A COMPLETE AXIOMATIC SYSTEM FOR PROVING DEDUCTIONS ABOUT RECURSIVE PROGRAMS

David Harel+, Massachusetts Institute of Technology, Cambridge, MA 02139
Amir Pnueli, Tel-Aviv University, Tel-Aviv, Israel
Jonathan Stavi, Bar-Ilan University, Ramat-Gan, Israel

+ The work of this author was partially supported by NSF under contract !1CS7S-18~1.

Abstract.

Denoting a version of Hoare's system for proving partial correctness of recursive programs by H, we present an extension D which may be thought of as H ∪ {∧,∨,∃,∀} ∪ H⁻¹, including the rules of H, four special purpose rules and inverse rules to those of Hoare. D is shown to be a complete system (in Cook's sense) for proving deductions of the form Φ1,...,Φn ⊢ Φ over a language, the wff's of which are assertions in some assertion language L and partial correctness specifications of the form p{α}q. All valid formulae of L are taken as axioms of D. It is shown that D is sufficient for proving partial correctness, total correctness and program equivalence as well as other important properties of programs, the proofs of which are impossible in H. The entire presentation is worked out in the framework of nondeterministic programs employing iteration and mutually recursive procedures.

I. Introduction.

The axiomatic method of specifying the semantics of programs, as given by Hoare ([10],[11] and also [12]), lends itself very successfully to a specific goal, namely that of proving partial correctness of specific programs. A convenient description of the method employs an assertion language L and a formal proof system H having as axioms all logically valid formulae of L. A proof of a partial correctness specification p{α}q, where p,q are wff's in L, is carried out in H by composing α from more primitive program segments, starting from a finite number of assumptions in L. A well known result is that the conventional Hoare system and its variants are complete if L is strong enough to express all needed assertions. Various definitions of this strength are expressiveness of L (Cook[3]), or tidiness of all programs (Pratt[25]). Cook[3] showed that first order arithmetic is expressive, thus proving completeness of H for this important special case of L. Extensions of Hoare's system to cover recursion and mutual recursion have also been proved complete under similar conditions (see Gorelick[7], Harel et al [9]).

A suitable such system H can in fact be thought of as a formal system for proving the correctness of deductions of the form Φ1,...,Φn ⊢ p{α}q under the restriction that each of the Φi is a procedure declaration or a formula of L. However, when considering general deductions of the form Φ1,...,Φn ⊢ Φ (where the Φi may also be partial correctness specifications), it is easy to come up with semantically valid deductions which cannot be derived in H. Two examples are

(1) p{if r then α else β fi}q ⊢ p{if ¬r then β else α fi}q

(2) p{α}q, r{α}q ⊢ p∨r{α}q

(a rule which, while being underivable in H, can be shown to be superfluous for any concrete proof of partial correctness, Igarashi et al [12]).

These examples illustrate the absence (in H) of mechanisms for (1) extracting information from a specification p{α}q about parts of α (where α is a complex program segment), and (2) combining the information given in different specifications about the same program segment. H can be seen to be complete only for "simple" deductions, in which the antecedents Φi include for each given α at most one specification of the form p{α}q, and all such α's are simple specifications consisting of a single assignment or call statement, or a single program segment variable (PSV), which is a symbol standing for an arbitrary program segment.

In Section II we present our system D, which is an extension of Hoare's system, and in Section III show that D is sound and complete for logical deduction (Φ1,...,Φn ⊢_D Φ iff Φ1,...,Φn ⊨ Φ), that is, Φ can be proved in D from assumptions Φ1,...,Φn iff Φ is true in every model satisfying Φ1,...,Φn. Here the Φi can themselves be any partial correctness specifications.

The completeness result is shown by proving a series of more restricted theorems, holding for successively richer subsystems of D, thus clarifying the whole process and also achieving the side effect of indicating the precise role in D played by its important components.

A variety of properties of programs can be proved using D, and the completeness result ensures us that when L is expressive (e.g. in arithmetic), a proof exists for each valid such property. The following possibilities are described in Section IV:

(i) proving the partial correctness of a given program,
(ii) proving the total correctness of a given program,
(iii) proving the (strong) equivalence of programs,
(iv) establishing derived rules,
(v) carrying out modular proofs of program correctness given properties of segments of the program,
(vi) simplifying complex program segments and establishing valid program transformations.

Schematically speaking, D will consist of a suitable version of H for composing the conclusion of the deduction, four rules (∧,∨,∃,∀) for collecting information about unspecified program segments, and a "mirror image" of H containing inverse rules for decomposing complex program segments appearing among the premises. D, having the flavour of a natural deduction system, has all valid formulae of L as axioms.

II. The System.

Syntax

The alphabet Σ contains symbols for individual constants and variables, functions and predicates, connectives and operators. L = L(Σ) is a logical language with equality over Σ (having at least the power of the first order language over Σ). A well-formed formula of L will be called a logical wff (L-wff). P = P(Σ) is a programming language over Σ, with the following syntax:

<statement> ::= <elementary action> | <procedure call> | <statement>;<statement> | if <boolean> then <statement> else <statement> fi | while <boolean> do <statement> od

<declaration> ::= <procedure name>(<name parameter list>, <value parameter list>) proc <statement> end .

An elementary action is a nondeterministic assignment of the form x̄ ← x̄' . φ(x̄,x̄',ȳ), reading "assign to x̄ some x̄' such that φ holds". This will usually be abbreviated as A(x̄,ȳ), where x̄ is the vector of variables which can be modified by A, and ȳ is the vector of additional variables upon which the assignment might depend. When φ is of the form x̄' = t̄(x̄,ȳ), A is the conventional assignment statement.

A procedure call is a statement of the form call P(x̄,t̄), where P is a procedure name, x̄ is a vector of actual name parameters (variables), and t̄ is a vector of actual value parameters (terms). The x's are assumed to be distinct and the t's to be independent of the x's.

A boolean is a quantifier-free L-wff.

A P-segment will simply be a statement in P. We extend Σ to Σ' by adding a set of new symbols (R1,R2,...) which stand for arbitrary P-segments, and are therefore called program-segment variables (PSV's). The programming language P' is an extension of P obtained by allowing statements of the form Ri(x̄,ȳ), where x̄ and ȳ have a meaning similar to that given in the elementary actions. Note that the difference between a PSV and an elementary action is that for the latter we are given a formula defining its effect. Similarly, the difference between a PSV and a procedure call is that the latter may have an explicit declaration. We will use α(x̄,ȳ) to denote an arbitrary P'-segment such that x̄ is the vector of all modifiable variables of α, and ȳ consists of all other variables appearing in α.

A specification is a construct Φ of the form Φ: p(x̄,ȳ,z̄){α(x̄,ȳ)}q(x̄,ȳ,z̄), where p and q are L-wffs and α is a P'-segment. Here the elements of z̄ are said to be the free variables of the specification Φ. Where no confusion can arise we will occasionally omit the z̄'s and regard z̄ as consisting of all the variables appearing in the specification not assigned to in α. A specification p{α}q is simple if α is a PSV, an elementary action or a call statement (simple statements).

The formulae of our language W (called W-wff's) are

(1) L-wffs,
(2) specifications,
(3) declarations.

(Note that W-wffs cannot be combined by logical connectives.)

Semantics

An interpretation of a set Γ of W-wffs is a tuple I = ⟨D, ..., ...⟩, where D is a nonempty domain, ... is an interpretation of all individuals (including ...

Using this definition, we are now able to assign relations to the procedure calls which have corresponding body declarations in Γ. The relations assigned to these procedures are the least fixpoint relations solving the system of mutually recursive procedure declarations in Γ (here too we will refer to this interpretation of such P as I). We now have an interpretation under I for each P'-segment in Γ.

A specification p(x̄,ȳ,z̄){α(x̄,ȳ)}q(x̄,ȳ,z̄) is true under I if ∀x̄,x̄',ȳ (p(x̄,ȳ,z̄) ∧ ρ_α(x̄,x̄',ȳ) → q(x̄',ȳ,z̄)) is true (note that the free variables z̄ have been assigned by I).

A set Γ of W-wffs is defined to be true under an interpretation I of Γ if all non-declaration formulae of Γ are true in I. I is then called a model of Γ. A tuple S = ⟨Φ1,...,Φn,Φ⟩, where Φ is not a declaration, is called a valid deduction (written Φ1,...,Φn ⊨ Φ) if Φ is true in any interpretation I of S which is a model of Φ1,...,Φn.

We denote a P'-segment α containing the statements call P1(x̄1,t̄1), ...
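The syntax of P given above and the truth condition for a specification can both be exercised on a machine. The following Python model is an added example and is not code from the paper: it builds P-segments (without procedure calls) as a small AST, computes the relation ρ_α of a segment over a finite domain, and decides p{α}q by enumerating the condition ∀x̄,x̄',ȳ (p ∧ ρ_α → q). The finite four-element domain, the concrete programs α and β, the predicates, and all function names are assumptions made for the example; the paper's interpretations range over arbitrary domains, where this check is no longer decidable in general. Besides checking individual specifications, the block tests the two deductions (1) and (2) from the introduction semantically, and shows that a diverging loop satisfies every partial correctness specification.

```python
"""Relational semantics of the nondeterministic language P over a finite domain.

A state maps each program variable to a value in DOMAIN.  A segment alpha
denotes a relation rho_alpha(s, s') between an initial and a final state.
Partial correctness: p{alpha}q holds when every final state s' reachable
from a state s satisfying p satisfies q.  A run that never terminates
produces no final state and therefore cannot violate q.
"""
from itertools import product

DOMAIN = range(4)   # assumed finite domain, chosen so enumeration stays cheap
X, Y = "x", "y"     # program variables used by the examples below
VARS = [X, Y]

def freeze(s):  return tuple(sorted(s.items()))   # hashable state
def thaw(t):    return dict(t)

# --- AST constructors for P-segments (procedure calls omitted) -----------
def act(var, choices):
    """Elementary action x <- x' . phi: choices(s) returns the set of x'
    values for which phi(x, x', y) holds in state s (empty set = blocked)."""
    return ("act", var, choices)
def seq(a, b):          return ("seq", a, b)
def ite(cond, a, b):    return ("if", cond, a, b)
def while_(cond, body): return ("while", cond, body)

def run(prog, s):
    """All final states reachable from s, i.e. {s' | rho_prog(s, s')}."""
    kind = prog[0]
    if kind == "act":
        _, var, choices = prog
        return {freeze({**s, var: v}) for v in choices(s)}
    if kind == "seq":
        _, a, b = prog
        return {t for m in run(a, s) for t in run(b, thaw(m))}
    if kind == "if":
        _, cond, a, b = prog
        return run(a if cond(s) else b, s)
    if kind == "while":
        _, cond, body = prog
        # Least fixpoint by worklist over the finite state space: a path
        # that loops forever revisits a seen state and yields no final state.
        seen, todo, finals = {freeze(s)}, [freeze(s)], set()
        while todo:
            cur = todo.pop()
            if not cond(thaw(cur)):
                finals.add(cur)
                continue
            for nxt in run(body, thaw(cur)):
                if nxt not in seen:
                    seen.add(nxt)
                    todo.append(nxt)
        return finals
    raise ValueError(f"unknown statement kind {kind!r}")

def all_states(vars_=VARS):
    for vals in product(DOMAIN, repeat=len(vars_)):
        yield dict(zip(vars_, vals))

def spec_true(p, prog, q, vars_=VARS):
    """Truth of p{prog}q: for all s with p(s) and all s' in rho(s), q(s')."""
    return all(q(thaw(t)) for s in all_states(vars_) if p(s) for t in run(prog, s))

def same_relation(a, b, vars_=VARS):
    """Strong equivalence: identical relation from every initial state."""
    return all(run(a, s) == run(b, s) for s in all_states(vars_))

def or_rule_sound(p, r_, prog, q, vars_=VARS):
    """Deduction (2): p{a}q, r{a}q |= (p or r){a}q for these concrete wffs."""
    premises = spec_true(p, prog, q, vars_) and spec_true(r_, prog, q, vars_)
    return (not premises) or spec_true(lambda s: p(s) or r_(s), prog, q, vars_)

# --- assumed example programs --------------------------------------------
r     = lambda s: s[X] > s[Y]                                   # boolean r
alpha = act(X, lambda s: {(s[X] + s[Y]) % 4})                   # x := x + y
beta  = act(X, lambda s: {v for v in DOMAIN if v < s[X]})       # x <- x' . x' < x
prog1 = ite(r, alpha, beta)                       # if r then alpha else beta fi
prog2 = ite(lambda s: not r(s), beta, alpha)      # if not r then beta else alpha fi
count_up = while_(lambda s: s[X] < s[Y], act(X, lambda s: {s[X] + 1}))
spin     = while_(lambda s: True, act(X, lambda s: {s[X]}))     # never terminates

if __name__ == "__main__":
    print("deduction (1) holds semantically:", same_relation(prog1, prog2))
    print("x<=1{beta}x=0:", spec_true(lambda s: s[X] <= 1, beta, lambda s: s[X] == 0))
    print("true{spin}false (partial correctness):",
          spec_true(lambda s: True, spin, lambda s: False))
```

Because prog1 and prog2 denote the same relation from every state, any specification true of one is true of the other, which is exactly why deduction (1) is semantically valid even though H has no rule to extract it. The spin loop shows the other side of the coin: true{spin}false holds, so a total correctness claim needs the separate treatment the paper gives it in Section IV rather than a partial correctness specification alone.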
