A COMPLETE AXIOMATIC SYSTEM FOR PROVING DEDUCTIONS ABOUT RECUI~IVE Fq:IOGRNIS
David Harel + Massachusetts Institute of Technology, Cambridge,MR 82139
Amir Pnueli TeI-Aviv University, TeI-Avlv, Israel
and Jonathan Stavi Bar-llan University, Ramat-Gan,|srael
Abstract. enough to express all needed assertions. Various Denoting a version of Hoare's system for definitions of this strength are exoressiveness proving partial correctness of recursive programs of L (Cook[3]), or tidiness of all programs by H, Ns present an extension JD Nhich may be thought (Pratt[ZS]). Cook[3] showed that first order of as H u {^,v,],Y} u H -1, including the rules of arithmetic is expressive, thus proving completeness H, four special purpose rules and inverse rules to of H fop this important special case of L. Extensions those of Hoare. D is shown to be a complete system of Hoare'a system to cover recursion and mutual (in Cook's sense) for proving deductions of the rmcursion have also been proved complete under form e 1, .... r n ~ # over a language, the wff*n similar conditlons (see Gorellck[7], Harel et of which are assertions in some assertion language a I [9] }. L and partial correctness specifications of the form p{=lq. All valid formulae of L are taken as A suitable such system H can in fact be axioms of D. It is shown that D is sufficient for thought of as a formal system for proving the proving partial correctness, total correctness and correctness of deductions of the form program equivalence as Nell as other Important Gl,...,r n ~ p{~)q under the restriction that properties of programs, the proofs of which are each of the ~i is a procedure declaration or a Impossible In H. The entire presentation is Norked formula of L. Houever, .hen considering general out in the framework of nondeterminiatic programs deductions of the form ~l,...,Fn ~ employing iteration and mutually recureive (Nhera the ~i may also be partial correctness procedures. specifications), it is easy to come up with semantically valid deductions which cannot be derived In H. Two examples are I, Introduction. (1} plif r then a else ~ filq The axiomatic method of specifying k plif-~ then ~ else a fi}q semantics of programs, as given by Hoare ([18).(11] and also [12]} lends itself very successfully to a |2) pla}q , rlalq !" pvrlcxlq specific goa!, namely that of proving partial correctness of specific programs. A convenient (a rule which, while being underivable in H, description of the method employs an assert]on can be shown to be superfluous for any language L and a formal proof system H having as concrete proof of partial correctness, axioms all logically valid formulae of L. A proof lgarashi et a1112]). of a partial correctness specification R¢ pI~}q where p,q are Nff's in L , is carried out in H by These examples illustrate the absense (in H) composing = from more primitive program segments, of mechanisms for (1) extracting information from starting from a finite number of assumptions in L. a specification p{~}q about parts of a (where ~ is A well knoNn result is that the conventional Hoers a complex program segment}, and (2) combining the system and its variants are complete if L is strong information given in different specifications about
The Nork of this author was partially supported by NSF under contract !1CS7S-18~1.
249 the same program segment. H can be seen to be complete only for "simple" deductions, in which the II. The Susteu, antecedents cJ include for each given a, at most one specification of tihe form pl~lq, and all Suntax such ~'s are simple specifications consisting of a single assignment or call statement, or a single The alphabet Z contains symbols for oroaram eeoment variable (PSV), which is a symbol individual constants and variables, functions and standing for an arbitrary program segment. predicates, connectives and operators. L=L(Z) is a logical language with equality over Z (having at In Section II we present our system D which least the pouer of the first order language over ie an extension of Hoare's system, and in Section 2). A Nell-formed formals of L uill be called a II! show that D is sound and complete for Iooical Nff (L-wff). P=P(Z) is a programming language deduction (r 1 ..... #n FD~ Iff #1 ..... #n k r), over Z, with the following syntax: that is, G can be proved in D from assumptions ~l,...,~n, iff ~ Is true In every model satisfying
(iv) establishing derived rules, A boolean is a quantifier-free L-wff.
(v) carrying out modular proofs of program A P-seoment Mill simply be a statement in correctness given properties of segments of P. Me extend Z to Z' by adding a set of new symbols the program, (R1;R2,...) which stand for arbitrary P-segments, and are therefore called Drooram-seament (vii simplifying complex program segments and variables (PSV's). The programming language P' is establishing valid program transformations. an extension of P obtained by allouing statements of the form Ri(K.~) , where ~ and ~ have a meaning similar to that given in the elementary actions. Schematically speaking. D will consist of a Note that the difference between a PSV and an suitable version of H for composing the conclumlon of elementary action is that fop the latter Me are the deduction, four rules (^,v,],Y) for collecting given a formula defining its effect. Similarly. the Information about unspecified program segments, and difference between a PSV and a procedure call i~ a "mirror image" of H containing inverse rules for that the latter may have an explicit declaration. decomposing complex program segments appearing Me will use a(K,~) to denote an arbitrary among the premises. D. having the flavour of a P'-segment such that K is the vector of all natural deduction system, has all valid formulae of modifiable variables of =, and W consists of all L am axioms. other variables appearing in a.
