On Hoare Logic and Kleene Algebra with Tests

Dexter Kozen

Cornell University

Weshow that Kleene algebra with tests KAT subsumes prop ositional Hoare logic PHL Thus

the sp ecialized syntax and deductive apparatus of Hoare logic are inessential and can b e replaced

by simple equational reasoning In addition weshow that all relationally valid inference rules are

derivable in KAT and that deciding the relational validity of suchrulesisPSPACE complete

Categories and Sub ject Descriptors D Software Engineering To ols and Techniques

structured programming D Software Engineering Program Vericationcorrectness

proofs D Software Engineering Language Constructs and Featurescontrol structures

F Logics and Meanings of Programs Sp ecifying and Verifying and Reasoning ab out

chanical verication pre and postcon Programsassertions invariants logics of programs me

ditions specication techniques F Logics and Meanings of Programs Semantics of

Programming Languagesalgebraic approaches to semantics F Logics and Meanings of

Programs Studies of Program Constructscontrol primitives I Algebraic Manipula

tion Expressions and Their Representationssimplication of expressions I Algebraic

Manipulation Languages and Systemsspecialpurpose algebraic systems I Algebraic

Manipulation Automatic Programmingprogram modication program synthesis program

transformation program verication

General Terms Design Languages TheoryVerication

Additional Key W ords and Phrases Dynamic logic Hoare logic Kleene algebra Kleene algebra

with tests sp ecication

INTRODUCTION

Hoarelogicintro duced by C A R Hoare in Hoare was the rst for

mal system for the sp ecication and verication of wellstructured programs This

pioneering work initiated the eld of program correctness and inspired dozens of

technical articles Co ok Clarke et al Cousot For this achievement

among others Hoare received the Turing Award in

Hoare logic uses a sp ecialized syntax involving partial correctness assertions

The supp ort of the National Science Foundation under grant CCR is gratefully

acknowledged This pap er is a revised and expanded version of Kozen Address

Department of Computer Science Cornell University Ithaca NY USA Email

kozencscornelledu

Permission to make digital or hard copies of part or all of this work for p ersonal or classro om use is

granted without fee provided that copies are not made or distributed for prot or direct commercial

advantage and that copies show this notice on the rst page or initial screen of a display along

with the full citation Copyrights for comp onents of this work owned by others than ACM must

b e honored Abstracting with credit is p ermitted Tocopy otherwise to republish to p ost on

servers to redistribute to lists or to use any comp onentofthiswork in other works requires prior

sp ecic p ermission andor a fee Permissions may b e requested from Publications Dept ACM

Inc Broadway New York NY USA fax or permissionsacmorg

D Kozen

PCAs of the form fbg p fcg and a deductive apparatus consisting of a system

of sp ecialized rules of inference Under certain conditions these rules are relatively

complete Co ok essentially the prop ositional fragment of the logic can be

used to reduce partial correctness assertions to static assertions ab out the under

lying domain of computation

In this pap er we show that this prop ositional fragment which we call propo

sitional Hoare logic PHL is subsumed by Kleene algebra with tests KAT an

equational algebraic system intro duced in Kozen The reduction transforms

PCAs to ordinary equations and the sp ecialized rules of inference to equational

implications universal Horn formulas The transformed rules are all derivable in

KAT by pure equational reasoning More generally we show that all Hoarestyle

inference rules of the form

fb g p fc g fb g p fc g

n n n

fbg p fcg

that are valid over relational mo dels are derivable in KAT this is trivially false for

PHL We also show that deciding the relational validityofsuch rules is PSPACE

complete

A Kleene algebra with tests is dened simply as a Kleene algebra with an em

b edded Bo olean subalgebra Possible interpretations include the various standard

relational and tracebased mo dels used in program semantics and KAT is complete

for the equational theory of these mo dels Kozen and Smith This work shows

that the reasoning p ower represented by prop ositional Hoare logic is captured in a

concise purely equational system KAT that is complete over various natural classes

of interpretations and whose exact complexityisknown Thus for all practical pur

p oses KAT can b e used in place of the Hoare rules in program correctness pro ofs

