Predicate transformer semantics
Predicate transformer semantics were introduced by Edsger Dijkstra in his seminal paper "Guarded commands, nondeterminacy and formal derivation of programs". They define the semantics of an imperative programming paradigm by assigning to each statement in this language a corresponding predicate transformer: a total function between two predicates on the state space of the statement. In this sense, predicate transformer semantics are a kind of denotational semantics. Actually, in guarded commands, Dijkstra uses only one kind of predicate transformer: the wellknown weakest preconditions (see below).
Semantics  

Computing  


Moreover, predicate transformer semantics are a reformulation of Floyd–Hoare logic. Whereas Hoare logic is presented as a deductive system, predicate transformer semantics (either by weakestpreconditions or by strongestpostconditions see below) are complete strategies to build valid deductions of Hoare logic. In other words, they provide an effective algorithm to reduce the problem of verifying a Hoare triple to the problem of proving a firstorder formula. Technically, predicate transformer semantics perform a kind of symbolic execution of statements into predicates: execution runs backward in the case of weakestpreconditions, or runs forward in the case of strongestpostconditions.
Weakest preconditions
Definition
Given a statement S, the weakestprecondition of S is a function mapping any postcondition R to a precondition P. Actually, the result of this function, denoted , is the "weakest" precondition on the initial state ensuring that execution of S terminates in a final state satisfying R.
More formally, let us use variable x to denote abusively the tuple of variables involved in statement S. Then, a given Hoare triple is provable in Hoare logic for total correctness if and only if the firstorder predicate below holds:
 Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "/mathoid/local/v1/":): {\displaystyle \forall x, P \Rightarrow wp(S,R)}
Formally, weakestpreconditions are defined recursively over the abstract syntax of statements. Actually, weakestprecondition semantics is a continuationpassing style semantics of state transformers where the predicate in parameter is a continuation.
Skip
Abort
Assignment
We give below two equivalent weakestpreconditions for the assignment statement. In these formulas, is a copy of R where free occurrences of x are replaced by E. Hence, here, expression E is implicitly coerced into a valid term of the underlying logic: it is thus a pure expression, totally defined, terminating and without side effect.
 version 1:
where y is a fresh variable (representing the final value of variable x) 
 version 2:
The first version avoids a potential duplication of E in R, whereas the second version is simpler when there is at most a single occurrence of x in R. The first version also reveals a deep duality between weakestprecondition and strongestpostcondition (see below).
An example of a valid calculation of wp (using version 2) for assignments with integer valued variable x is:
This means that in order for the postcondition x > 10 to be true after the assignment, the precondition x > 15 must be true before the assignment. This is also the "weakest precondition", in that it is the "weakest" restriction on the value of x which makes x > 10 true after the assignment.
Sequence
For example,
Conditional
As example:
While loop
Partial Correctness
Ignoring termination for a moment, we can define the rule for the weakest liberal precondition, denoted wlp, using a predicate I, called the loop invariant, typically supplied by the programmer:
This simply states that (1) the invariant must hold at the start of the loop; (2) additionally, for any initial state y, the invariant and guard taken together be strong enough to establish the weakest precondition necessary for the loop body to be able to reestablish the invariant; (3) finally, if and when the loop terminates in a given state y, the fact that the loop guard is false along with the invariant should be able to establish the required postcondition.
Total Correctness
To show total correctness, we also have to show that the loop terminates. For this we define a wellfounded relation on the state space denoted "<" and called loop variant. Hence, we have:
Failed to parse (MathML with SVG or PNG fallback (recommended for modern browsers and accessibility tools): Invalid response ("Math extension cannot connect to Restbase.") from server "/mathoid/local/v1/":): {\displaystyle wp(\textbf{while}\ E\ \textbf{do}\ S\ \textbf{done}, R)\ =\ \begin{array}[t]{l} I\\ \wedge\ \forall y, ((E \wedge I) \Rightarrow wp(S,I \wedge x < y))[x \leftarrow y]\\ \wedge\ \forall y, ((\neg E \wedge I) \Rightarrow R)[x \leftarrow y] \end{array}}
where y is a fresh tuple of variables 
Informally, in the above conjunction of three formulas:
 the first one means that invariant I must initially hold;
 the second one means that the body of the loop (e.g. statement S) must preserve the invariant and decrease the variant: here, variable y represents the initial state of the body execution;
 the last one means that R must be established at the end of the loop: here, variable y represents the final state of the loop.