250 A snecification is a construct # of the form ¢: p(~,~,¢)(a(~,&t)lq(5,~,Z), where p and q Using this definition, we are non able to are L-Nffs and a is a P'-segment. Here the elements assign relations to the procedure calls Nhich have of ~ are said to be the free variables of the corresponding bodg declarations in F. The relations specification f, ghere no confusion can arise we will assigned to these procedures are the least fixpoint occasionalg omit the ¢'s and regard the ~ as relations solving the sgstem of mutuallg recursive consisting of all the variables appearing in the procedure declarations in r (here too we Mill refer specification not assigned to in a. A specification to this interpretation of such P as E). Me no. have p{alq Is simnle if a is a PSV, an elementarg action an interpretation under | for each P'-segment in r. or a call statememt (aimnle statements). A specification P(~,W,Z) Ia(K,~)Iq(K,M,¢) is The formulae of our language g (called W.wff'e) are true under I if VK, W(p(~,g,£)A#~(~,~*,M) ~ q(K',M,£)) is true (note that the free variables £ have been (1) L-wffs, assigned bg 1). (2) specifications, (3) declarations, A set F of W-wffs is defined to be true under an interpretation I of F, if all non-declaration (Note that g-gffe= cannot be combined bg logical formulae of F are true in 1. | is called a model of r. connectives.) A tuple S-(#l,...~n,#) where ~ is not a declaration, is called a valid deduction Semantics (written ~1 ..... *n k r), if ~ is true in an, interpretation | of S Nhich is a model of An Inter[=retation of a set F of M-wffs 1~1 ..... ~n l" ,, a tup,...... %,% ..... %>, .here 0 is a nor,emptg domain, ~ is an Me denote a P'-segment a containing the interpretation ot: all individuals (including statements callPl(Kl,~l) ..... callPn(Kn,J n) constants and free variables), function and bg a("callPl", .... "callPn"), and the elementarW predicate sgmbols of L, each Bi(K,K',~) is a action ~(K'(~(~.~)~#(~'.I)) bg [~.#](K,~). relation for a PS¥ Ri(K, W) appearing in F, and each Ei(K,~',M) is a relation for a procedure Pi Me now present our sgstem D. The basic that appears in F, but does not have a corresponding statements to be proved in D are deductions of the declaration in F BI and El descrlbe the form F ~ ~ Nhere F is a set of W-wffs, and effect of the P'--segments R i and callP I a non-declaration M-Nff. Our inference rules are respectlvelg, under |. rule-schemata in Mhich a,~,.., stand for arbitrary P'-segments and p,q,.., for arbitrarg L-Mfrs. Me now show how an interpretation I assigns truth values to £i-Nffs. An L-wff is assigned a truth value by [ in the standard Nag. A program segment a(K,~) all of whose procedure calls are interpreted (see below), is interpreted under ] as AXIOMS a relation Pa in the following Nag (relational notation from e.g. deBakker and Meertens[1])t A1 FP
For an ele~entarg action A PA " ~ where p Is anW Ioglcallg valid L-wff. (the interpretation ~ gives to ~), A2
For a PSV R i pR i . Bi where ~ Je not a declaration.
For a proceduro Pi PcallP I " Ei A3 Frame axiom
Pa;~ " PaP~ ' p(¢)ia(~,~}p(¢)
Pif r then (x else 13 .f_j. " rPc¢ U r'p~, .here ~ a~ K are disjoint.
Pwhile r d~. ¢~ od " (rPc()* r'.
251 OG Substitution RULES DF INFERENCE P I- plx, u)la(x,14)lq(~,u) L1 Introduction (a) r I- p (z, u) la (z, 14) I q 17.,u) rh¢l. Nhere & le disjoint from ¼ and is free for r,¢ 2 F" ¢1 in p and q.