Related Work

Equational logic p ossesses a rich theory and is the sub ject of numerous pap ers

versatility in program sp ecication and and texts Taylor Its power and

verication are widely recognized ODonnell Goguen and Malcolm

The equational nature of Hoare logic has b een observed previously Manes and

Arbib Manes and Arbib formulate Hoare logic in partially additive semirings

and categories The enco ding of the PCA fbg p fcg as the equation bpc is

observed there They consider only relational mo dels and the treatment of iteration

is innitary Blo om and Esik Blo om and Esik reduce Hoare logic to the

equational logic of iteration theories They do not restrict their attention to while

programs but capture all owchart schemes requiring extra notation for insertion

tupling and pro jection Their developmentisdonein the framework of category

theory Semantic mo dels consist of morphisms in algebraic theories a particular

kind of category Other related work can b e found in Blo om and Esik Main

and Black

The enco ding of the while programming constructs using the regular op erators

and tests originated with prop ositional dynamic logic PDL Fischer and Ladner

Although strictly less expressivethan PDL KAT hasanumber of advantages

i it isolates the equational part of PDLallowing program equivalence pro ofs to b e

expressed in their natural form ii it conveniently overloads the op erators

On Hoare Logic and Kleene Algebra with Tests

allowing concise and elegant algebraic pro ofs iii it is PSPACE complete Cohen

et al whereas PDL is EXPTIME complete Fischer and Ladner iv

interpretations are not restricted to relational mo dels but may be any algebraic

structure satisfying the axioms and v it admits various general and useful alge

braic constructions such as the formation of algebras of matrices over a KATwhich

among other things allows a natural enco ding of automata

Halp ern and Reif Halp ern and Reif prove PSPACE completeness of strict

deterministic PDL but neither the upp er nor the lower b ound of our PSPACE

completeness result follows from theirs Not only are PDL semantics restricted

to relational mo dels but the arguments of Halp ern and Reif dep end on an

additional nonalgebraic restriction the relations interpreting atomic programs must

b e singlevalued Without this restriction even if only while programs are allowed

PDL is exp onential time hard In contrast KAT imp oses no such restrictions

In Section we review the denitions of Hoare logic and Kleene algebra with

tests In Section we reduce PHL to KAT and derive the Hoare rules as theorems

of KAT In Section we strengthen this result to showthat KAT is complete for

relationally valid rules of the form In Section weprove that the problem of

deciding the relational validityofsuch rules is PSPACE complete

PRELIMINARY DEFINITIONS

Hoare Logic

Hoare logic is a system for reasoning inductively ab out wellstructured programs

A comprehensiveintro duction can b e found in Cousot

A common choice of programming language in Hoare logic is the language of

while programs The rstorder version of this language contains a simple assign

q and ment x e conditional test if b then p else q sequential comp osition p

a lo oping construct while b do p

The basic assertion of Hoare logic is the partial correctness assertion PCA

fbg p fcg

where b and c are formulas and p is a program Intuitively this statement asserts

that whenever b holds b efore the execution of the program p then if and when p

halts c is guaranteed to hold of the output state It do es not assert that p must

halt

Semantically programs p in Hoare logic and dynamic logic DL are usually in

terpreted as binary inputoutput relations p on a domain of computation M and

assertions are interpreted as subsets of M Co ok Pratt The denition of

M M M M

the relation p is inductive on the structure of p for example p q p q

the ordinary relational comp osition of the relations corresp onding to p and q The