In predicate transformers semantics, invariant and variant are built by mimicking the Kleene fixedpoint theorem. Below, this construction is sketched in set theory. We assume that U is a set denoting the state space. First, we define a family of subsets of U denoted by induction over natural number k. Informally represents the set of initial states that makes R satisfied after less than k iterations of the loop:
Then, we define:
 invariant I as the predicate .
 variant as the proposition
With these definitions, reduces to formula .
However, in practice, such an abstract construction cannot be handled efficiently by theorem provers. Hence, loop invariants and variants are provided by human users, or are inferred by some abstract interpretation procedure.
Nondeterministic guarded commands
Actually, Dijkstra's Guarded Command Language (GCL) is an extension of the simple imperative language given until here with nondeterministic statements. Indeed, GCL aims to be a formal notation to define algorithms. Nondeterministic statements represent choices left to the actual implementation (in an effective programming language): properties proved on nondeterministic statements are ensured for all possible choices of implementation. In other words, weakestpreconditions of nondeterministic statements ensure
 that there exists a terminating execution (e.g. there exists an implementation),
 and, that the final state of all terminating execution satisfies the postcondition.
Notice that the definitions of weakestprecondition given above (in particular for whileloop) preserve this property.
Selection
Selection is a generalization of if statement:
Here, when two guards and are simultaneously true, then execution of this statement can run any of the associated statement or .
Repetition
Repetition is a generalization of while statement in a similar way.
Specification statement (or weakestprecondition of procedure call)
Refinement calculus extends nondeterministic statements with the notion of specification statement. Informally, this statement represents a procedure call in black box, where the body of the procedure is not known. Typically, using a syntax close to BMethod, a specification statement is written
 @
where
 x is the global variable modified by the statement,
 P is a predicate representing the precondition,
 y is a fresh logical variable, bound in Q, that represents the new value of x nondeterministically chosen by the statement,
 Q is a predicate representing a postcondition, or more exactly a guard: in Q, variable x represents the initial state and y denotes the final state.
The weakestprecondition of specification statement is given by:
@
where z is a fresh name 
Moreover, a statement S implements such a specification statement if and only if the following predicate is a tautology:
where is a fresh name (denoting the initial state) 
Indeed, in such a case, the following property is ensured for all postcondition R (this is a direct consequence of wp monotonicity, see below):
 @
Informally, this last property ensures that any proof about some statement involving a specification remains valid when replacing this specification by any of its implementations.
Other predicate transformers
Weakest liberal precondition
An important variant of the weakest precondition is the weakest liberal precondition , which yields the weakest condition under which S either does not terminate or establishes R. It therefore differs from wp in not guaranteeing termination. Hence it corresponds to Hoare logic in partial correctness: for the statement language given above, wlp differs with wp only on whileloop, in not requiring a variant (see above).
Strongest postcondition
Given S a statement and R a precondition (a predicate on the initial state), then is their strongestpostcondition: it implies any postcondition satisfied by the final state of any execution of S, for any initial state satisfying R. In other words, a Hoare triple is provable in Hoare logic if and only if the predicate below hold:
Usually, strongestpostconditions are used in partial correctness. Hence, we have the following relation between weakestliberalpreconditions and strongestpostconditions:
For example, on assignment we have:
where y is fresh 
Above, the logical variable y represents the initial value of variable x. Hence,
On sequence, it appears that sp runs forward (whereas wp runs backward):
Win and sin predicate transformers
Leslie Lamport has suggested win and sin as predicate transformers for concurrent programming.[1]
Predicate transformers properties
This section presents some characteristic properties of predicate transformers.[2] Below, T denotes a predicate transformer (a function between two predicates on the state space) and P a predicate. For instance, T(P) may denote wp(S,P) or sp(S,P). We keep x as the variable of the state space.
Monotonic
Predicate transformers of interest (wp, wlp, and sp) are monotonic. A predicate transformer T is monotonic if and only if:
This property is related to the consequence rule of Hoare logic.
Strict
A predicate transformer T is strict iff:
For instance, wp is strict, whereas wlp is generally not. In particular, if statement S may not terminate then is satisfiable. We have
Indeed, true is a valid invariant of that loop.
Terminating
A predicate transformer T is terminating iff:
Actually, this terminology makes sense only for strict predicate transformers: indeed, is the weakestprecondition ensuring termination of S.
It seems that naming this property nonaborting would be more appropriate: in total correctness, nontermination is abortion, whereas in partial correctness, it is not.
Conjunctive
A predicate transformer T is conjunctive iff:
This is the case for , even if statement S is nondeterministic as a selection statement or a specification statement.
Disjunctive
A predicate transformer T is disjunctive iff:
This is generally not the case of when S is nondeterministic. Indeed, consider a nondeterministic statement S choosing an arbitrary boolean. This statement is given here as the following selection statement:
Then, reduces to the formula .