1.2 hodue Ponens r I- plx,¼) la(x,u)lqlx,u) (b) r,¢ 2 F ¢1 , r h¢ 2 r I" pl~.t)(alzl.t)lqlx.t)
uhere i is a vector of terms Nhich is free r h ~1 for M in p and q. and does not depend on 2- mhere p and q are L-Nffe. D7 Recureion L3 Deduction
r, p~q rhp=~ and r("callP") , P oroc =("callP")end I- +lcallP}~ r I- p:q r . pl*q (Here F([~.~]) is F ,ith the elementary action [~.~](Z.I) substituted for occurenciee of Mhere p and q are L-Nffs. callP(;.i). A clarification of rule D7 appears at the end of the Section.) D1 Elementarg Action
I]8 A-rule r ~ p(~,g,¢}Nl~(~,~,,14) ~ q(~',14,¢)
r I- p is) ql ..... r I- p Is) qn r I- p(~,u,y.){A(x,14)lq(x,u.¢) n~8
D2 Consequence n r F pla) ^ q i r h p~s , r I-. I=1 r , r I- r:~ i-1
r I- plalq I)9 v-rule
03 ComposI t i on r I- pllalq ..... r i- pnlolq n>8 r I- pla)s + r h sl~lq n r I- v pllelq P h ple;~lq i=1 04 Conditional (08 and I)9 reduce to r I- plaltrue and r F p^rl(xlq , r F p^~r'l~lq r ~. falselolq respectivelg uhen n-8).
r h pill r then a else ~ LLIq D18 V-rule
05 I terat |on P I- plalq
r I- par la) p r I- p I~) (Vu) q
r ~- pluhl l e r do a odlp^-.r u not free in p or r. and does not appear in a.
252 Dll l-rule 016 Inverse Recurslon
P F pi=lq F([J,~) . I{=([I,~))~ F u
F ~ (3M)pl=lq F("calIP") , P uroc =("callP")endF G
g not free In q, and does not appear in ~. where | and ~ do not appear In any other component of the rule.
D12 Inverse Elementary Action A proof in D is a sequence of deductions , ) FI ~ ~i i-1,2,... , where any line (I.e. deduction) is an axiom or is derived from 1' , P (Z~, U, V__.)IA Ix, u) I q Ix, u, y.) I- (r previous lines by one of the Inference rules. A deduction F F • Is said to be derivable in D (written r FD ,) if it is a line of a 013 Inverse Composition proof in D.
Our formulation of D7 employs the substitution of [~.#] for "caHP" in the proof P, pl=l~lq F • of the body ¢. This corresponds to the familiar notion of assuming #{callPl# when proving =. where X does not appear In ang other Employing the same substitution for the premises component of the rule. used in proving =. provides us with a concise way of constructing a recursion rule for mutually Note that 013 (and similarly for the other Inverse recursive procedures which avoids refering to all n rules) Is an indirect May of expressing the more procedures (as Is done in [7] and [9]). In order to natural illustrate the wag in which D7 (and similarly D18) is used, consider two procedures Pt and P2' with P F pl==~lq declarations Pi Droc =l("~l","callP2")end 1SIS2. A framework for a proof of a P F 3X(pl=lX ^ Xl~lq) callPl-Speclflcation is:
the conclusion of uhich is unfortunately not ~ell (1) F ~2{=2([ttl,fl], [~2.#2]))f2, formed In g. (2) P2 ,roc ¢(2([¢l,÷l],"callP2")end F ¢21callP2l#2 , D14 Inverse Conditional (3) P2 DrOC =2([~l,#t),"callPz")end F , p^rlalq . p^-.rl~lq F F $I(=I([$1,÷II,;LLLP2)I# 1,
]r . plif r then = else 13 filq F ¢ (4) P1 oroc a 1 end , P2 Droc ~2 end F $1Iga-LLPtIft. DIS Inverse Iteration Lines (2) and (4) are proved using 07 with P , p:~), , ]Wr{el). , ]~-r~q F ~r an empty F, and F consisting of the P2-dsclaration respectively. P , plmhile r do ~ odlq ~ ¢ The following (standardlg verified) fact mhere ~ does not appear in any other is very useful in proving deductions involving component of the rule. unspecified program segments=
Substitution Theorem - If F F D ¢, and F' and G" are obtained by replacing all occursncies of a PSV R by an arbitrary P'-segment in F and r. then r' FD ~'. I
253 III. Results. Proof - Given a valid deduction w¢ r1.....0, n k 0, we reduce the problem One of our basic assumptions throughout, is as follows= that the language L is expressive (Cook(3]). This (1) The absence of procedure declarations means that fop each P-segment ¢ in the context of a among the premises means that each call statement given set of declarations=, it is possible to can be regarded as a new PSV. This follows from the express as an L-wff the relation p~ computed by arbitrary interpretations both PSV's and call's can 6. i.e. L has cons;tructs powerful enough to express take on. in a model of 0,1.....0,n. the *. U. composition and fixpoint operators. A (2) Use rule D12 to