meaning of the PCA is the same as the meaning of the DL formula b pc

where is ordinary prop ositional implication and the mo dal construct pc is in

terpreted in the mo del M as the set of states s suchthat for all s t p the

output state t satises c

Hoare logic provides a system of sp ecialized rules for deriving valid PCAs one

rule for each programming construct The verication pro cess is inductiveonthe

structure of programs The traditional Hoare inference rules are

D Kozen

Assignment rule

fbxeg x e fbg

Composition rule

fbg p fcg fcg q fdg

fbg p q fdg

Conditional rule

fb cg p fdg fb cg q fdg

fcg if b then p else q fdg

While rule

fb cg p fcg

fcg while b do p fb cg

Weakening rule

b b fbg p fcg c c

fb g p fc g

Prop ositional Hoare logic PHL consists of atomic prop osition and program sym

b ols the usual prop ositional connectives while program constructs and PCAs

built from these Atomic programs are interpreted as binary relations on a set M

and atomic prop ositions are interpreted as subsets of M The deduction system of

PHL consists of the comp osition conditional while and weakening rules

and prop ositional logic The assignment rule is omitted since there is no rst

order relational structure over whichtointerpret program variables in practice its

role is played byPCAsover atomic programs that are p ostulated as assumptions

In PHLwe are concerned with the problem of determining the validityofrules

of the form

fb g p fc g fb g p fc g

n n n

fbg p fcg

over relational interpretations The premises fb g p fc g take the place of the

i i i

assignment rule and are an essential part of the formulation

Kleene Algebra

Kleene algebra KA is the algebra of regular expressions Kleene Conway

The axiomatization used here is from Kozen A Kleene algebra is an

algebraic structure K that is an idemp otent semiring under

satisfying

pp p

p p p

r p q r q pr

q rp r qp r

where refers to the natural partial order on K

def

p q p q q

On Hoare Logic and Kleene Algebra with Tests

The op eration gives the supremum with resp ect to the natural order Instead

of and we mighttake the equivalent axioms

pr r p r r

rp r rp r

These axioms say essentially that behaves like the Kleene asterate op erator of

formal language theory or the reexive transitive closure op erator of relational

algebra

Kleene algebra is a versatile system with many useful interpretations Standard

mo dels include the family of regular sets over a nite alphab et the family of binary

relations on a set and the family of n n matrices over another Kleene algebra

Other more unusual interpretations include the min algebra used in shortest

path algorithms and mo dels consisting of conv ex p olyhedra used in computational

geometry Iwano and Steiglitz

The following are some typical identities that hold in all Kleene algebras

p q p p q

pq p pqp

pq pqp q

p pp p

All the op erators are monotone with resp ect to In other words if p q then

pr qr rp rq p r q r andp q for any r

The completeness result of Kozen says that all true identities between

regular expressions interpreted as regular sets of strings are derivable from the

axioms of Kleene algebra In other words the algebra of regular sets of strings over

the nite alphab et is the free Kleene algebra on generators The axioms are

also complete for the equational theory of relational mo dels

See Kozen for a more thorough intro duction

Kleene Algebra with Tests

Kleene algebras with tests KATwere intro duced in Kozen and their theory

further develop ed in Kozen and Smith Cohen et al A Kleene algebra

with tests is just a Kleene algebra with an emb edded Bo olean subalgebra That is

it is a twosorted structure

K B

suchthat

K is a Kleene algebra

B is a Bo olean algebra and

B K

The Bo olean complementation op erator is dened only on B Elements of B are

called tests The letters p q rs denote arbitrary elements of K and a b c denote

tests

This deceptively simple denition actually carries a lot of information in a concise

package The op erators each playtwo roles applied to arbitrary elements

D Kozen

of K they refer to nondeterministic choice comp osition fail and skip resp ectively

and applied to tests they take on the additional meaning of Bo olean disjunction

conjunction falsity and truth resp ectively These two usages do not conictfor

example sequential testing of b and c is the same as testing their conjunctionand

their co existence admits considerable economy of expression

The enco ding of the while program constructs is as in PDL Fischer and Ladner

def

p q pq

def

if b then p else q bp bq

def

while b do p bp b

For applications in program verication the standard interpretation would b e a

Kleene algebra of binary relations on a set and the Bo olean algebra of subsets of

