the context of program analysis [Cousot 2021, chapter 29] but also apply to any abstraction, including logics, e.g. [Bruni et al. 2023].
The functor ⍟ , inspired by the reduced product in abstract interpretation [Cousot and Cousot 1979b, section 10.1], is the Cartesian product where the information of one component is propagated, in abstract form, to the other.This is useful for combining program logics dealing with properties that are not independent.
Assume two abstractions of a (collecting) semantics in ⟨S, ⊑⟩ into different transformers ⟨S, The reduced product combines two abstractions of the semantics into transformers 1 and 2 into an abstraction of the semantics into a single transformer with ⍟,⊓ ≜ ○ × where the reduction operator is By [Cousot 2021, Theorem 36.24], we have the Galois connection
Proc. ACM Program. Lang., Vol. 8, No. POPL, Article 7. Publication date: January 2024.

Symbolic Inversion
Let us consider one more useful abstraction of transformers allowing for their inversion using symbolic execution. This reversal abstraction ↔ from [Cousot 1981, Theorem 10-13] allows one to prove backward properties using a forward proof system by using auxiliary variables for the initial values of variables (as in symbolic execution) and conversely (as an inverse symbolic execution starting with symbolic final values of variables). Given , and = post, we have A (and similarly for ∈ {pre, post, Pre}). This information can be inferred automatically by forward static analyses using affine equalities [Karr 1976] or inequalities [Cousot and Halbwachs 1978]. This can be used to get a precondition pre S ensuring that a postcondition holds by defining pre . Inversely, using subgoal induction, a backward execution pre . This information can be used to get a postcondition post S hence holding for states reachable from the precondition as { | ∃ ∈ . ∈ pre S { | x = x ∧ y = y }}. For our example, we get {⟨ , ⟩ | ∃⟨ , ⟩ ∈ . = 3 − ∧ = − 2 } which, e.g., for = {⟨ , ⟩ | = }, yields {⟨ , . This calculation is mechanizable using the operations of the abstract domains for affine equalities [Karr 1976] or inequalities [Cousot and Halbwachs 1978]. ∎

Part II: Design of the Proof Rules of Logics by Abstraction of Their Theory
Given the theory ( S ) of a logic defined by an abstraction of the natural relational semantics S , we now consider the problem of designing the proof/deductive system for that logic. The abstraction can be decomposed into ○ where abstracts the natural relational semantics S ) into an exact transformer (isomorphically its antecedent-consequent graph) which is then over or under approximated by .
We first express the natural relational semantics in structural fixpoint form in Sect. II.1. Then we use the fixpoint abstraction of Sect. II.2 and structural induction to express the exact transformer ( S ) in structural fixpoint form. The approximation abstraction is then handled using the fixpoint induction principles of Sect. II.3 to under or over approximate the transformer by ○ ( S ). [Aczel 1977] has shown that set theoretic fixpoints can be expressed as proof/deductive systems and conversely. We recall his method in Sect. II.5. This yields a method of designing proof systems by calculus in Sect. II.5.3. This is applied to two new example logics. The first example in section II.8.1 is a forward transformational logic to express correct reachability of a postcondition (as in Hoare and Manna partial correctness logics), termination (as in Apt & Plotkin and Manna & Pnueli logics) as well as nontermination, all cases being expressible by a single formula of the logic (depending on initial values). The second example in section II.8.2 is a backward transformational logic to express correct accessibility of a postcondition or nontermination.

II.1 STRUCTURAL FIXPOINT NATURAL RELATIONAL SEMANTICS
We define the relational natural semantics S ∈ ℘(Σ × Σ ) of statements S by structural induction on the program syntax, with iteration defined as extremal fixpoints of increasing (monotone/isotone) functions on complete lattices [Tarski 1955].
The definition is in Milner/Tofte style [Milner and Tofte 1991], except that finite behaviors in ℘(Σ × Σ) are in inductive style with least fixpoints (lfp) and infinite behaviors in ℘(Σ × { }) are in co-inductive style with greatest fixpoints (gfp), as in [Cousot and Cousot 1992, 2009]. Milner/Tofte define both finite and infinite behaviors in co-inductive style [Leroy 2006; Milner and Tofte 1991], which looks more uniform. However, some fixpoint approximation techniques are more precise for least fixpoints than for greatest fixpoints [Cousot 2021, Chapter 18], which will be essential to prove completeness of proof methods. Given the assignment [x ← ] of value ∈ V to variable x ∈ X in state ∈ Σ ≜ X → V and the identity relation id ≜ {⟨ , ⟩ | ∈ Σ }, the basic statements have the following semantics. They all terminate and do not exit loops, but for break, which exits the closest outer loop (whose existence must be checked syntactically) without changing the values of variables.
∈ B B } be the relational semantics of Boolean expressions. We define ( is the composition of relations, see Sect. A.1 in the appendix) For iteration, we define The transformers are defined on complete lattices, on ⟨℘(Σ × Σ), ⊆, ∅, Σ × Σ, ∪, ∩⟩ and on ⟨℘(Σ × { }), ⊆, ∅, ⃗ ∞, ∪, ∩⟩ with ⃗ ∞ ≜ Σ × { }, and are ⊆-increasing, so their extremal fixpoints do exist [Tarski 1955]. Moreover, the natural transformer in (49) preserves arbitrary joins, so is continuous. By the Scott-Kleene fixpoint theorem [Scott and Strachey 1971], its least fixpoint is the reflexive transitive closure lfp ⊆ = ⋃ ⩾0 ( B S ) = ( B S ) * . So lfp ⊆ is a relation between initial states before entering the loop and successive states at loop reentry after any number ⩾ 0 of iterations. If, after iterations, the test B ever becomes false then B = ∅ and so all later terms in the infinite disjunction are empty.
Then composing lfp ⊆ = ( B S ) * with ¬B ∪ B S in (51) yields the relation between initial and final states in case of termination or in case of a break when executing the loop body S.
(52) states that a break exits the immediately enclosing loop, not any of the outer ones.
Composing lfp ⊆ = ( B S ) * with B S in (53) yields the possible cases of nontermination when the loop body S does not terminate after finitely many finite iterations in the loop.
Finally, the term gfp ⊆ in (53) represents infinitely many iterations of terminating body executions. Again, if B becomes false after finitely many iterations then B = ∅ so that this infinite iteration term is ∅ (since ∅ is absorbent for ). As shown by [Cousot 2002, Example 22], may not be co-continuous when considering unbounded nondeterminism, so that transfinite decreasing fixpoint iterations from the supremum might be necessary [Cousot and Cousot 1979a]. The following lemma makes clear that gfp ⊆ characterizes (non)termination.
Since ∉ Σ, ( S ∪ S ) ∩ Σ = S and ( S ∪ S ) ∩ { } = S , the semantics can be defined as where ⟨℘(Σ × Σ ), ⊑, Σ × { }, Σ × Σ, ⊔, ⊓⟩ is a complete lattice for the computational ordering. It follows that termination on normal exit or nontermination can be defined by a single transformer [Cousot 2002, Theorem 9] (but termination S and break S cannot be mixed without losing information).
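The loop semantics just described, as an added, executable illustration that is not part of the paper: a constructed finite state space (a single variable x ∈ 0..MAX, the nontermination marker ⊥ written as the string "bot") on which the reentry relation (B;S)*, the termination relation and the gfp term for infinitely many terminating body executions are computed by fixpoint iteration, for a nondeterministic body that may stall and for a deterministic one that cannot.

```python
"""Relational natural semantics of `while B S`, finite and infinite parts.

Constructed illustration (not the paper's code). Assumptions: states are
the integers 0..MAX, the loop has no break, and the paper's ⊥ is "bot".
Finite behaviours are a least fixpoint in ℘(Σ×Σ); infinite behaviours a
greatest fixpoint in ℘(Σ×{⊥}), iterated downwards from Σ×{⊥}.
"""
MAX = 4
STATES = frozenset(range(MAX + 1))
BOT = "bot"
ID = frozenset((s, s) for s in STATES)


def compose(r1, r2):
    """Relational composition r1 ; r2 (r1 first, then r2)."""
    return frozenset((a, c) for (a, b) in r1 for (b2, c) in r2 if b == b2)


def lfp(f, bottom):
    """Least fixpoint of a ⊆-increasing f by iteration from bottom
    (the lattice is finite here, so the iterates stabilise)."""
    x = bottom
    while f(x) != x:
        x = f(x)
    return x


def gfp(f, top):
    """Greatest fixpoint by decreasing iteration from top."""
    x = top
    while f(x) != x:
        x = f(x)
    return x


def while_semantics(test, body_fin, body_inf):
    """Semantics of `while test body` as (finite part ⊆ Σ×Σ, infinite part ⊆ Σ×{⊥}).

    test     : Boolean expression as the relation {(s, s) | test holds in s}
    body_fin : terminating executions of the body, ⊆ Σ×Σ
    body_inf : nonterminating executions of the body, ⊆ Σ×{⊥}
    """
    not_test = ID - test
    # states at loop reentry: lfp X. id ∪ (X ; test ; body) = (test ; body)*
    reentry = lfp(lambda x: ID | compose(compose(x, test), body_fin), frozenset())
    # termination: finitely many iterations, then the test fails
    finite = compose(reentry, not_test)
    # nontermination: a finite prefix then a diverging body execution,
    # or infinitely many terminating body executions (the gfp term)
    top_inf = frozenset((s, BOT) for s in STATES)
    forever = gfp(lambda x: compose(compose(test, body_fin), x), top_inf)
    infinite = compose(compose(reentry, test), body_inf) | forever
    return finite, infinite


def post(rel, p):
    """Right image transformer: states (⊥ included) reachable from p."""
    return frozenset(b for (a, b) in rel if a in p)


# Constructed loop: while (x != 0) { x := x - 1  or  x := x }.
TEST = frozenset((s, s) for s in STATES if s != 0)
DEC = frozenset((s, s - 1) for s in STATES if s > 0)
NONDET_BODY = DEC | ID        # may decrement or stall; never diverges itself
DET_BODY = DEC                # always decrements
NO_DIVERGENCE = frozenset()   # the body has no nonterminating executions

if __name__ == "__main__":
    fin, inf = while_semantics(TEST, NONDET_BODY, NO_DIVERGENCE)
    print(sorted(fin))              # every state can terminate at x = 0
    print(sorted(inf))              # every state with x != 0 can loop forever
    print(post(fin | inf, {2}))     # both outcomes from x = 2
```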
This relational natural semantics can be extended to record a relation between the initial and current values of variables. This consists in considering the Galois connections ⟨ ↓ 2 , ↓ 2 ⟩ for assertions and ⟨ .↓ 2 , .↓ 2 ⟩ for relations in (24). This can be implemented using auxiliary variables without modification of the semantics A.
Nondeterminism can be unbounded, as discussed in the appendix A .

II.2 FIXPOINT ABSTRACTION
We recall classic fixpoint abstraction theorems [Cousot 2002], [Cousot 2021, Ch. 18] to abstract the fixpoint definition of the program relational semantics into a fixpoint definition of transformers (or their graph).Abstraction can also be applied to deductive systems A .

II.3 FIXPOINT INDUCTION
Least or greatest fixpoint definitions of the graph of transformers provide strongest or antecedent-consequent (or weakest consequent-antecedent) pairs. Then we need to take into account consequence rules, that is, the approximations discussed in Sect. I.3.4. In this section, and in addition to [Cousot 2019b] and [Cousot 2021, Ch. 24], we introduce fixpoint induction methods to handle such approximations post(⊇, ⊆), post(⊆, ⊇), etc. In this section II.3, is the infimum of a poset and possibly unrelated to nontermination.
∎ By order-duality, this is a sound and complete greatest fixpoint under approximation ⊑ gfp ⊑ proof method. is called an invariant (a co-invariant for greatest fixpoints).

II.3.2 Ordinals
We let ⟨O, ∈, ∅, O, ∪, ∩⟩ be von Neumann's ordinals [von Neumann 1923], writing the more intuitive < for ∈, 0 for ∅, + 1 for the successor function, sometimes max for ∪, min for ∩, and for the first infinite limit ordinal. If necessary, a short refresher on ordinals is given in Sect. H of the appendix A.

II.3.3 Over Approximation of the Abstraction of a Least Fixpoint
To solve the problem (lfp ⊑ ) ⊑ where is a function on the domain of , we can try to use the fixpoint abstraction Th. II.2.1 to get (lfp ⊑ ) = lfp ⊑ ¯ and then check lfp ⊑ ¯ ⊑ by fixpoint induction Th. II.3.1. But Th. II.2.1 requires to preserve joins, which is not always the case (for the dual problem, = pre in remark I.3.12 is a counter-example). If does not preserve joins, we can nevertheless use the following theorem A.

II.3.4 Fixpoint Under Approximation by Transfinite Iterates
For under approximation of least fixpoints (or order dually under approximation of greatest fixpoints), we can use the generalization [Cousot 2019b] of Scott-Kleene induction based on transfinite induction when continuity does not apply and follows directly from the constructive version of Tarski's fixpoint theorem [Cousot and Cousot 1979a].
The condition can equivalently be expressed as ∀ ∈ O . ⊑ (⊔ < + 1), which avoids having to make the distinction between successor and limit ordinals A.

Notice that ordinals are an abstraction of well-founded sets by their rank , so that Th. II.3.6 could have assumed the existence of a well-founded set to replace the ordinals. The hypothesis that ⟨ , ∈ O⟩ is increasing is necessary in a cpo but not in a complete lattice, in which case this non-increasing sequence can be used to build an increasing one A.
Lemma II.3.7. Let ⟨ , ∈ O⟩ be a sequence in a complete lattice satisfying the hypotheses of Def. II.3.5; then there is an increasing one satisfying these same hypotheses.

II.3.5 Fixpoint Under Approximation by Bounded Iterates
For iterations, under approximations such as ⊆ post S (incorrectness logic), ⊆ pre S Σ (possible termination), ⊆ ¬pre S { } = pre S Σ (definite termination), and ⊆ pre S ∩ pre S (weakest precondition: starting from any initial state of , S "is certain to establish eventually the truth of" [Dijkstra 1976, page 17]) are fixpoint under approximations. Programmers almost never use Th. II.3.6 for proving termination using ordinals (or a well-founded set). They cannot use Hoare logic either, since nontermination { }S{false} is provable by the logic but its negation ¬({ }S{false}) is not in the logic. A first method for bounded iteration uses a loop counter incremented on each iteration and an invariant proving that the counter is bounded ("time clocks" in [Knuth 1997], [Luckham and Suzuki 1977; Sokolowski 1977]). This is sound but incomplete for unbounded nondeterminism. The most popular method uses well-founded sets, which can be generalized to fixpoints A.
Theorem II.3.8 (Least Fixpoint Under Approximation with a Variant Function). We assume that (1) is increasing on a cpo ⟨ , ⊑, , ⊔⟩; (2) that ∈ ; (3) that there exists a sequence ⟨ , ∈ O⟩ of elements of such that 0 = , +1 ⊑ ( ) for successor ordinals, and ⊑ ⊔ < for limit ordinals ; and (4) that there exists a well-founded set ⟨ , ⪯⟩ and a variant function ∈ { | ∈ O} → such that for all < , we have / ⊑ implies ( ) ≻ ( ). Hypotheses (1) to (4) imply that ∃ < . ⊑ ⊑ ⊑ lfp ⊑ .
Because < in Th. II.3.8, the proof method is sound but incomplete, as shown by the following counter example where the property holds but the proof method of Th. II.3.8 is inapplicable.
⊆ implies for all < that ( ) ≻ ( ). This infinite strictly decreasing chain is in contradiction with the well-foundedness hypothesis. ∎

II.3.6 Void Intersection With Fixpoint Using Variant Functions
Turing and Floyd's [Floyd 1967; Turing 1950] method for unbounded nondeterminism uses reductio ad absurdum, proving that nontermination is impossible. This idea can also be generalized to fixpoints.
Notice that Th. II.3.12, as well as its proof in Sect. H of the appendix, is not the order dual of Th. II.3.10 since (6) have the same conclusion ⊓ = and the dual of the conclusion lfp ⊑ ⊓ = would be gfp ⊑ ⊔ = ⊺.

II.3.7 Fixpoint Non Emptiness
Another result to handle greatest fixpoints, e.g. to prove definite nontermination, is the following theorem A .
A fixpoint induction principle H.3 for (lfp ⊑ ) ⊓ ≠ in (39.d) is given in the appendix A.

II.4 DEDUCTIVE SYSTEMS OF PROGRAM LOGICS
Logics define the valid properties of a program as all facts provable by the formal proof system of the logic. These formal systems, introduced by Hilbert [Hilbert and Ackermann 1938, § 5], are "a system of axioms from which the remaining true sentences may be obtained by means of certain rules". Such a formal system is a finitely presented set of axioms and rules where the axioms and conclusions of the rules are terms with variables and the premises are formulas of a logic.
The semantics/interpretation of the logic maps logical terms to elements of a mathematical structure with universe U. Logical formulas are interpreted as the subsets of U of elements satisfying the formulas. Therefore logical implication is subset inclusion ⊆ in the complete Boolean lattice ⟨℘(U), ⊆, ∅, U, ∪, ∩, ¬⟩ where ∅ is false, U true, ∪ disjunction, ∩ conjunction, and ¬ negation. The semantics/interpretation of the formal rules is a deductive system = { | ∈ Δ} where ∈ ℘(U) is the finite premise and ∈ U the conclusion of the rule. The axioms have = ∅ (false) as premises. We have ∈ ℘(℘(U) × U) where pairs ⟨ , ⟩ are conventionally written . +2 | ∈ N}. For example, if 2 ∈ N is odd then 4 is odd. To prove that 2 is odd, the only way is to prove that 0 is odd, which is neither an axiom nor the conclusion of a rule, proving 2 not to be odd. ∎

II.5 THE SEMANTICS OF DEDUCTIVE SYSTEMS
Aczel [Aczel 1977] has shown that there are two equivalent ways of defining the subset I ( ) of the universe U defined by a deductive system = { | ∈ Δ}.

II.5.1 Proof-Theoretic Semantics of Deductive Systems
In the proof-theoretic approach, I ( ) is the set of provable elements, where a formal proof is a finite sequence 1 . . . of terms (i.e. elements of the universe U) such that any term is the conclusion of a rule whose premise is implied by (i.e. included in, ⊆) the set of previous terms in the sequence (which have already been proved, starting with axioms). Therefore → ℘(U) preserves nonempty joins and so is increasing. The fixpoint abstraction and fixpoint induction allow us to take the consequence rule into account in the design of proof rules for fixpoint semantics. So partial correctness need not be a consequence of total correctness and nontermination. ∎
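Aczel's two equivalent semantics of a deductive system (Sect. II.5), computed on the odd-numbers system of the Sect. II.4 example, as an added illustration that is not the paper's code: the fixpoint side builds I(R) as the least set closed under the rules, the proof-theoretic side searches a finite proof sequence, and the two agree on every element. Assumptions (constructed): the universe is truncated to the naturals 0..LIMIT so that the iteration is finite, the rules are the axiom "1 is odd" and "n odd implies n+2 odd", and rule premises are finite sets.

```python
"""Aczel's fixpoint and proof-theoretic semantics of a deductive system.

Constructed illustration (not the paper's code). A rule is a pair
(premise, conclusion) with premise a finite subset of the universe U;
an axiom has premise ∅ (false). U is bounded to 0..LIMIT (assumption).
"""
LIMIT = 20
UNIVERSE = frozenset(range(LIMIT + 1))


def odd_rules():
    """The paper's example: axiom 1 odd, and n odd ⊢ n+2 odd for n ∈ U."""
    rules = {(frozenset(), 1)}
    rules |= {(frozenset({n}), n + 2) for n in UNIVERSE if n + 2 <= LIMIT}
    return frozenset(rules)


def consequence_operator(rules):
    """F_R(X) = {c | (P, c) ∈ R, P ⊆ X}: conclusions of rules whose
    premises are all in X. It preserves nonempty joins, so is increasing."""
    return lambda x: frozenset(c for (p, c) in rules if p <= x)


def lfp(f, bottom):
    """Least fixpoint by iteration from bottom (finite universe here)."""
    x = bottom
    while f(x) != x:
        x = f(x)
    return x


def fixpoint_semantics(rules):
    """Model-theoretic side: I(R) = lfp F_R, the least set closed under R."""
    return lfp(consequence_operator(rules), frozenset())


def find_proof(rules, goal):
    """Proof-theoretic side: a finite sequence t1 ... tn = goal in which
    every ti is the conclusion of a rule whose premise lies among t1..t(i-1).
    Returns the sequence, or None when goal has no proof."""
    used = {}            # term -> premise of the rule that first derived it
    changed = True
    while changed and goal not in used:
        changed = False
        for premise, concl in sorted(rules, key=lambda r: r[1]):
            if concl not in used and premise <= frozenset(used):
                used[concl] = premise
                changed = True
    if goal not in used:
        return None
    proof = []

    def emit(term):      # premises are listed before their conclusions
        if term in proof:
            return
        for t in sorted(used[term]):
            emit(t)
        proof.append(term)

    emit(goal)
    return proof


def semantics_agree(rules):
    """Aczel's equivalence: provable iff in the least fixpoint, on all of U."""
    closed = fixpoint_semantics(rules)
    return all((find_proof(rules, t) is not None) == (t in closed) for t in UNIVERSE)


if __name__ == "__main__":
    rules = odd_rules()
    print(sorted(fixpoint_semantics(rules)))   # the odd numbers up to LIMIT
    print(find_proof(rules, 5))                # a proof of 5: [1, 3, 5]
    print(find_proof(rules, 2))                # None: 2 is not provable
```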

II.7 ON THE COMPARISON OF LOGICS
To compare logics, we first relate their theories, that is, we compare their expressivity through their respective abstractions of the collecting semantics (as formalized by fixpoint abstraction in Sect. II.2). Different abstractions yield different logics, compared through their relation by Galois connections. The logics are equivalent when their theories are linked by a Galois isomorphism. An example is given in Sect. I.3.14.4 where Hoare logic and subgoal induction have the same theory but different proof methods (as shown in figure 3).
The proof system of a logic is entirely determined by its theory (as proved in Sect. II.4), but up to an equivalence, since different induction principles may be used, as formalized in Sect. II.3, to exploit approximation so as to simplify induction. This is exemplified by Rem. II.6.2. Which induction principle is used is the second characteristic to compare logics. The language includes a break out of the closest enclosing loop, so the specifications have the form { } S { ∶ , ∶ } meaning that any execution of S started in a state of will terminate in a state of / , or not terminate if ∈ , or break out of S to the closest enclosing loop in a state satisfying . So = { } and = ∅ would mean definite nontermination (when ≠ ∅).
To design the logic, we first formally define the meaning of specifications as an abstraction of post. Then we proceed by structural induction on the syntax of the language. Using fixpoint over approximation Th. II.3.1, the iteration rule is (Σ is Σ extended to an auxiliary variable in X for each variable in X) which is the consequence rule called Symmetry in [O'Hearn 2020, Fig. 1] and Consequence in [O'Hearn 2020, Fig. 2].

Fig. 1. Forward semantics and logics

Complement Dual Abstractions. Pratt's "Duality Principle for Programs" [Pratt 1976, section 1.2] is similar to the complement duality in classical logic, i.e. something not false is true. This can be stated for functions by defining the complement dual abstraction ∼ of functions and its pointwise extension .∼ below, which yields the Galois connections as follows A

Fig. 2. Hierarchical taxonomy of transformational logics [D'Silva and Urban 2015; Urban 2013, 2015; Urban et al. 2016; Urban and Miné 2014a,b, 2015].

Fig. 3. Hierarchical taxonomy of transformational assertional logics

D.5 Partial Possible Accessibility of All Non-Final States From Some Non-Initial State
post S post S post S post S post S The signification is that for any state not in there exists at least one initial state not in and an execution from that will terminate in state . Letting and , this is partial possible accessibility of all final states from some initial state post S from Sect. I.3.14.3. This shows that the under approximation post S is equivalent to an over approximation post S of the complement, that is, a proof by contradiction.

D.6 Total Definite Accessibility of Some Final State From Some Initial State
pre S pre S , This states that there is at least one initial state in from which all executions do terminate in .
The set of valid Hoare triples { }S{ } is the set of pairs ⟨ , ⟩ in H ( S ) such that any execution started in a state of that terminates, if ever, does terminate in a state ′ of . ∎
Example I.3.10. Similarly, the assertional abstraction ↓ 2 of Manna and Pnueli logic (17) yields Apt and Plotkin's generalization of Hoare logic to total correctness [Apt and Plotkin 1986, equation ( ].

I.3.14.5 Possible Accessibility of Some Final State or Nontermination From All Initial States
⊆ pre S
The Product of Logics. One can imagine a Cartesian product { , , }S{ , } meaning that every execution of S starting with an initial state of will definitely terminate in a final state in , every execution of S starting with an initial state of will either terminate in a final state in R or not terminate, and every execution of S starting with an initial state of will never terminate. and could further be decomposed into a product of good and bad states. Similarly, [O'Hearn 2020, section 4] uses the notation [ ] [ ∶ ][ ∶ ] as a shorthand for [ ] [ ∶ ] and [ ] [ ∶