replace everg special important case of an expressive language is elementarg-statement specification p{A}q by an (as pointed out bg Cook) first order arithmetic. L-Mff. (Here. as well as at other points in the paper, we describe the natural order of the All subsgstems considered in this section derivation. Formally. this application of rule D12. have A1-A3 as axioms. L1-L3 as logical rules and for example, appears at the end of the proof in D. differ onlg in their D-rules, Nevertheless. we may think of this stage as being first in the derivation process.) We are left with Consider the system O J which consists of premises consisting of PSV-specifications of the rules D1-D5, O l ~s a version of the usual Hoare form p{R}q, and L-uffs. Denote bg • the conjunction sgetem for proving partial corectness of programs of the latter. Formally. ¢ can be derived by using D8 ~ith regular control structure, and for it um have with the identitg program and p=true. the following result (proved e.g. in [1,3,9,15]): (3) [f 0, is an L-wff then the validity of the deduction M is equivalent to the validity of Theorem 1 - If ~1''"'0,n are L-wffs, then some L-Mff. This can be seen bg considering an interpretation in which each PSV is assigned the ~1 ..... fn k 0, iff 0,1 ..... 0,n FD| f ° I emptg relation, in this case all specification premises hold and therefore ~e must have ¢ h 0,. Nhich is equivalent to the validity of Consider D2 consisting of D1-D7. This i e an ¢m¢. which in turn is an axiom in A1. Using L2. extension of Hoara's method to deal with mutually is obtained. eecursive procedures. A proof of Theorem 2 can be (4) Emploging a similar argument ~ith an found for similar versions in Harel et al[S] or interpretation assigning the emptg relation to all Gorellck[7]. PSY's not appearing in ~. we can omit any PSY-specification for a PSY not appearing in ~- ]f 0,1'''''0,n :are L-wffbor ~. Me are now left with a situation of the form procedure declarations, then • , Rl-epeciflcatlone ,..., Rk-epeciflcations (1'1 ..... 0,n ~' ¢' iff 0'1 ..... #'n I'D2 ,r . I I" Pkx(R 1 ..... Rk)}q
where = is a P'-segment involving PSV's Me now consider D3 which consists of rules R1, .... Rk. Denote the specification 01-[]6 and DS-Dl2... premises bg F. These premises contain all available information about R1 .... .R k. Ms therefore construct for each lsiSk an "approximation from Theorem 3 - If ~1 .... .r n are L-wffs or above" pR i to the relation computed by R i. simple specifications, then FR i ,ill be an L-Mff which can easily be
¢rl ..... 0,n I. u iff w I ..... ~n I'D3 ¢ " seen to be true in any model of F . and hence in any model of {¢.F}. This is the sense in Nhich it le (Note - in this and the following theorems an approximation. We Hill eimpllfg notation by we omit the proofs of the soundness direction. The referlng to the case Nhere k-1 and to R1 as R. Nith reader is urged to convince himself that the rules the understanding that the following can be done are indeed sound, a rigorous proof of this would be for all k PSV's for ang k. based on Scott's induction principle in a standard Nag. Rather. the proofs presented are designed to Assume that F is the set demonstrate the completeness direction In a pj(~.U.~){R(~.~)lqj(~.g.~) lsjsm. This can constructive manner}. be brought about by using DG and collecting free variables in ~. Define
254 m lSR(X,X' ,u) =Vv ^ (pj (~.,u,v)~qj (~' ,M,v) ) 1' F plelq j=l Clearlg /JR serves to "collect information" about the 1' F (¥u) p Is} (¥u) q PSV R. Define AR as the elementary action u not free in 1', and does not appear in e. X,-¢x'/jR(X,X',U). Obviouslg /JAR=/JR. 011' ]i-rule From the MaN AR Nas defined, it is clear that for every j Me have I= p iAR }q.. j ]' F pialq Thus under {he substitution that replaces the PSV R by the P-segment AR, every 1' F (]u) p lel (]u) q interpretation satisfying 11" also satisfies 1' , and therefore also satisfies p{e(AR)} q. Hence u does not appear In e. ir I- p{e(AR)Iq, and bg Theorem I there exists a proof