the identity relation One could also consider trace mo dels in which the Kleene

elements are sets of traces sequences of states and the Bo olean elements are sets

of states traces of length As with KA one can form the algebra MatK Bn

of n n matrices over a KAT K B the Bo olean elements of this structure are the

diagonal matrices over B There is also a languagetheoretic mo del that plays the

same role in KAT that the regular sets of strings over a nite alphab et playin KA

namely the family of regular sets of guarded strings over a nite alphab et with

guards from a set B This is the free KAT on generators B that is the equational

theory of this structure is exactly the set of all equational consequences of the KAT

axioms Moreover KAT is complete for the equational theory of relational mo dels

Kozen and Smith

KAT AND HOARE LOGIC

In this section we enco de Hoare logic in KAT and derivethe Hoare comp osition

conditional while and weakening rules as theorems of KAT We will strengthen

this result in Section by showing that KAT can derive all relationally valid rules

of the form

The PCA fbg p fcg is enco ded in KAT by the equation

bp c

c has no Intuitivelythissays that the program p with preguard b and p ostguard

halting execution An equivalentformulation is

bp bpc

whichsays intuitively that testing c after executing bp is always redundant

The equivalence of and can b e argued easily in KAT This equivalence

was previously observed by Manes and Arbib Manes and Arbib Assuming

bp bpc c by the axiom a a and Bo olean algebra

c by distributivity bpc bp

bpc by and the axiom a a

On Hoare Logic and Kleene Algebra with Tests

Conversely assuming

c bpcc by bp

bp by asso ciativity and Bo olean algebra

by the axiom a

The equation is equivalent to the inequality bp bpc since the reverse

inequality is a theorem of KAT it follows immediately from the axiom c of

Bo olean algebra and monotonicityofmultiplication

Using and the Hoare rules take the following form

Composition rule

bp bpc cq cq d bpq bpq d

Conditional rule

bcp bcpd bcq bcq d cbp bq cbp bq d

While rule

bcp bcpc cbp b cbp b bc

Weakening rule

b b bp bpc c c b p b pc

These implications are to be interpreted as universal Horn formulas that is the

variables are implicitly universally quantied To establish the adequacy of the

translation weshow that enco ding the Hoare rules are theorems

of KAT

Theorem The universal Horn formulas aretheorems of KAT

Proof First wederive Assuming the premises

bp bpc

cq cq d

wehave

bpq bpcq by

bpcq d by

bpq d by

Thus the implication holds

For assume the premises

bcp bcpd

bcq bcq d

Then

bq cbp cbq by distributivity cbp

bcp bcq by commutativity of tests

D Kozen

bcq d by and bcpd

cbpd cbqd by commutativity of tests

cbp bq d by distributivity

For by trivial simplications it suces to show

cbp cbpc cbp cbp c

Assume

cbp cbpc

By we need only show

c cbp cbp cbp c

But

c cbp cbp c cbp cbpc by and monotonicity

cc cbp cbpc by Bo olean algebra

c bp cbpc by distributivity

c bp bpc by monotonicity

cbp c by

Finally for we can rewrite the rule as

b b bp c c c b pc

which follows immediately from the monotonicityofmultiplication

A COMPLETENESS THEOREM

Theorem says that for any pro of rule of PHL or more generally for anyruleof

the form

fb g p fc g fb g p fc g

n n n

fbg p fcg

derivable in PHL the corresp onding equational implication universal Horn for

mula

c b p c bpc b p

n n n

is a theorem of KAT In this section we strengthen this result to show Corollary

that al l universal Horn formulas of the form

r r p q

that are relationally valid true in all relational mo dels are theorems of KAT in

other words KAT is complete for universal Horn formulas of the form over

relational interpretations This result subsumes Theorem since the Hoare rules

are relationally valid Corollary is trivially false for PHL for example the rule

fcg if b then p else p fcg

fcg p fcg

On Hoare Logic and Kleene Algebra with Tests

is not derivable since the Hoare rules only increase the length of programs

In Kozen and Smith based on a technique of Cohen Cohen for KA

weshowed that a formula of KAT of the form is valid over all mo dels i it is

valid over continuous mo dels moreover its validityover either class of mo dels is