Hence, reduces to the tautology
Whereas, the formula reduces to the wrong proposition .
The same counterexample can be reproduced using a specification statement (see above) instead:
 @
Applications
 Computations of weakestpreconditions are largely used to statically check assertions in programs using a theoremprover (like SMTsolvers or proof assistants): see FramaC or ESC/Java2.
 Unlike many other semantic formalisms, predicate transformer semantics was not designed as an investigation into foundations of computation. Rather, it was intended to provide programmers with a methodology to develop their programs as "correct by construction" in a "calculation style". This "topdown" style was advocated by Dijkstra[3] and N. Wirth.[4] It has been formalized further by R.J. Back and others in the refinement calculus. Some tools like BMethod now provide automated reasoning in order to promote this methodology.
 In the metatheory of Hoare logic, weakestpreconditions appear as a key notion in the proof of relative completeness.[5]
Beyond predicate transformers
Weakestpreconditions and strongestpostconditions of imperative expressions
In predicate transformers semantics, expressions are restricted to terms of the logic (see above). However, this restriction seems too strong for most existing programming languages, where expressions may have side effects (call to a function having a side effect), may not terminate or abort (like division by zero). There are many proposals to extend weakestpreconditions or strongestpostconditions for imperative expression languages and in particular for monads.
Among them, Hoare Type Theory combines Hoare logic for a Haskelllike language, separation logic and type theory.[6] This system is currently implemented as a Coq library called Ynot.[7] In this language, evaluation of expressions corresponds to computations of strongestpostconditions.
Probabilistic Predicate Transformers
Probabilistic Predicate Transformers are an extension of predicate transformers for probabilistic programs. Indeed, such programs have many applications in cryptography (hiding of information using some randomized noise), distributed systems (symmetry breaking). [8]
See also
 Axiomatic semantics — includes predicate transformer semantics
 Dynamic logic — where predicate transformers appear as modalities
 Formal semantics of programming languages — an overview
Notes
 Lamport, Leslie (July 1990). "win and sin: Predicate Transformers for Concurrency". ACM Trans. Program. Lang. Syst. 12 (3): 396–428. CiteSeerX 10.1.1.33.90. doi:10.1145/78969.78970.
 Back, RalphJohan; Wright, Joakim (2012) [1978]. Refinement Calculus: A Systematic Introduction. Texts in Computer Science. Springer. ISBN 9781461216742.
 Dijkstra, Edsger W. (1968). "A Constructive Approach to the Problem of Program Correctness". BIT Numerical Mathematics. 8 (3): 174–186. doi:10.1007/bf01933419.
 Wirth, N. (April 1971). "Program development by stepwise refinement" (PDF). Comm. ACM. 14 (4): 221–7. doi:10.1145/362575.362577.
 Tutorial on Hoare Logic: a Coq library, giving a simple but formal proof that Hoare logic is sound and complete with respect to an operational semantics.
 Nanevski, Aleksandar; Morrisett, Greg; Birkedal, Lars (September 2008). "Hoare Type Theory, Polymorphism and Separation" (PDF). Journal of Functional Programming. 18 (5–6): 865–911. doi:10.1017/S0956796808006953.
 Ynot a Coq library implementing Hoare Type Theory.
 Morgan, Carroll; McIver, Annabelle; Seidel, Karen (May 1996). "Probabilistic Predicate Transformers" (PDF). ACM Trans. Program. Lang. Syst. 18 (3): 325–353. CiteSeerX 10.1.1.41.9219. doi:10.1145/229542.229547.
References
 de Bakker, J. W. (1980). Mathematical theory of program correctness. PrenticeHall. ISBN 9780135621325.
 Bonsangue, Marcello M.; Kok, Joost N. (November 1994). "The weakest precondition calculus: Recursion and duality". Formal Aspects of Computing. 6 (6): 788–800. CiteSeerX 10.1.1.27.8491. doi:10.1007/BF01213603.
 Dijkstra, Edsger W. (August 1975). "Guarded Commands, Nondeterminacy and Formal Derivation of Programs". Comm. ACM. 18 (8): 453–7. doi:10.1145/360933.360975.
 Dijkstra, Edsger W. (1976). A Discipline of Programming. Prentice Hall. ISBN 9780613924115. — A systematic introduction to a version of the guarded command language with many worked examples
 Dijkstra, Edsger W.; Scholten, Carel S. (1990). Predicate Calculus and Program Semantics. Texts and Monographs in Computer Science. SpringerVerlag. ISBN 9780387969572. — A more abstract, formal and definitive treatment
 Gries, David (1981). The Science of Programming. SpringerVerlag. ISBN 9780387964805.