(*} r I-DI ple(ARIlq. NoN (for any s) replace every subproof of SIARIS-/JR in the proof of (•) bgt glthout loss of generality [having in mind the standard techniques used in proving Theorem 1, 1' I" Pj (x' ,u,v)3pj (Zt, U,Y.) IR(x,u)] pj (x" ,u,y.Imqj (x,u,v) in e.g. [1,3,9,15]), Ne man assume that in the process of proving the deduction (~) in DI, the for everg l 1' I" Pl {=1 qt ..... 1' I" Pn lel qn m 3B' (S(X' ,U)^ ^Yv (pj (X' ,U, y.) 3q j (~, U, y.) ) ) (011') J=1 n n F k ^ Pi{el ^ ql I=1 I=1 m 1' ~- e(x,u):)3x' (e(x' ,u)^ a Vy.(pj (x' ,u,y.)mpj (x,u,y.)) ) l=l 08' w-rule (A1 and L1) 1. k Pl 1=} ql ..... 1' F Pn (el qn 1. I- e(x,u) (R(x,u)l (s-/j R) (x,u} (02). 1 n>8 n n ]P F v Pi {if} v ql We remark here that restricting the premises I =1 i =1 to have no free variables not appearing in e (i.e. no ~), makes possible a different proof of Theorem 018' W-rule 3 uh|ch does not use rules 018-011. We no, consider 04 consisting of D1-011. 255 Theorem 4 - If ~L ..... Cn are L-wffs, simple specifications or declarations for procedure names iltm-1},f FD4 x-~{cal IPil#p i (~8,x,u). not appearing in these simple specifications (but possibly in ~, and in other declarations), then Given H (m) consider the first m-1 declarations with APm substituted for "callPm" (rl ..... ~n I= • I f f el' .... ~n FD4 ~' " (denote this by H(m-1)(A ) ). It is not difficult Pm Proof - Assume given w: ~1 ..... Cn k ~, to see that with procedure declarations PI opec a i end 1Siam, among the premises. D4 illustrates the extra ~" ' Ix'zl8 lcal IPll #PI (z~6'x'u) lslsm-ll feature of call's (in ~) to procedures with given bodies, thus forcling the use of D7. Me Mill find a I= x-~ (% (APm) I/=Pro(~8' ~' u), similar approxlma~Lion for each such #Pi and hence by Theorem 3 procedure. As before regard each call to a procedure other titan the Pi's as a new PSV. Me now ¢ , (~-381callPil/APi (~8,~,g) 1siam-l} construct FR for every PSV R, and as above, substitute AR for each appearance of R in m. Denote FD3 ~-z~8 l~, lAPs) ! #Pm (zlS' X, U). the resulting modilfled body of PI by a I, However by the inductive hypothesis, for every 1siam-1 and modifled ¢ by ~', ¢ , Hlm'lllAPm) FD4 ~'~SIF,sl-LLPli#PII~8,~,g 1o This system of m PSV-frse declarations now gives rise to a least-fixpoint solution, in the Me therefore have form of m relations. Denote the L-wff equivalents to these relations by FPi 1siam. Define . Hlm-ll(APm) FD4 ~'z~Olff,m(APm)l~Pm(~.~.¼). APi to be the elementarg action ~'C~pi(~,~',R). (For Clarity throughout this proof we omit indices and applying rule D7 MS obtain of ~,~' and ~,}. Denoting as before by • and F the L-gff and specification premises respectively, r , H (m) FD4 ~-~slcallPm}PPm(~8,~,~). 1 We now observe that any interpretation | satisfying , satisfies (substituted) P. Recalling the definition of the relation that | assigns to The process described in the last two each Pi" we have ¢ k ~", where ~" is theorems can be summarized as a process for ~' further modified bg substituting APi for "composing" a complex conclusion from simple premises. We now begin the process of callP i, 1slam. Therefore there exists a proof "decomposing" complex premises. (==) • FDI ~"" Consider DS, consisting of rules D1-D15. Denoting the declaration premises of w by H, we will obtain a proof of g in D4 bg first replacing (in Theorem ~ - If #l,...,~n are as in Theorem 4 the proof of (~ol~))subproofs of ¢ FD# slAPi}eOFp I without the requirement that specifications be by proofs of ¢,H FD4 slcallPllS-Fp ., simple, then I and then dealing with PSV's as in Theorem 3. Me Mill really show how ~-z!8{callP I}FPi(~,~,R) rt ..... ~rn I= er Iff erI ..... =rn I-D5 er . can be derived in D4 from • and H, where .~ is a vector of new symbols. Easy applications of Proof - All non-simple specifications among the A3,D8' and 011' Mill give s~allPilsoFp i. premises are decomposed using rules D12-D15 (see remark after Theorem G) to obtain only simple Me prove that H.f FD4 ~-38{callPi}FPi(ZlS.~.R) specifications (the validity of the deduction by Induction on m. For m~l assume that if H contains implies that the new symbols introduced at this l-1 declarations I=1 .... 'Pm-1 (denoted Him-l)), sfage gill disappear in the process of deriving then for every 1slam-1 u). Theorem 4 can now be applied. 