equivalenttothevalidity of a pure equation We strengthen this result byshowing

that this equivalence still holds when mo dels are further restricted to relational

mo dels The deductive completeness of KAT over relationally valid formulas of the

form follows as a corollary

Let T denote the set of terms of the language of KAT over primitive prop osi

tions fa a g and primitive tests B fb b g Let r r pq

m k n

T Let u a a and let r r The formula is equivalent

B m i

to r p q Consider the four conditions

KAT r p q

REL r p q

p ur u q ur u

It do es not matter whether is preceded by KAT KAT orREL since the equa

tional theories of these classes coincide Kozen and Smith It was shown in

Kozen and Smith that the metastatements and are equivalent

We wish to add to this list

The algebra G of regular sets of guarded strings over B and the standard

interpretation G T G were dened in Kozen and Smith We briey

B B

review the denitions here An atom of B is a term of the form c c c where c

k i

is either b or b An atom represents an atom of the free Bo olean algebra generated

i i

by B Atoms are denoted A guarded string over B is a term of the

form

p p p

n n n

where each p andeach is an atom This includes the case n so atoms

i i

are guarded strings If x y are guarded strings and then their pro duct is

xy If then the pro duct do es not exist We can form the Kleene algebra

of all sets of guarded strings with op erations

def

A B A B

def

AB fx y j x A y B g

def

A A

def

fatoms of B g

This b ecomes a KAT by taking the Bo olean algebra of tests to be the powerset

of the set The map G is dened to be the unique homomorphic map on T

extending

def

Ga fa j are atoms of Bg a

D Kozen

def

Gb f j bg b B

where b denotes that b o ccurs p ositively in The algebra G is dened to b e

the image of T under the map G It was shown in Kozen and Smith that

G is the free KAT on generators B in the sense that for any terms s t T

B B

s t GsGt

Note that Gu is the set of all guarded strings over B

Theorem The metastatements areequivalent

REL KAT KAT the implications hold Proof Since

trivially Also it is clear that

KAT p ur u q ur u r p q

therefore as well It thus remains to show that Writing

equations as pairs of inequalities it suces to show

REL r p q p q ur u

To show we construct a relational mo del R on states Gu Gur u Note

that if x y z Gusuch that xy z Gu Gur u then y Gu Gur u If

Gu Gur u then we are done since in that case Gp Gu Gur u and the

righthand side of follows immediately from SimilarlyifG Gur u

then Gu Guur u Gur u and the same argument applies We can therefore

assume without loss of generality that b oth Gu Gur uandG Gur uare

nonempty

The atomic symb ols are interpreted in R as follows

def

R a f x xa j xa Gu Gur ug a

def

R b fx x j x x Gu Gur u bg b B

The interpretations of comp ound expressions are dened inductively in the standard

