A COMPLETE AXIOMATIC SYSTEM FOR PROVING DEDUCTIONS ABOUT RECURSIVE PROGRAMS

David Harel+, Massachusetts Institute of Technology, Cambridge, MA 02139; Amir Pnueli, Tel-Aviv University, Tel-Aviv, Israel; and Jonathan Stavi, Bar-Ilan University, Ramat-Gan, Israel.

Abstract. Denoting a version of Hoare's system for proving partial correctness of recursive programs by H, we present an extension D which may be thought of as $H \cup \{\wedge, \vee, \exists, \forall\} \cup H^{-1}$, including the rules of H, four special purpose rules and inverse rules to those of Hoare. D is shown to be a complete system (in Cook's sense) for proving deductions of the form $\varphi_1, \ldots, \varphi_n \vdash \varphi$ over a language the wffs of which are assertions in some assertion language L and partial correctness specifications of the form $p\{\alpha\}q$. All valid formulae of L are taken as axioms of D. It is shown that D is sufficient for proving partial correctness, total correctness and program equivalence as well as other important properties of programs, the proofs of which are impossible in H. The entire presentation is worked out in the framework of nondeterministic programs employing iteration and mutually recursive procedures.

I. Introduction.

The axiomatic method of specifying semantics of programs, as given by Hoare ([10], [11] and also [12]), lends itself very successfully to a specific goal, namely that of proving partial correctness of specific programs. A convenient description of the method employs an assertion language L and a formal proof system H having as axioms all logically valid formulae of L. A proof of a partial correctness specification $p\{\alpha\}q$, where p, q are wffs in L, is carried out in H by composing α from more primitive program segments, starting from a finite number of assumptions in L. A well known result is that the conventional Hoare system and its variants are complete if L is strong enough to express all needed assertions. Various definitions of this strength are expressiveness of L (Cook[3]), or tidiness of all programs (Pratt[15]). Cook[3] showed that first order arithmetic is expressive, thus proving completeness of H for this important special case of L. Extensions of Hoare's system to cover recursion and mutual recursion have also been proved complete under similar conditions (see Gorelick[7], Harel et al [9]).

A suitable such system H can in fact be thought of as a formal system for proving the correctness of deductions of the form $\varphi_1, \ldots, \varphi_n \vdash p\{\alpha\}q$ under the restriction that each of the $\varphi_i$ is a procedure declaration or a formula of L. However, when considering general deductions of the form $\varphi_1, \ldots, \varphi_n \vdash \varphi$ (where the $\varphi_i$ may also be partial correctness specifications), it is easy to come up with semantically valid deductions which cannot be derived in H. Two examples are

(1) $p\{\text{if } r \text{ then } \alpha \text{ else } \beta \text{ fi}\}q \;\vdash\; p\{\text{if } \neg r \text{ then } \beta \text{ else } \alpha \text{ fi}\}q$

(2) $p\{\alpha\}q,\; r\{\alpha\}q \;\vdash\; p \vee r\{\alpha\}q$ (a rule which, while being underivable in H, can be shown to be superfluous for any concrete proof of partial correctness, Igarashi et al [12]).

These examples illustrate the absence (in H) of mechanisms for (1) extracting information from a specification $p\{\alpha\}q$ about parts of α (where α is a complex program segment), and (2) combining the information given in different specifications about the same program segment. H can be seen to be complete only for "simple" deductions, in which the antecedents $\varphi_i$ include, for each given α, at most one specification of the form $p\{\alpha\}q$, and all such specifications are simple, consisting of a single assignment or call statement, or a single program segment variable (PSV), which is a symbol standing for an arbitrary program segment.

+ The work of this author was partially supported by NSF under contract [number illegible in source].
In Section II we present our system D, which is an extension of Hoare's system, and in Section III show that D is sound and complete for deductions ($\varphi_1, \ldots, \varphi_n \vdash_D \varphi$ iff $\varphi_1, \ldots, \varphi_n \models \varphi$), that is, φ can be proved in D from assumptions $\varphi_1, \ldots, \varphi_n$ iff φ is true in every model satisfying $\varphi_1, \ldots, \varphi_n$. Here the $\varphi_i$ can themselves be any partial correctness specifications.

The completeness result is shown by proving a series of more restricted theorems, holding for successively richer subsystems of D, thus clarifying the whole process and also achieving a side effect of indicating the precise role in D played by its important components.

A variety of properties of programs can be proved using D, and the completeness result ensures us that when L is expressive (e.g. in arithmetic) a proof exists for each valid such property. The following possibilities are described in Section IV:
(i) proving the partial correctness of a given program,
(ii) proving the total correctness of a given program,
(iii) proving the (strong) equivalence of programs,
(iv) establishing derived rules,
(v) carrying out modular proofs of program correctness given properties of segments of the program,
(vi) simplifying complex program segments and establishing valid program transformations.

Schematically speaking, D will consist of a suitable version of H for composing the conclusion of the deduction, four rules ($\wedge, \vee, \exists, \forall$) for collecting information about unspecified program segments, and a "mirror image" of H containing inverse rules for decomposing complex program segments appearing among the premises. D, having the flavour of a natural deduction system, has all valid formulae of L as axioms.

II. The System.

Syntax. The alphabet Σ contains symbols for individual constants and variables, functions and predicates, connectives and operators. L = L(Σ) is a logical language with equality over Σ (having at least the power of the first order language over Σ). A well-formed formula of L will be called a logical wff (L-wff). P = P(Σ) is a programming language over Σ, with the following syntax:

<statement> ::= <elementary action> | <procedure call> | <statement>;<statement> | if <boolean> then <statement> else <statement> fi | while <boolean> do <statement> od
<declaration> ::= <procedure name>( , ) proc <statement> end

An elementary action is a nondeterministic assignment of the form $\bar x \leftarrow \bar x'.\varphi(\bar x, \bar x', \bar w)$, reading "assign to $\bar x$ some $\bar x'$ such that φ holds". This will usually be abbreviated as $A(\bar x, \bar w)$, where $\bar x$ is the vector of variables which can be modified by A, and $\bar w$ is the vector of additional variables upon which the assignment might depend. When φ is of the form $\bar x' = f(\bar x, \bar w)$, A is the conventional assignment statement.

A procedure call is a statement of the form call $P(\bar x, \bar e)$, where P is a procedure name, $\bar x$ is a vector of actual name parameters (variables), and $\bar e$ is a vector of actual value parameters (terms). The x's are assumed to be distinct and the e's to be independent of the x's. A boolean is a quantifier-free L-wff.

A P-segment will simply be a statement in P. We extend Σ to Σ' by adding a set of new symbols ($R_1, R_2, \ldots$) which stand for arbitrary P-segments and are therefore called program-segment variables (PSV's). The programming language P' is an extension of P obtained by allowing statements of the form $R_i(\bar x, \bar w)$, where $\bar x$ and $\bar w$ have a meaning similar to that given in the elementary actions. Note that the difference between a PSV and an elementary action is that for the latter we are given a formula defining its effect. Similarly, the difference between a PSV and a procedure call is that the latter may have an explicit declaration. We will use $\alpha(\bar x, \bar w)$ to denote an arbitrary P'-segment such that $\bar x$ is the vector of all modifiable variables of α, and $\bar w$ consists of all other variables appearing in α.
A specification is a construct φ of the form $\varphi:\; p(\bar x, \bar w, \bar z)\{\alpha(\bar x, \bar w)\}q(\bar x, \bar w, \bar z)$, where p and q are L-wffs and α is a P'-segment. Here the elements of $\bar z$ are said to be the free variables of the specification φ. Where no confusion can arise we will occasionally omit the $\bar z$'s and regard $\bar z$ as consisting of all the variables appearing in the specification not assigned to in α. A specification $p\{\alpha\}q$ is simple if α is a PSV, an elementary action or a call statement (simple statements).

The formulae of our language W (called W-wffs) are (1) L-wffs, (2) specifications, (3) declarations. (Note that W-wffs cannot be combined by logical connectives.)

Semantics. An interpretation of a set Γ of W-wffs is a tuple $I = \langle D, \iota, B_1, B_2, \ldots, E_1, E_2, \ldots \rangle$ where D is a nonempty domain, ι is an interpretation of all individuals (including constants and free variables), function and predicate symbols of L, each $B_i(\bar x, \bar x', \bar w)$ is a relation for a PSV $R_i(\bar x, \bar w)$ appearing in Γ, and each $E_i(\bar x, \bar x', \bar w)$ is a relation for a procedure $P_i$ that appears in Γ but does not have a corresponding declaration in Γ. $B_i$ and $E_i$ describe the effect of the P'-segments $R_i$ and call $P_i$ respectively, under I.

We now show how an interpretation I assigns truth values to W-wffs. An L-wff is assigned a truth value by I in the standard way. A program segment $\alpha(\bar x, \bar w)$ all of whose procedure calls are interpreted (see below) is interpreted under I as a relation $\rho_\alpha$ in the following way (relational notation from e.g. deBakker and Meertens [1]):

For an elementary action A: $\rho_A = \hat\varphi$ (the interpretation ι gives to φ).
For a PSV $R_i$: $\rho_{R_i} = B_i$.
For a procedure $P_i$: $\rho_{\text{call}P_i} = E_i$.
$\rho_{\alpha;\beta} = \rho_\alpha \rho_\beta$.
$\rho_{\text{if } r \text{ then } \alpha \text{ else } \beta \text{ fi}} = \hat r \rho_\alpha \cup \widehat{\neg r} \rho_\beta$.
$\rho_{\text{while } r \text{ do } \alpha \text{ od}} = (\hat r \rho_\alpha)^* \widehat{\neg r}$.

Using this definition, we are now able to assign relations to the procedure calls which have corresponding body declarations in Γ. The relations assigned to these procedures are the least fixpoint relations solving the system of mutually recursive procedure declarations in Γ (here too we will refer to this interpretation of such P as E). We now have an interpretation under I for each P'-segment in Γ. A specification $p(\bar x, \bar w, \bar z)\{\alpha(\bar x, \bar w)\}q(\bar x, \bar w, \bar z)$ is true under I if $\forall \bar x, \bar x', \bar w\,(p(\bar x, \bar w, \bar z) \wedge \rho_\alpha(\bar x, \bar x', \bar w) \supset q(\bar x', \bar w, \bar z))$ is true (note that the free variables $\bar z$ have been assigned by I).

A set Γ of W-wffs is defined to be true under an interpretation I of Γ if all non-declaration formulae of Γ are true in I. I is called a model of Γ.

A tuple $S = (\varphi_1, \ldots, \varphi_n, \varphi)$ where φ is not a declaration is called a valid deduction (written $\varphi_1, \ldots, \varphi_n \models \varphi$) if φ is true in any interpretation I of S which is a model of $\{\varphi_1, \ldots, \varphi_n\}$.

We denote a P'-segment α containing the statements call $P_1(\bar x_1, \bar e_1)$, ..., call $P_n(\bar x_n, \bar e_n)$ by $\alpha(\text{"call}P_1\text{"}, \ldots, \text{"call}P_n\text{"})$, and the elementary action $\bar x \leftarrow \bar x'.(\varphi(\bar x, \bar w) \supset \psi(\bar x', \bar w))$ by $[\varphi, \psi](\bar x, \bar w)$.

We now present our system D. The basic statements to be proved in D are deductions of the form $\Gamma \vdash \varphi$ where Γ is a set of W-wffs and φ a non-declaration W-wff. Our inference rules are rule-schemata in which α, β, ... stand for arbitrary P'-segments and p, q, ... for arbitrary L-wffs.

AXIOMS

A1: $\Gamma \vdash p$, where p is any logically valid L-wff.
A2: $\Gamma, \varphi \vdash \varphi$, where φ is not a declaration.
A3 (Frame axiom): $\Gamma \vdash p(\bar z)\{\alpha(\bar x, \bar w)\}p(\bar z)$, where $\bar z$ and $\bar x$ are disjoint.
RULES OF INFERENCE

L1 (Substitution):
(a) from $\Gamma \vdash p(\bar x, \bar w)\{\alpha(\bar x, \bar w)\}q(\bar x, \bar w)$ infer $\Gamma \vdash p(\bar z, \bar w)\{\alpha(\bar z, \bar w)\}q(\bar z, \bar w)$, where $\bar z$ is disjoint from $\bar w$ and is free for $\bar x$ in p and q;
(b) from $\Gamma \vdash p(\bar x, \bar w)\{\alpha(\bar x, \bar w)\}q(\bar x, \bar w)$ infer $\Gamma \vdash p(\bar x, \bar t)\{\alpha(\bar x, \bar t)\}q(\bar x, \bar t)$, where $\bar t$ is a vector of terms which is free for $\bar w$ in p and q and does not depend on $\bar x$.

Introduction: from $\Gamma \vdash \varphi_1$ infer $\Gamma, \varphi_2 \vdash \varphi_1$.

L2 (Modus Ponens): from $\Gamma, \varphi_2 \vdash \varphi_1$ and $\Gamma \vdash \varphi_2$ infer $\Gamma \vdash \varphi_1$.

L3 (Deduction): from $\Gamma, p \vdash q$ infer $\Gamma \vdash p \supset q$, and from $\Gamma \vdash p \supset q$ infer $\Gamma, p \vdash q$, where p and q are L-wffs.

D1 (Elementary Action): from $\Gamma \vdash p(\bar x, \bar w, \bar z) \wedge \varphi(\bar x, \bar x', \bar w) \supset q(\bar x', \bar w, \bar z)$ infer $\Gamma \vdash p(\bar x, \bar w, \bar z)\{A(\bar x, \bar w)\}q(\bar x, \bar w, \bar z)$, where A is the elementary action $\bar x \leftarrow \bar x'.\varphi(\bar x, \bar x', \bar w)$.

D2 (Consequence): from $\Gamma \vdash p \supset s$, $\Gamma \vdash s\{\alpha\}t$ and $\Gamma \vdash t \supset q$ infer $\Gamma \vdash p\{\alpha\}q$.

D3 (Composition): from $\Gamma \vdash p\{\alpha\}s$ and $\Gamma \vdash s\{\beta\}q$ infer $\Gamma \vdash p\{\alpha;\beta\}q$.

D4 (Conditional): from $\Gamma \vdash p \wedge r\{\alpha\}q$ and $\Gamma \vdash p \wedge \neg r\{\beta\}q$ infer $\Gamma \vdash p\{\text{if } r \text{ then } \alpha \text{ else } \beta \text{ fi}\}q$.

D5 (Iteration): from $\Gamma \vdash p \wedge r\{\alpha\}p$ infer $\Gamma \vdash p\{\text{while } r \text{ do } \alpha \text{ od}\}p \wedge \neg r$.

D6: [statement of this rule illegible in the source]

D7 (Recursion): from $\Gamma([\varphi, \psi]) \vdash \varphi\{\alpha([\varphi, \psi])\}\psi$ infer $\Gamma, P \text{ proc } \alpha(\text{"call}P\text{"}) \text{ end} \vdash \varphi\{\text{call}P\}\psi$. (Here $\Gamma([\varphi, \psi])$ is Γ with the elementary action $[\varphi, \psi](\bar x, \bar e)$ substituted for occurrences of call $P(\bar x, \bar e)$. A clarification of rule D7 appears at the end of the Section.)

D8 (∧-rule): from $\Gamma \vdash p\{\alpha\}q_1, \ldots, \Gamma \vdash p\{\alpha\}q_n$ infer $\Gamma \vdash p\{\alpha\}\bigwedge_{i=1}^{n} q_i$, $n \ge 0$.

D9 (∨-rule): from $\Gamma \vdash p_1\{\alpha\}q, \ldots, \Gamma \vdash p_n\{\alpha\}q$ infer $\Gamma \vdash \bigvee_{i=1}^{n} p_i\{\alpha\}q$, $n \ge 0$.

(D8 and D9 reduce to $\Gamma \vdash p\{\alpha\}\text{true}$ and $\Gamma \vdash \text{false}\{\alpha\}q$ respectively when $n = 0$.)

D10 (∀-rule): from $\Gamma \vdash p\{\alpha\}q$ infer $\Gamma \vdash p\{\alpha\}(\forall u)q$, where u is not free in p or Γ and does not appear in α.
D11 (∃-rule): from $\Gamma \vdash p\{\alpha\}q$ infer $\Gamma \vdash (\exists u)p\{\alpha\}q$, where u is not free in q and does not appear in α.

D12 (Inverse Elementary Action): from $\Gamma, p(\bar x, \bar w, \bar z) \wedge \varphi(\bar x, \bar x', \bar w) \supset q(\bar x', \bar w, \bar z) \vdash \sigma$ infer $\Gamma, p(\bar x, \bar w, \bar z)\{A(\bar x, \bar w)\}q(\bar x, \bar w, \bar z) \vdash \sigma$, where A is the elementary action $\bar x \leftarrow \bar x'.\varphi(\bar x, \bar x', \bar w)$.

D13 (Inverse Composition): from $\Gamma, p\{\alpha\}X, X\{\beta\}q \vdash \sigma$ infer $\Gamma, p\{\alpha;\beta\}q \vdash \sigma$, where X does not appear in any other component of the rule.

D14 (Inverse Conditional): from $\Gamma, p \wedge r\{\alpha\}q, p \wedge \neg r\{\beta\}q \vdash \sigma$ infer $\Gamma, p\{\text{if } r \text{ then } \alpha \text{ else } \beta \text{ fi}\}q \vdash \sigma$.

D15 (Inverse Iteration): from $\Gamma, p \supset X, X \wedge r\{\alpha\}X, X \wedge \neg r \supset q \vdash \sigma$ infer $\Gamma, p\{\text{while } r \text{ do } \alpha \text{ od}\}q \vdash \sigma$, where X does not appear in any other component of the rule.

D16 (Inverse Recursion): from $\Gamma([\xi, \zeta]), \xi\{\alpha([\xi, \zeta])\}\zeta \vdash \sigma$ infer $\Gamma(\text{"call}P\text{"}), P \text{ proc } \alpha(\text{"call}P\text{"}) \text{ end} \vdash \sigma$, where ξ and ζ do not appear in any other component of the rule.

Note that D13 (and similarly the other inverse rules) is an indirect way of expressing the more natural rule "from $\Gamma \vdash p\{\alpha;\beta\}q$ infer $\Gamma \vdash \exists X(p\{\alpha\}X \wedge X\{\beta\}q)$", the conclusion of which is unfortunately not well formed in W.

A proof in D is a sequence of deductions $\Gamma_i \vdash \varphi_i$, $i = 1, 2, \ldots$, where any line (i.e. deduction) is an axiom or is derived from previous lines by one of the inference rules. A deduction $\Gamma \vdash \varphi$ is said to be derivable in D (written $\Gamma \vdash_D \varphi$) if it is a line of a proof in D.

Our formulation of D7 employs the substitution of $[\varphi, \psi]$ for "callP" in the proof of the body α. This corresponds to the familiar notion of assuming $\varphi\{\text{call}P\}\psi$ when proving α. Employing the same substitution for the premises used in proving α provides us with a concise way of constructing a recursion rule for mutually recursive procedures which avoids referring to all n procedures (as is done in [7] and [9]). In order to illustrate the way in which D7 (and similarly D16) is used, consider two procedures $P_1$ and $P_2$ with declarations $P_i \text{ proc } \alpha_i(\text{"call}P_1\text{"}, \text{"call}P_2\text{"}) \text{ end}$, $1 \le i \le 2$. A framework for such a proof is:

(1) $\vdash \varphi_2\{\alpha_2([\varphi_1, \psi_1], [\varphi_2, \psi_2])\}\psi_2$,
(2) $P_2 \text{ proc } \alpha_2([\varphi_1, \psi_1], \text{"call}P_2\text{"}) \text{ end} \vdash \varphi_2\{\text{call}P_2\}\psi_2$,
(3) $P_2 \text{ proc } \alpha_2([\varphi_1, \psi_1], \text{"call}P_2\text{"}) \text{ end} \vdash \varphi_1\{\alpha_1([\varphi_1, \psi_1], \text{"call}P_2\text{"})\}\psi_1$,
(4) $P_1 \text{ proc } \alpha_1 \text{ end}, P_2 \text{ proc } \alpha_2 \text{ end} \vdash \varphi_1\{\text{call}P_1\}\psi_1$.

Lines (2) and (4) are proved using D7 with an empty Γ, and with Γ consisting of the $P_2$-declaration, respectively.

The following (standardly verified) fact is very useful in proving deductions involving unspecified program segments:

Substitution Theorem - If $\Gamma \vdash_D \varphi$, and Γ' and φ' are obtained by replacing all occurrences of a PSV R by an arbitrary P'-segment in Γ and φ, then $\Gamma' \vdash_D \varphi'$.
III. Results.

One of our basic assumptions throughout is that the language L is expressive (Cook[3]). This means that for each P-segment α in the context of a given set of declarations, it is possible to express as an L-wff the relation $\rho_\alpha$ computed by α, i.e. L has constructs powerful enough to express the *, ∪, composition and fixpoint operators. A special important case of an expressive language is (as pointed out by Cook) first order arithmetic. All subsystems considered in this section have A1-A3 as axioms and L1-L3 as logical rules, and differ only in their D-rules.

Consider the system $D^1$ which consists of rules D1-D5. $D^1$ is a version of the usual Hoare system for proving partial correctness of programs with regular control structure, and for it we have the following result (proved e.g. in [1, 3, 9, 15]):

Theorem 1 - If $\varphi_1, \ldots, \varphi_n$ are L-wffs, then $\varphi_1, \ldots, \varphi_n \models \varphi$ iff $\varphi_1, \ldots, \varphi_n \vdash_{D^1} \varphi$.

Consider $D^2$ consisting of D1-D7. This is an extension of Hoare's method to deal with mutually recursive procedures. A proof of Theorem 2 can be found for similar versions in Harel et al [9] or Gorelick[7].

Theorem 2 - If $\varphi_1, \ldots, \varphi_n$ are L-wffs or procedure declarations, then $\varphi_1, \ldots, \varphi_n \models \varphi$ iff $\varphi_1, \ldots, \varphi_n \vdash_{D^2} \varphi$.

We now consider $D^3$ which consists of rules D1-D6 and D8-D12.

Theorem 3 - If $\varphi_1, \ldots, \varphi_n$ are L-wffs or simple specifications, then $\varphi_1, \ldots, \varphi_n \models \varphi$ iff $\varphi_1, \ldots, \varphi_n \vdash_{D^3} \varphi$.

(Note - in this and the following theorems we omit the proofs of the soundness direction. The reader is urged to convince himself that the rules are indeed sound; a rigorous proof of this would be based on Scott's induction principle in a standard way. Rather, the proofs presented are designed to demonstrate the completeness direction in a constructive manner.)

Proof - Given a valid deduction w: $\varphi_1, \ldots, \varphi_n \models \varphi$, we reduce the problem as follows:
(1) The absence of procedure declarations among the premises means that each call statement can be regarded as a new PSV. This follows from the arbitrary interpretations both PSV's and call's can take on in a model of $\varphi_1, \ldots, \varphi_n$.
(2) Use rule D12 to replace every elementary-statement specification $p\{A\}q$ by an L-wff. (Here, as well as at other points in the paper, we describe the natural order of the derivation. Formally, this application of rule D12, for example, appears at the end of the proof in D. Nevertheless, we may think of this stage as being first in the derivation process.) We are left with premises consisting of PSV-specifications of the form $p\{R\}q$, and L-wffs. Denote by Φ the conjunction of the latter. Formally, Φ can be derived by using D8 with the identity program and p = true.
(3) If φ is an L-wff then the validity of the deduction w is equivalent to the validity of some L-wff. This can be seen by considering an interpretation in which each PSV is assigned the empty relation; in this case all specification premises hold and therefore we must have $\Phi \models \varphi$, which is equivalent to the validity of $\Phi \supset \varphi$, which in turn is an axiom by A1. Using L2, w is obtained.
(4) Employing a similar argument with an interpretation assigning the empty relation to all PSV's not appearing in φ, we can omit any PSV-specification for a PSV not appearing in φ. We are now left with a situation of the form

$\Phi,\; R_1\text{-specifications}, \ldots, R_k\text{-specifications} \;\vdash\; p\{\alpha(R_1, \ldots, R_k)\}q$

where α is a P'-segment involving PSV's $R_1, \ldots, R_k$. Denote the specification premises by Γ. These premises contain all available information about $R_1, \ldots, R_k$. We therefore construct for each $1 \le i \le k$ an "approximation from above" $\mu R_i$ to the relation computed by $R_i$. Each $\mu R_i$ will be an L-wff which can easily be seen to be true in any model of Γ, and hence in any model of $\{\Phi, \Gamma\}$. This is the sense in which it is an approximation. We will simplify notation by referring to the case where k = 1 and to $R_1$ as R, with the understanding that the following can be done for all k PSV's for any k.

Assume that Γ is the set $\{p_j(\bar x, \bar w, \bar v)\{R(\bar x, \bar w)\}q_j(\bar x, \bar w, \bar v) \mid 1 \le j \le m\}$. This can be brought about by using D6 and collecting free variables in $\bar v$. Define

$\mu R(\bar x, \bar x', \bar w) = \forall \bar v \bigwedge_{j=1}^{m} (p_j(\bar x, \bar w, \bar v) \supset q_j(\bar x', \bar w, \bar v))$.

Clearly μR serves to "collect information" about the PSV R. Define $A_R$ as the elementary action $\bar x \leftarrow \bar x'.\mu R(\bar x, \bar x', \bar w)$. Obviously $\rho_{A_R} = \mu R$.

From the way $A_R$ was defined it is clear that for every j we have $\models p_j\{A_R\}q_j$. Thus under the substitution that replaces the PSV R by the P-segment $A_R$, every interpretation satisfying Φ also satisfies Γ, and therefore also satisfies $p\{\alpha(A_R)\}q$. Hence $\Phi \models p\{\alpha(A_R)\}q$, and by Theorem 1 there exists a proof

(*) $\Phi \vdash_{D^1} p\{\alpha(A_R)\}q$.

Without loss of generality (having in mind the standard techniques used in proving Theorem 1, in e.g. [1, 3, 9, 15]) we may assume that in the process of proving the deduction (*) in $D^1$ the strongest consequent approach was adopted, in which every subderivation of a simple $A_R$-specification is preceded by a derivation of a specification of the form $s\{A_R\}s \circ \mu R$ for some s, where for $s(\bar x, \bar w)$ and $\mu R(\bar x, \bar x', \bar w)$ we define $s \circ \mu R(\bar x, \bar w) = \exists \bar x'(s(\bar x', \bar w) \wedge \mu R(\bar x', \bar x, \bar w))$. (See e.g. [1].)

If we now manage to replace every such subproof by a proof in $D^3$ of $s\{R\}s \circ \mu R$ from assumptions Γ, and substitute R for $A_R$ elsewhere, then this modified proof of (*) serves as our proof of $\Gamma, \Phi \vdash_{D^3} p\{\alpha(R)\}q$. Indeed this can be done using the following four derived rules of $D^3$:

D8' (∧-rule): from $\Gamma \vdash p_1\{\alpha\}q_1, \ldots, \Gamma \vdash p_n\{\alpha\}q_n$ infer $\Gamma \vdash \bigwedge_{i=1}^{n} p_i\{\alpha\}\bigwedge_{i=1}^{n} q_i$.

D9' (∨-rule): from $\Gamma \vdash p_1\{\alpha\}q_1, \ldots, \Gamma \vdash p_n\{\alpha\}q_n$ infer $\Gamma \vdash \bigvee_{i=1}^{n} p_i\{\alpha\}\bigvee_{i=1}^{n} q_i$, $n \ge 0$.

D10' (∀-rule): from $\Gamma \vdash p\{\alpha\}q$ infer $\Gamma \vdash (\forall u)p\{\alpha\}(\forall u)q$, where u is not free in Γ and does not appear in α.

D11' (∃-rule): from $\Gamma \vdash p\{\alpha\}q$ infer $\Gamma \vdash (\exists u)p\{\alpha\}(\exists u)q$, where u does not appear in α.

Now (for any s) replace every subproof of $s\{A_R\}s \circ \mu R$ in the proof of (*) by:

$\Gamma \vdash p_j(\bar x', \bar w, \bar v) \supset p_j(\bar x, \bar w, \bar v)\{R(\bar x, \bar w)\}p_j(\bar x', \bar w, \bar v) \supset q_j(\bar x, \bar w, \bar v)$ for every $1 \le j \le m$ (use A3 with $\neg p_j(\bar x', \bar w, \bar v)$, and D9');

$\Gamma \vdash \forall \bar v(p_j(\bar x', \bar w, \bar v) \supset p_j(\bar x, \bar w, \bar v))\{R(\bar x, \bar w)\}\forall \bar v(p_j(\bar x', \bar w, \bar v) \supset q_j(\bar x, \bar w, \bar v))$ (D10');

$\Gamma \vdash s(\bar x', \bar w) \wedge \bigwedge_{j=1}^{m} \forall \bar v(p_j(\bar x', \bar w, \bar v) \supset p_j(\bar x, \bar w, \bar v))\{R(\bar x, \bar w)\}s(\bar x', \bar w) \wedge \bigwedge_{j=1}^{m} \forall \bar v(p_j(\bar x', \bar w, \bar v) \supset q_j(\bar x, \bar w, \bar v))$ (use A3 with $s(\bar x', \bar w)$, and D8');

$\Gamma \vdash \exists \bar x'(s(\bar x', \bar w) \wedge \bigwedge_{j=1}^{m} \forall \bar v(p_j(\bar x', \bar w, \bar v) \supset p_j(\bar x, \bar w, \bar v)))\{R(\bar x, \bar w)\}\exists \bar x'(s(\bar x', \bar w) \wedge \bigwedge_{j=1}^{m} \forall \bar v(p_j(\bar x', \bar w, \bar v) \supset q_j(\bar x, \bar w, \bar v)))$ (D11');

$\Gamma \vdash s(\bar x, \bar w) \supset \exists \bar x'(s(\bar x', \bar w) \wedge \bigwedge_{j=1}^{m} \forall \bar v(p_j(\bar x', \bar w, \bar v) \supset p_j(\bar x, \bar w, \bar v)))$ (A1 and L1);

$\Gamma \vdash s(\bar x, \bar w)\{R(\bar x, \bar w)\}(s \circ \mu R)(\bar x, \bar w)$ (D2).

We remark here that restricting the premises to have no free variables not appearing in α (i.e. no $\bar v$) makes possible a different proof of Theorem 3 which does not use rules D10-D11.
We now consider $D^4$, consisting of D1-D11.

Theorem 4 - If $\varphi_1, \ldots, \varphi_n$ are L-wffs, simple specifications, or declarations for procedure names not appearing in these simple specifications (but possibly in φ, and in other declarations), then $\varphi_1, \ldots, \varphi_n \models \varphi$ iff $\varphi_1, \ldots, \varphi_n \vdash_{D^4} \varphi$.

Proof - Assume given w: $\varphi_1, \ldots, \varphi_n \models \varphi$, with procedure declarations $P_i \text{ proc } \alpha_i \text{ end}$, $1 \le i \le m$, among the premises. $D^4$ illustrates the extra feature of call's (in φ) to procedures with given bodies, thus forcing the use of D7. We will find a similar approximation $\mu P_i$ for each such procedure. As before, regard each call to a procedure other than the $P_i$'s as a new PSV. We now construct μR for every PSV R and, as above, substitute $A_R$ for each appearance of R in w. Denote the resulting modified body of $P_i$ by $\alpha_i'$, and the modified φ by φ'.

This system of m PSV-free declarations now gives rise to a least-fixpoint solution, in the form of m relations. Denote the L-wff equivalents of these relations by $\mu P_i$, $1 \le i \le m$. Define $AP_i$ to be the elementary action $\bar x \leftarrow \bar x'.\mu P_i(\bar x, \bar x', \bar w)$. (For clarity, throughout this proof we omit indices of $\bar x$, $\bar x'$ and $\bar w$.) Denoting as before by Φ and Γ the L-wff and specification premises respectively, we now observe that any interpretation I satisfying Φ satisfies (substituted) Γ. Recalling the definition of the relation that I assigns to each $P_i$, we have $\Phi \models \varphi''$, where φ'' is φ' further modified by substituting $AP_i$ for call $P_i$, $1 \le i \le m$. Therefore there exists a proof

(**) $\Phi \vdash_{D^1} \varphi''$.

Denoting the declaration premises of w by H, we will obtain a proof of w in $D^4$ by first replacing (in the proof of (**)) subproofs of $\Phi \vdash_{D^1} s\{AP_i\}s \circ \mu P_i$ by proofs of $\Phi, H \vdash_{D^4} s\{\text{call}P_i\}s \circ \mu P_i$, and then dealing with PSV's as in Theorem 3. We will really show how $\bar x = \bar x_0\{\text{call}P_i\}\mu P_i(\bar x_0, \bar x, \bar w)$ can be derived in $D^4$ from Φ and H, where $\bar x_0$ is a vector of new symbols. Easy applications of A3, D8' and D11' will then give $s\{\text{call}P_i\}s \circ \mu P_i$.

We prove that $H, \Phi \vdash_{D^4} \bar x = \bar x_0\{\text{call}P_i\}\mu P_i(\bar x_0, \bar x, \bar w)$ by induction on m. For $m \ge 1$ assume that if H contains m-1 declarations $P_1, \ldots, P_{m-1}$ (denoted $H(m-1)$), then for every $1 \le i \le m-1$

$\Phi, H(m-1) \vdash_{D^4} \bar x = \bar x_0\{\text{call}P_i\}\mu P_i(\bar x_0, \bar x, \bar w)$.

Given $H(m)$ consider the first m-1 declarations with $AP_m$ substituted for "call$P_m$" (denote this by $H(m-1)(AP_m)$). It is not difficult to see that

$\Phi, \{\bar x = \bar x_0\{\text{call}P_i\}\mu P_i(\bar x_0, \bar x, \bar w) \mid 1 \le i \le m-1\} \models \bar x = \bar x_0\{\alpha_m'(AP_m)\}\mu P_m(\bar x_0, \bar x, \bar w)$,

and hence by Theorem 3

$\Phi, \{\bar x = \bar x_0\{\text{call}P_i\}\mu P_i(\bar x_0, \bar x, \bar w) \mid 1 \le i \le m-1\} \vdash_{D^3} \bar x = \bar x_0\{\alpha_m'(AP_m)\}\mu P_m(\bar x_0, \bar x, \bar w)$.

However, by the inductive hypothesis, for every $1 \le i \le m-1$, $\Phi, H(m-1)(AP_m) \vdash_{D^4} \bar x = \bar x_0\{\text{call}P_i\}\mu P_i(\bar x_0, \bar x, \bar w)$. We therefore have

$\Phi, H(m-1)(AP_m) \vdash_{D^4} \bar x = \bar x_0\{\alpha_m'(AP_m)\}\mu P_m(\bar x_0, \bar x, \bar w)$,

and applying rule D7 we obtain

$\Phi, H(m) \vdash_{D^4} \bar x = \bar x_0\{\text{call}P_m\}\mu P_m(\bar x_0, \bar x, \bar w)$.

The process described in the last two theorems can be summarized as a process for "composing" a complex conclusion from simple premises. We now begin the process of "decomposing" complex premises.

Consider $D^5$, consisting of rules D1-D15.

Theorem 5 - If $\varphi_1, \ldots, \varphi_n$ are as in Theorem 4 without the requirement that specifications be simple, then $\varphi_1, \ldots, \varphi_n \models \varphi$ iff $\varphi_1, \ldots, \varphi_n \vdash_{D^5} \varphi$.

Proof - All non-simple specifications among the premises are decomposed using rules D12-D15 (see the remark after Theorem 6) to obtain only simple specifications (the validity of the deduction implies that the new symbols introduced at this stage will disappear in the process of deriving φ). Theorem 4 can now be applied.
IV. Th9 Power of D,
Our main r e s u l t is
Me g i l l t r g to be e l i g h t l g more s p e c i f i c about our claims as to what can be done in D.
Theorem G ~1 . . . . . ~n k •
Iff
• 1 . . . . . =rn FD ¢ .
(i} ( p a r t i a l correctness} Given a orooram (P1 . . . . ,Pn,a) c o n s i s t i n g of n d e c l a r a t i o n s and a statement a, and some L-Nffs ~ l , . . . , e m , a p r o o f t h a t the program is p a r t i a l l y c o r r e c t w i t h r e s p e c t to p and q, assuming the el are t r u e , ie c a r r i e d out simplg bg proving in D
Proof. The only new feature here is the possibility of having call statements among the specification premises, with given declarations (implying that their "meaning" is fixed, and they can no longer be regarded as PSV's). Rule D16 is applied to all such procedures, effectively getting rid of the call's, and "trading" them in for new body-specifications. The situation is now precisely that described in the hypothesis of Theorem 5. Here too the validity of the original deduction implies that the new symbols (standing for the least fixpoints) will disappear in the derivation process. ∎

Note the decompose-collect-compose symmetry of the entire derivation process described in the above theorems:
(1) "trade" call's for bodies
(2) decompose bodies and premises
(3) collect PSV information
(4) compose bodies
(5) "trade" bodies for call's
(6) compose conclusion.

As remarked above, step (2) shows up in a formal proof as the composition of the premises. This is a consequence of the deductive character of D, the decomposed premises being "carried along" throughout the derivation and composed towards the end. However, we prefer to regard this step as "decomposition" because it is usually carried out first, in a manner similar to subgoaling. A glance at the proof in the Appendix might help clarify this remark. We remark here that restricting L to be first order can destroy the completeness, as shown in [9], a result which reminds one of (and in fact subsumes, and as such provides a new proof of) Wand's result [16]. This result, and the rather obvious fact that if L is weak second order then it is expressive, should now be clarified by the hierarchy result appearing in [8].

P1, ..., Pn, φ1, ..., φm ⊢ p{α}q

(ii) (total correctness). Given a program and L-wffs as in (i), a proof that α is totally correct assuming the L-wffs true can be carried out by proving in D

P1, ..., Pn, φ1, ..., φm, p(x̄,ȳ,z̄) ∧ (x̄,ȳ)=(ū,v̄) {α(x̄,ȳ)} ¬q(x̄,ū,z̄) ⊢ ∀x̄,ȳ(¬p(x̄,ȳ,z̄)).

Another way is by using constant symbols (ā,b̄) and proving in D

P1, ..., Pn, φ1, ..., φm, p(ā,b̄,z̄), (x̄,ȳ)=(ā,b̄) {α(x̄,ȳ)} ¬q(x̄,ā,z̄) ⊢ false.

We wish to clarify this somewhat surprising result as related to the commonly accepted view that termination of programs with loops or recursion must employ some form of induction on a well founded set. The fact is that the induction has been buried deep in L, and its utilization is no longer the concern of the user of D. Rather, an inductive argument might be handy when the valid formulae (taken by us as axioms A1) are to be proved in L. We illustrate this point. Take L to be the language of arithmetic, and prove that α = while x>0 do x←x-1 od is totally correct with respect to p(x) = x≥0 and q(x) = x=0. Subgoaling (using the second formulation above), we obtain the deduction a≥0, x=a{α}¬x=0 ⊢ false. Applications of D15 and D12 yield a≥0, ∀x(x=a⊃X(x)), ∀x(X(x)∧x≤0⊃¬x=0), ∀x(X(x)∧x>0⊃X(x-1)) ⊢ false. This, in turn, is equivalent to proving (a≥0 ∧ ∀x(x=a⊃X(x)) ∧ ∀x(X(x)∧x≤0⊃¬x=0) ∧ ∀x(X(x)∧x>0⊃X(x-1))) ⊃ false, a valid L-wff (and hence an axiom of D), which can easily be proved in arithmetic using an induction axiom.

Another complete formal system in which total correctness can be proved is that introduced by Pratt [15] and proved complete in Harel et al [8]. Pratt's approach is to formulate a uniform induction principle explicitly in the system, in the form of a rule which is analogous to D5 and which composes a specification about the loop dual to partial correctness. In D, the dual to D5 is D15 (similarly for recursive calls), which merely "breaks up" the loop, providing all the information the loop specification carries with it, and leaves the rest to the logic of the underlying language.
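As an added worked derivation (not part of the paper), here is the inductive argument in arithmetic that discharges the A1 instance obtained above for α = while x>0 do x←x-1 od. It assumes only the ordinary first-order induction schema over the natural numbers and reads X as the invariant symbol introduced by D15; the step numbering (1)–(4) is ours.

```latex
\text{Premises (the four conjuncts of the L-wff):}\\
\begin{aligned}
&(1)\ a \ge 0 \qquad\qquad (2)\ \forall x\,(x=a \supset X(x))\\
&(3)\ \forall x\,(X(x)\wedge x\le 0 \supset \neg(x=0)) \qquad (4)\ \forall x\,(X(x)\wedge x>0 \supset X(x-1))
\end{aligned}\\[4pt]
\text{Claim (by induction on } n\text{):}\quad \forall n\,(n\le a \supset X(a-n)).\\
\text{Base } n=0:\quad X(a) \text{ follows from (2) with } x:=a.\\
\text{Step: assume } n\le a \supset X(a-n) \text{ and let } n+1\le a.\ \text{Then } n\le a, \text{ so } X(a-n);\\
\qquad \text{and } a-n\ge 1>0, \text{ so (4) with } x:=a-n \text{ gives } X(a-n-1)=X(a-(n+1)).\\[4pt]
\text{Instantiating the claim at } n:=a \text{ (trivially } a\le a\text{):}\quad X(a-a)=X(0).\\
\text{By (3) with } x:=0:\quad X(0)\wedge 0\le 0 \supset \neg(0=0),\ \text{hence } \neg(0=0),\ \text{contradicting } 0=0.\\
\text{Therefore } (1)\wedge(2)\wedge(3)\wedge(4)\supset \text{false is valid in arithmetic, as required.}
```

The only place induction enters is the claim; everything else is propositional reasoning and instantiation, which is exactly the division of labour the text describes: D supplies the decomposed premises, and the well-foundedness argument lives entirely inside L.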
(iii) (equivalence). Take programs (P1, ..., Pn, α) and (T1, ..., Tm, β). Their strong equivalence (see Manna [14]) can be proved in D by proving

P1, ..., Pn, T1, ..., Tm, I{α}λ ⊢ I{β}λ

where I and λ are new predicate symbols, and proving the dual (with α and β exchanged). For example the reader might care to prove

P proc if p(x) then x←f(x); call P; call P else x←x fi end, T proc if p(x) then x←f(x); call T else x←x fi end, I(x){call P}λ(x) ⊢ I(x){call T}λ(x)

and its dual (a proof of this equivalence is given in the Appendix), or

I(x,y){while r(x) do x←f(x) od; while s(y) do y←g(y) od}λ(x,y) ⊢ I(x,y){while r(x) ∨ s(y) do if r(x) then x←f(x) else y←g(y) fi od}λ(x,y)

and its dual. (In both examples we write the elementary action with relation x'=f(x) as x←f(x).)

(iv) (derived rules). Here we make use of a meta-theorem which states that if φ1, ..., φn ⊢ φ, then the following is a valid inference rule of D:

Γ ⊢ φ1, ..., Γ ⊢ φn
------------------
Γ ⊢ φ

For example, proving p∧r⊃s, p∧¬r⊃t, t∧r⊃s, t∧¬r⊃q, s{α}t ⊢ p{while r do α od}q in D establishes the corresponding derived rule.

(v) (modular proofs). Take as a premise anything previously established and prove the desired conclusion as a consequent. Sometimes it is possible to denote the established segment by a PSV and make the premises simple, this having the effect of shortening the proof and adding to its clarity.

(vi) (simplification and transformations). Using D, it is possible to validate general program transformations. Once a sufficient set of transformations has been established, this set can then be used to simplify, develop and synthesize correct programs. (See [2], [4], [6] and [13] for the use of such sets.) Alternatively, D can be part of a program development system in which the user may create and validate his own transformations and apply them immediately to verified program segments. Some simple examples of such transformations are

p{if r then α else α fi}q ⊢ p{α}q,
p{while ¬r do α od; β}q ⊢ p∧r{β}q,
p{if r then α else β fi}q ⊢ p{if ¬r then β else α fi}q.

Other examples are transformations for recursion removal (see [2]).

VI. Conclusion.

We have presented a complete system D, in which (besides providing for other important but somewhat less spectacular possibilities) equivalence and partial as well as total correctness of programs can be proved.

The notion of proof from assumptions can be regarded as a natural and important extension of the better known notion of proofs of program correctness using Hoare-like systems. If one chooses to take the view that Hoare's method essentially "cheats" by reducing the problem of proving a partial correctness specification to that of proving a formula of L, then we might say that D extends the "cheating" too, and reduces the problem of proving a deduction over partial correctness specifications to that of proving a deduction in L, and therefore requires a slightly stronger logical component than is needed in Hoare's system. The proofs of soundness and completeness of D reduce to the traditional proofs of the same for Hoare's system when D is stripped of its extra features. The relationship can be schematically seen by viewing D in the following pictorial way:
D = H ∪ {∧,∨,∃,∀} ∪ H⁻¹
    ^        ^          ^
 compose   collect   decompose

Appendix.

We show how to prove the equivalence of the following two procedures:

P proc if p(x) then x←f(x); call P; call P else x←x fi end, and T proc if p(x) then x←f(x); call T else x←x fi end.

We make use of the following derived rule

DR:
Γ ⊢ p{α}q, Γ ⊢ r{[p,q]}s
------------------------
Γ ⊢ r{α}s

Define Γ as the set {I't^-,p~ , ~^plx*-fx)),, ~(['r,l])~ , xl[f,I]ll , $I[%1]1$l}. We refer to the declaration of P as P proc...end, and similarly for T. The proof proceeds in numbered lines (1)-(23) as follows.

t r u e l [ , f . | ] l - , p I" "r^plx~-fxlA hyp. t r u e l [ - f , l ] I - , p I" ).{[-t.&]}# hyp. t r u e l [ - / . & ] l - , p I- t r u e { [ % | l i m p hgp. true ( [% &] l -,p I" kl[lr.&]lW~-,p D2.08(2.3) true l [?,&] }-,p ]- p l [ * t , I ] ) l hgp. t r u e ( [ ~ , & ) } ~p I" Yx, x ' ( j z ( x ) ^ ( l f ( x ) : ~ ( x ' ) ) ~ I ( x ' ) ) D12 , true([1.,&]l-p F ~('t~) ~ & A1,L2(gith x'-x) , true l [ T , | ] i -p , p,-P,'r I- (7^-p}:di hyp.,L1 , true l [ l , I ] }-,p , jz,-,p,'t I- | L2(ge also use L3, and D8 w i t h the empty program to c r e a t e a c o n j u n c t i o n of the hypotheses) , true { [-t,&] } - p . p,-,p I-,r:~l L3

true l [-t, &] l -,p . ~,-t0 F I L3,L2(7,18) L3 (and mS) t r u e l ( ~ . l ] l - , p I- (w~-'p) :~ D2(4,12) truel[-t.l]l-,p F kl[%l]}l t r u e l [ q r . & ] l ~ p F -f^p{x*-fx; [ I f , | ) } | D3(1,131 hyp., 01 t r u e f [ ? , l ] l - p F -f^-,p {xq-x} | t r u e ( [ * t , | ] l - , p I" $ l i f p then x~-fx; [It,|) e l s e x~-x f i l l D4 (14,15) D r o c . , . e n d , r , t r u e l ( ' r . & ) } - , p I- *tlcal I T I i D7 ~ r o c . . . e n d , r , t r u e l [ - t . & ] l ~ p I- ~ I I [ I r . I ) ) ÷ hgp. D r o c . . . e n d , r , t r u e l [ ~ . l ] } - , p I- ( i l c a l l T ) # DR D r o c . . . e n d , ~ , l i f p then x~-fx; [,f,|]+ [ T , | ] else x~-x f i } l , # ( [ 1 , & ] } # , t r u e l [ ~ , l ] ) - , p h # l c a l ITI# hyp.,D12,D13,D14 o r o c . . . e n d , P Droc...end , ~ { c a l l P l # , t r u e l c a l IPl-,p h t t l c a l ITI# D16 Droc..oend , P ~ r o c . . . e n d , $ { c a l l P l # I" t r u e I c a l l P l ~ p (This is proved from P proc...end as a standard partial correctness proof. We omit the details.) m r o c . . . e n d , P o r o c . . . e r l d , ~ { c a l l P ) ÷ I" ~{calJTl# L2(21,22).

This establishes one direction. The other is very similar and uses the set Γ′ = {T^-,p:>I , 7 ^ p l x ~ f x ) A , A I [ ~ , & ] } | , ~ 1 [ ~ , | ] } # 1}. We now also need another fact about a call to T besides true{[τ,λ]}¬p. The new fact is needed in order to show that the second call to P leaves x unchanged. A suitable specification (which is proved as in line (22) above) is x=v∧¬p(x){[τ,λ]}x=v, where v is free. We omit the details of this direction.

Acknowledgements. We wish to thank Nachum Dershowitz for suggestions following a detailed reading of a previous version of the paper. The first author benefited from many related discussions with Vaughan R. Pratt.
REFERENCES

[1] J.W. de Bakker and L.G.L.T. Meertens, "On the Completeness of the Inductive Assertion Method", Journal of Computer & System Sciences 11, 323-367, (1976).
[2] R.M. Burstall and J. Darlington, "Some Transformations for Developing Recursive Programs", Proc. International Conference on Reliable Software, LA, Calif., (1976).
[3] S.A. Cook, "Soundness and Completeness of an Axiom System for Program Verification", TR-55 (a revision of "Axiomatic and Interpretive Semantics for an Algol Fragment", TR-79, (1975)), Dept. of Computer Science, University of Toronto, Canada, (1976).
[4] J. Darlington, "Application of Program Transformation to Program Synthesis", Proving and Improving Programs, Colloques IRIA, (1975).
[5] R.W. Floyd, "Assigning Meaning to Programs", in J.T. Schwartz (ed.), Mathematical Aspects of Computer Science, Proceedings Symp. in Appl. Math. 19, Providence, R.I., American Mathematical Society, 19-32, (1967).
[6] S.L. Gerhart, "Correctness-Preserving Program Transformations", Proc. of the 2nd Symposium on Principles of Programming Languages, Palo Alto, Calif., (1975).
[7] G.A. Gorelick, "A Complete Axiomatic System for Proving Assertions about Recursive and Non-Recursive Programs", TR-75, Dept. of Computer Science, Univ. of Toronto, (1975).
[8] D. Harel, A.R. Meyer and V.R. Pratt, "Computability and Completeness in Logics of Programs", Proceedings of 9th Annual ACM Symp. on Theory of Computing, (1977).
[9] D. Harel, A. Pnueli and J. Stavi, "Completeness Issues for Inductive Assertions and Hoare's Method", Technical Report, Dept. of Mathematical Sciences, Tel-Aviv Univ., Israel, (1976).
[10] C.A.R. Hoare, "An Axiomatic Basis for Computer Programming", CACM 12, 576-580, (1969).
[11] C.A.R. Hoare, "Procedures and Parameters: An Axiomatic Approach", in E. Engeler (ed.), Symp. on Semantics of Algorithmic Languages, LNM 188, Berlin, Springer, 102-116, (1971).
[12] S. Igarashi, R.L. London and D.C. Luckham, "Automatic Program Verification I: A Logical Basis and its Implementation", Acta Informatica 4, 145-182, (1975).
[13] D.E. Knuth, "Structured Programming with Goto Statements", Computing Surveys, Vol. 6, No. 4, pp. 261-301, (1974).
[14] Z. Manna, "Mathematical Theory of Computation", McGraw-Hill, (1974).
[15] V.R. Pratt, "Semantical Considerations on Floyd-Hoare Logic", Proceedings 17th Symp. on Found. of Computer Science, Houston, Texas, 109-121, (1976).
[16] M. Wand, "A New Incompleteness Result for Hoare's System", Proceedings 8th ACM Symp. Theory of Computing, 87-91, (1976).