256 Our main result is IV. Th9 Power of D, Theorem G - Me gill trg to be elightlg more specific about our claims as to what can be done in D. ~1 ..... ~n k • Iff • 1 ..... =rn FD ¢ . (i} (partial correctness} Given a orooram (P1 .... ,Pn,a) consisting of n declarations and a Proof - The onlg nem feature here is the statement a, and some L-Nffs ~l,...,em, possibilitg of having call statements among the a proof that the program is partially correct with specification premises, mith given declarations respect to p and q, assuming the el are true, (Implging that their "meaning" Is fixed, and theg ie carried out simplg bg proving in D can no longer be regarded as PSV'e}. Rule D1G is applied to all such procedures, effectivelg getting PI* .... Pn' ~'1 ..... 4re I- pl(xlq rid of the call's, and "trading" them in fop nem bodg-specifications. The situation is non preoiselg that described in the hgpothesie of Theorem 5. Here (ii} (total correctness}, Given a program too ~he validitg of the original deduction implies and L-wffe as in (i), a proof that a is totallg that the new ,sgmbols | and A (standing for the correct assuming the L-wffe true, can be carried out least fixpoints) will disappear In the derivation bW proving in D process. | Pl,...,Pn,ei,...,~m, p(~,¼,~)~(~,¼)la(~,~}l-q(~,U,Z} F V~,¼(-~(~,~)}. Note the decompose-collect-compose e~mmetry of the entire derivation process described in the Another wag is bg using constant sgmbole above theorems= (a,~} and proving in D (1} "trade" call's for bodies Pl,...,Pn,fi,...,~m, (2] decompose bodies and premises P(a,~,~) , (~,~}=(~,u} {a(3,~)}-q(~,~,K) F false. (3) collect PSY information (4} compose bodies (5) "trade" bodies for call's Me wish to clarifg this somewhat euprieing (S) compose conclusion. result as related to the commonly accepted view that termination of programs with loops or As remarked above, step (2] shone up in a recureion must emplog some form of induction on a formal proof as the composition of the premises. uell founded set. The fact is that the induction This Is a consequence of the deductive character of has been buried deep in L, and its utilization is D, the decomposed premises being "carried along" no longer the concern of the user of D. Rather, an throughout the derivation and composed towards the inductive argument might be handy when the valid end. However, Ne prefer to regard this step as formulae (taken by us as axioms A1} are to be "decomposition" because it te usuallg carried out proved in L. Me illustrate this point. Take L to be first in a manner similar to subgoaling. A glance the language of arithmetic, and prove that a= ~hile x>8 do x~x-1 od is totallg correct uith at the proof in the Appendix might help clarifg respect to p(x}= xZ8 and q(x}= x=8. Subgoallng this remark. (using the second formulation above}, we obtain the deduction az8 , x=alal-x=8 ~ false. Applications ge rdmark here that restricting L to be first order can deetrog the completeness, as shoHn of D15 and 012 yield az8 , Yx(x=a~X(x)) , in [9], a result Nhich reminds one of (and in fact Yx(X(x)^xSS~-x=8) , Vx(~(x)^x>8~(x-1)} ~ false. This, in turn, is equivalent to proving subsumes, and as such provides a hen proof of) (a~8 ^Yx(x-a~(x]] ^ Yx(~(x)^xsS~-,x-8) ^ Wands result [16]. This result and the rather Yx(X(x)^x>8~(x-1))} ~ false, a valid L-wff obvious fact that if L is weak second order then it |e expressive, should now be clarified bg the (and hence an axiom of D), which can easily be proved hlararchg result appearing in (8]. in arithmetic using an induction axiom. Another complete formal system in which total correctness can be proved is that introduced by Pratt[15] and proved complete in Harel et al[8], Pratt's approach is to formulate a uniform 257 induction principle explicitly in the system, in is possible to denote the established segment bg a the form of a rule which is analogous to OS. and PSV and make the premises simple, this having the Nhich composes a specification about the loop dual effect of shortening the proof and adding to its to partial correctnes=s. )n D. the dual to DS is D1S clarity. (slmilarlg for recurslve calls). ,hich merely "breaks up" the loop. providing all the information the loop specification carries uith it. and leaves (vi) (simplification and transformations) the rest to the logic: of the underlying language. Using D. It is possible to validate general program transformations. Once a sufficient set of transformations has been established, this set can (ill) (equivalence) Take programs then be used to simplify, develop and synthesize correct programs. (See [2].