way for relational mo dels

Wenow show that for any t T

R t fx xy j xy Gu Gur u y Gtg

by induction on the structure of t For primitive programs a and tests b

R a fx xa j xa Gu Gur ug

fx xa j xa Gu Gur ug

fx xy j xy Gu Gur u y Gag

Gbg R b fx x j x x Gu Gur u

fx x j x Gu Gur u Gbg

fx xy j xy Gu Gur u y Gbg

For the constants and wehave

fx xy j xy Gu Gur u y Gg

On Hoare Logic and Kleene Algebra with Tests

R fx x j x Gu Gur ug

fx xy j xy Gu Gur u y Gg

For comp ound expressions

R s t R s R t

fx xy j xy Gu Gur u y Gsg

u Gur u y Gtg fx xy j xy G

fx xy j xy Gu Gur u y Gs Gtg

fx xy j xy Gu Gur u y Gs tg

R st R s R t

fx xz j xz Gu Gur u z Gsg

fy yw j yw Gu Gur u w Gtg

fx xz w j xz w Gu Gur u z Gs w Gtg

fx xy j xy Gu Gur u y Gstg

R t R t

fx xy j xy Gu Gur u y Gt g

Wenow show Supp ose the lefthand side holds By

def

R r fx xy j xy Gu Gur u y Gr g

By the lefthand side of R p R q In particular for any x Gp Gur u

x R p therefore x R q as well thus x Gq Gur u But this

says Gp Gur uGq Gur u thus Gp Gq Gur uGq ur u

It follows from that the righthand side of holds

Corollary KAT is deductively complete for formulas of the form over

relational models

Proof If the formula is valid over relational mo dels then by Theorem

holds Since KAT is complete for valid equations

KAT p ur u q ur u

But clearly

KAT p ur u q ur u r p q

therefore

KAT r p q

D Kozen

COMPLEXITY

As dened in Section the decision problem for PHL is to determine whether

agiven rule of the form is valid over all relational interpretations Note that

PSPACE hardness do es not follow immediately from the PSPACE hardness of the

equational theory since the conclusion fbg p fcg is of a restricted form q

Indeed E Cohen has shown Cohen that the complexityofvalid equations

of the form q in KAT is NP complete

Theorem The decision problem for PHL is PSPACEcomplete

Proof The reduction of Sections and transforms the decision problem for

PHL to the problem of the universal validityofHornformulas of the form As

shown in Section this can b e reduced to testing the validity of a single equation

without premises The equational theory of KAT is decidable in PSPACE Cohen

et al thus the decision problem for PHL is in PSPACE

Wenowshow that the problem is PSPACE hard This holds even if the premises

fb g p fc g are restricted to refer only to atomic programs and even if they are

i i i

restricted to refer only to a single atomic program p We give a direct enco ding

of the computation of a p olynomial spaceb ounded onetap e deterministic Turing

machine in an instance of the decision problem for PHL Our approach is similar to

Halp ern and Reif using the premises fb g p fc g to circumvent the determi

i i i

nacy assumption E Cohen Cohen has given an alternative hardness pro of

using the universality problem for regular expressions

Consider the computation of a p olynomiallyspaceb ounded onetap e determin

istic Turing machine M on some input x of length n Let N b e a p olynomial b ound

on the amount of space used by M on input x Let Q b e the set of states of M let

b e its tap e alphab et let s b e its start state and let t b e its unique halt state We

use p olynomially many atomic prop ositional symbols with the following intuitive

meanings

T the i tap e cell currently contains symbol a i N a

H the tap e head is currently scanning the ith tap e cell i N

S the machine is currently in state q q Q

Let p b e an atomic program Intuitively p represents the action of one step of M

We will devise a set of assumptions that will saythat p faithfully mo dels

the action of M The PCA will say that if started in state s on input x the

program

while the current state is not t do p

fails The PCA will b e a logical consequence of i M do es not halt

on input x

The start conguration of M on x consists of a left endmarker written on tap e

cell the input x a a written on cells through nandthe remainder of

the tap e lled with the blank symbol t out to the N cell The machine starts in

state s scanning the left endmarker This situation is captured by the prop ositional

formula

def

start T T T S H

ia it s

in n iN

On Hoare Logic and Kleene Algebra with Tests

We will need a formula to ensure that M is in at most one state that it is

scanning at most one tap e cell and that there is at most one symbol written on

each tap e cell

def

format T T S S

ia ib p q

iN a b p q

H H

i j

ij N

We include the PCA

fformat g p fformatg

as one of the assumptions to ensure that format is an invariantof p and therefore

preserved throughout the simulation of M

Supp ose the transition function of M says that when scanning a cell containing

symbol a in state p M prints the symbol b on that cell moves right and enters

state q We capture this constraintby the family of PCAs

fT H S g p fT H S g i N

ia i p ib i q

All these PCAs are included for each p ossible transition of the machine there are

only p olynomially many in all

Wemust also ensure that the symb ols on tap e cells not currently b eing scanned

do not change this is accomplished by the family of PCAs

f T H g p fT g i N a

ia i ia

These are the assumptions in our instance of the decision problem It

is apparent that under any interpretation of p satisfying these PCAs successive

executions of p starting from any state satisfying start format move only to

states whose values for the atomic prop ositions S T and H mo del valid cong

q ia i

urations of M andthevalues change in suchaway as to mo del the computation

of M Thus there is a reachable state satisfying S i M halts on x

Wetake as our conclusion the PCA

fstart format g while S do p ffalseg

whichsays intuitively that when started in the start conguration rep eatedly ex

ecuting p will never cause M to enter state t The PCA is therefore a logical

consequence of i M do es not halt on x

ACKNOWLEDGMENTS

I thank Krzysztof Apt Steve Blo om Ernie Cohen Zoltan Esik Jo e Halp ern Greg

Morrisett Moshe Vardi and Thomas Yan for valuable comments on an earlier

version of this pap er Kozen

REFERENCES

Bloom S L and Esik Z FloydHoare logic in iteration theories J Assoc Comput

Mach Octob er

Bloom S L and Esik Z Program correctness and matricial iteration theories In

Proc Mathematical Foundations of Programming Semantics th Int ConfVolume

of Lecture Notes in Computer Science pp SpringerVerlag

D Kozen

Clarke E M German S M and Halpern J Y Eective axiomatizations of

Hoare logics J Assoc Comput Mach

Cohen E Hyp otheses in Kleene algebra

Available as ftpftpb ellcorecompubernieresearchhomepagehtml

Cohen E Personal communication

Cohen E Kozen D and Smith F The complexity of Kleene algebra with tests

Technical Rep ort July Computer Science Department Cornell University

Conway J H Regular Algebra and Finite Machines Chapman and Hall London

Cook S A Soundness and completeness of an axiom system for program verication

SIAM J Comput February

Cousot P Metho ds and logics for proving programs In J van Leeuwen Ed Hand

boodofTheoretical Computer Science Volume B pp Amsterdam Elsevier

Fischer M J and Ladner R E Prop ositional dynamic logic of regular programs

J Comput Syst Sci

Goguen J A and Malcolm G Algebraic Semantics of Imperative Programs

Foundations of Computing MIT Press Cambridge MA

The prop ositional dynamic logic of deterministic Halpern J Y and Reif J H

wellstructured programs Theor Comput Sci

Hoare C A R An axiomatic basis for computer programming Comm Assoc

Comput Mach

Iwano K and Steiglitz K A semiring on convex p olygons and zerosum cycle

problems SIAM J Comput

Kleene S C Representation of events in nerve nets and nite automata In C E

Shannon and J McCarthy Eds Automata Studies pp Princeton NJ Princeton

UniversityPress

Kozen D A completeness theorem for Kleene algebras and the algebra of regular

events Infor and Comput May

Kozen D Kleene algebra with tests Transactions on Programming Languages and

Systems May

Kozen D On Hoare logic and Kleene algebra with tests In Proc Conf Logic in

Computer Science LICS July pp IEEE

Kozen D and Smith F Kleene algebra with tests Completeness and decidability

In D van Dalen and M Bezem Eds Pr oc th Int Workshop Computer ScienceLogic

CSL Volume of Lecture Notes in Computer Science Utrecht The Netherlands

Septemb er pp SpringerVerlag

Main M G and Black D L Semantic mo dels for total correctness and fairness

In Proc Mathematical Foundations of Programming Semantics th Int Conf Volume

of Lecture Notes in Computer Science pp SpringerVerlag

Manes E G and Arbib M A Algebraic Approaches to Program Semantics

SpringerVerlag New York

ODonnell M J Equational Logic as a Programming Language MIT Press Cam

bridge MA

Pratt V R A practical decision metho d for prop ositional dynamic logic In Proc

th Symp Theory of Comput pp ACM

Taylor W Equational logic Houston J Math iii Survey