[4].[G] and [13] for the [P1 ..... Pn .a)' (11 .... Tm'a)" use of such sets). Alternatively D can be part of a program development system in ghich the user may Their strong equivalence (see Manna(14)). create and validate his o,n transformations and can be proved in D bg proving apply them Immediately to verified program segments, Pt' .... Pn'T1 .... .T m . I|=}X I- till). Some simple examples of such transformations are ghere I and A are a ns. predicate symbols, and proving the dual (.ith = and ~ exchanged). For p|if r then = else = fi!q I- plalq example the reader m~ght care to prove [ P uroc if.p(x) then x+f(x); callPI callP else p|uhlle -I) do= od; I~}q F P{l~lq x+x fi end, Toroc )f plx) then x+f(x)l callT else x+x fiend, l(x) lcal/PlX(x)] F I(x) lcallTlXlx) pill r then = else ~ fllq and its dual (a proof of this equivalence is given F pllf-.r then ~ else ~ filq in the Appendix). or I(x0y) lghile r(x) do x~-f(x) odl.hile s(y) do Other examples are transformations for g~-g(y ) odl)dx.g) I- ~(x.g) l,hlle r(x)ve(g) recurslon removal (See(2)). do if r(x) then x~-f(x) else y.-g(y) fl od)X(x0y) and its dual. (In both examples me ,rite the elementary action .ith relation x'-f(x) as x~f(x).) V|. Conclusion. (iv) (derived rules). Here ,e make use of We have presented a complete system D, in a mete-theorem ,hich states that if ¢rt.....(r n I- (r. .hich [besides providing for other important but then the folio, in, is a valid inference rule of Ds eomeHhat less spectacular possibilities) equivalence and partial as well as total correctness of r I- ¢1 ..... r b Cn programs can be proved. PF¢ The notion of proof from assumptions can be regarded as a natural and important extension of For example proving the better kno.n notion of proofs of program correctness using Hoare-like systems. ]f one I~r~e , p^-+r~l . t^r~s , t^-.r:~q , s l(d t chooses to take the view that Hoare's method I" pl•=hi le r do (x odlq essentially "cheats" by reducing the problem of proving a partial correctness spsclfication to that in D . establishes the corresponding derived rule. of proving a formula of L, then .e might say that D extends the "cheating" too, and reduces the problem of proving a deduction over partial (v) (modular proofs). Take as a premise correctness specifications to that of proving a an,thing previously established and prove the deduction in L. and therefore requires a slightly desired conclusion as a consequent. Sometimes it stronger logical component than Is needed In 258 Hoare'a system. The proofs of soundness and (11) r . true l [-t, &] l -,p . ~,-t0 F I L3,L2(7,18) completeness of D reduce to the traditional (12) r , truel(~.l]l-,p I- (w~-'p) :~ L3 (and mS) proofs of the same for Hoare's system Nhen D (13) r . truel[-t.l]l-,p F kl[%l]}l D2(4,12) Is stripped of its extra features. The relationship (14) I' . truel[qr.&]l~p F -f^p{x*-fx; [If,|)}| D3(1,131 can be schematically seen by viewing D in the (15) r , true f [?,l] l -p F -f^-,p {xq-x} | hyp., 01 following pictorial Nay= (1G) r , true([*t,|]l-,p I" $lif p then x~-fx; [It,|) else x~-x fill D4 (14,15) D - H u (^,v,3,Vl u H -1 (17) T Droc.,.end , r , truel('r.&)}-,p I- *tlcal ITIi D7 ^ ^ A (18) T ~roc...end , r , truel[-t.&]l~p I- ~II[Ir.I))÷ hgp. I I I (19) T Droc...end , r , truel[~.l]}-,p I- (ilcallT)# DR I I decompose (28) T Droc...end ,~,lif p then x~-fx; [,f,|]+ [T,|] I I else x~-x fi}l , #([1,&]}# , truel[~,l])-,p I collect h #lcal ITI# hyp.,D12,D13,D14 I (21) T oroc...end , P Droc...end , ~{callPl#, compose truelcal IPl-,p h ttlcal ITI# D16 (22) T Droc..oend , P ~roc...end , ${callPl# I" trueIcallPl~p (This is proved from P DrOC..,erld as a standard partial correctness proof. Me omit the details.) Aooendlx. (23) T mroc...end , P oroc...erld , ~{callP)÷ I" ~{calJTl# L2(21,22). Me show hog to prove the equivalence of the following t,o procedures= This establishes ~ne direction. The other is very similar and uses F-I T^-,p:>I , 7^plx~fx)A , P oroc .Lf.p(x) then x~f(x); callP; callP else x~x fl AI[~,&]}| , ~1[~,|]}# 1. Me now also end, and need another fact about a call to T besides T ,roc if p(x) then x~f(x)s callT else x~x LLend. true([~,|]i-p. The new fact is needed in order to show that the second call to P leaves x unchanged. Me make use of the following derived rule A suitable specification (,hich is proved as in line (22) above) Is X=VA-,p(x) l[f,I]}x-v, where V DR is free. Me omit the details of this direction. r I" plo{lq , r I" rl(p,q]ls r I" rl0{ls Acknogledoements. Me wish to thank Nachum Oershowitz for Define r as the set I't^-,p~ , ~^plx*-fx)),, suggestions following a detailed reading of a ~(['r,l])~ , xl[f,I]ll , $I[%1]1$l. previous version of the paper. The first author benefited from many related discussions with Me refer to the declaration of P as P Droc...end, Vaughan R. Pratt. and similarly for T. (1) r truel[,f.|]l-,p I" "r^plx~-fxlA hyp. (2) r truel[-f,l]I-,p I" ).{[-t.&]}# hyp. REFERENCES (3) r truel[-/.&]l-,p I- true{[%|limp hgp. (4) r true ( [% &] l -,p I" kl[lr.&]lW~-,p D2.08(2.3) (s) r true l [?,&] }-,p ]- pl[*t,I])l hgp. [1) J.g. de Bakker and L. G. L. T. Meertene. (s) r true([~,&) } ~p I" "On the Completeness of the Inductive Assertion Yx, x'(jz(x)^(lf(x):~(x')) ~ I(x')) D12 Method". Journal of Computer & System Sciences. 11. (7) r , true([1.,&]l-p F ~('t~) ~ & A1,L2(gith x'-x) 323-367. (1976). (8) r , true l [T,|] i -p , p,-P,'r I- (7^-p}:di hyp.,L1 (9) ][' , true l [l,I] }-,p , jz,-,p,'t I- | (2] R.M. Burstall and J. Oarllngton. "Some L2(ge also use L3, and D8 with the Tranlformations for Developing Recursive Programs'. empty program to create a conjunction Proc. International Conference on Reliable of the hypotheses) Software. LA Calif.. (1976). (18) r , true { [-t,&] }-p . p,-,p I-,r:~l L3 259 [3] S.A. Cook, "Soundness and Completeneee of [15] V.R. Pratt, "Semantical Considerations on an Axiom Sgstem for Progra~ Vsrification",TR-SS Flogd-Hoare Logic", Proceedings 17th Symp. on (a revision of "Axiomatic .and Interpretive Found. of Computer Science, Houston, Texas 18'3-121, Semantics for an Algol Fragment", TR-79, (1975)), (197G). Oept. of Computer Science, Universltg of Toronto, Canada, (197G). [1G] M. Mand, "A Now Incompleteness Result for Hoare's System", Proceedings 8th ACM Symp. Theor W [4] J. Darlington, "Application of Program of Computing, 87-91 (lS7G). Transformation to Program Sgnthesis", Proving and Improving Programs, Colloques Iria, (1975). [5] R.g. Floyd,, "Assigning Meaning to Programs", In J.T.SchMartz (ed.)Mathematical Aspects of Computer Science. Proceedings Sgmp. in Appl. Math. 1S, Prov. R.]., American Mathematical Society, 1S-32 (1SG7). [G] S.L. Gerhart, "Correctness-Preserving Program Transformations", Proc. of the 2nd Symposium on Principles of Programming Languages, Pals Alto, Calif., (1975). [7] G.A. Gorelick, "A Complete Axiomatic System for Proving Assertions about Recursive and Non-Recureive Programs", TR-7S, Dept. of Computer Science, Unlv. of Toronto (1975). [8] D. Harel, A. R. Meyer and V. R. Pratt, "Computability and Completeness in Logics of Programs", Proceedings of 9th Annual ACM Sgmp. on Theory of Computing, (1977). [9] D. Harel, A. Pnuell and J. Stavi, "Completeness Issues for Inductive Assertions and Hoarm's Method", Technical Report, Dept. of Mathematical Sciences, TeI-Avlv Univ., Israel (197G}. (1B] C.A.R. Hoare, "An Axiomatic Basis for Computer Programming", CACM 12, $7G-588 (19G9}. [11] C.A.R. Hoare, "Procedures and Parameters= An Axiomatic Approach", In E. Engeler(ed.}, Sgmp. on Semantics of Algorithmic Languages, LNM 188, Berlin, Springer, 182-11G (1971). [12] S. Igaraehl, R.L. London and D.C. Luckham~ "Automatic Program Verification It A Logical Basle and its Implementation", Acta Informatica 4, 145-182 (1975}. [13] O.E. Knuth, "Structured Programming with Goto Statements". Computing SurveWs, Yol 8, No 4, pp.2GI-3B1, (1974). [14] Z. Manna, "Mathematical Theory of Computation', McGraw Hill, (1974). 260