A system for handling syntax and semantics of computer programs in terms of the mathematical language automth

(1)

A system for handling syntax and semantics of computer

programs in terms of the mathematical language automth

Citation for published version (APA):

Bruijn, de, N. G. (1973). A system for handling syntax and semantics of computer programs in terms of the mathematical language automth. Eindhoven University of Technology.

Document status and date: Published: 01/01/1973

Document Version:

Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)

Please check the document version of this publication:

• A submitted manuscript is the version of the article upon submission and before peer-review. There can be important differences between the submitted version and the official published version of record. People interested in the research are advised to contact the author for the final version of the publication, or visit the DOI to the publisher's website.

• The final author version and the galley proof are versions of the publication after peer review.

• The final published version features the final layout of the paper including the volume, issue and page numbers.

Link to publication

General rights

Copyright and moral rights for the publications made accessible in the public portal are retained by the authors and/or other copyright owners and it is a condition of accessing publications that users recognise and abide by the legal requirements associated with these rights. • Users may download and print one copy of any publication from the public portal for the purpose of private study or research. • You may not further distribute the material or use it for any profit-making activity or commercial gain

• You may freely distribute the URL identifying the publication in the public portal.

If the publication is distributed under the terms of Article 25fa of the Dutch Copyright Act, indicated by the “Taverne” license above, please follow below link for the End User Agreement:

www.tue.nl/taverne Take down policy

If you believe that this document breaches copyright please contact us at: openaccess@tue.nl

providing details and we will investigate your claim.

(2)

M017283

Technological University

Ei"r ..th.wa1111

Netherlands

Department of Mathematics

A system for handling syntax and semantic of computer programs in terms of the mathematical language AUTOMATH

by

N.G. de Bruijn

Department of Mathematica, Technological University

Eindhoven, the Netherlands November 1973

(3)

Department of Mathernaties Techuological University Eindhoven, the Netherlands November 1973.

A system for handling syntax and semantics of computer programs in terros of the matheroatical language AUTOMATH

by M 6 N.G. de Bruijn

-

818

--

----

L.IOT

-

HECl

-

---

\

-

1

I

--

-

--

---

-

----·--

:

"/4011(!3

! -_ _ .... ,., .... ...,_ .... , _ _ ,,._ ... _ _

T

.

H .

E

l

N

0

i 'J

V E

~~ I. Introduction.

AUTOMATH (see [I]) ~s a language which permits us to wri te very large parts of rnathematics in such a precise way that verification of the cor-rectness of the mathematical contents can be automatized, i.e. the verification can be carried out by a computer. The AUTOMATH book that is presented to the computer has to contain everything: logical founda-i::ions, inference rules, mathematical foundations,.axioms, definitions, formulas, abbreviations, theorems, proofs, and the mutual connections bet\..reen all these things.

In many areas of mathernaties one may feel that there is not much need for such extremely precise forroulations of complete theories. Such areas can have a strong intuitive background, and the feel of safety _.is supported by the many applications that can be checked by various en-tirely different methods leading all to the same result.

There are fields, however, where the need for precision is very s trong, \vhere in tui ti ve support is weak and experimental evidence mis-leading. This may happen in cases of long proofs consisting of very many elementary steps, where it is strongly felt that a chain is as weak as its weakest link. If the number of steps runs into thousands the need for mechanical verification can be a very practical one.

(4)

- 2

-One such field can be the one that is devoted to prov~ng that a

computer program has the semantics we want it to have, i.e. that pro-gram execution does what we claim it to do. Irttuition and experimental evidence in this field are known to be independable. One reason, but

not the only one, is that long programs are of ten produced in ~c-ooper

ation between several programmers, pieces are taken from libraries, etc. Another matter is that program languages thernselves need a thorough forrnal description, both for syntax and sernantics.

Let us describe the organization of an AUTOMATH book in which all these things have their place. In order to be able to talk in less

gen-eral terrns, we act as if there ~s only one interesting program in the

world, i.e. a program for finding the g.c.d. of two integers. The AUTOMATH book has to contain

PART A (i) Logical tools, inference rules.

(ii) Mathematical foundations, in particular properties of natural numbers and integers.

(iii) A definition of a particular prograrnrning language.

(iv) Basic assumptions on the semantics of programs in that

language.

Part B (v) Definition of the g.c.d., and proofs of some of its

prop-erties.

(vi) A description of a program for the computation of the g.c.d.

(vii) A sernantic statement, with proof, about that program (this rnay state sernething to the effect that if the input

(5)

3

-Part A will contain a number of primitive notions for which no construction is given. (We note that basic inference rules and ax1oms can be brought under this heading.) We have_to have standard inter-pretations relating Part A to the unformalized (or only partly formal-ized) outside world. Purthermare Part A can contain a number of con-sequences derived from the primitives.

In part B there are no primitive notions any more, and no new interpretations come in. Here everything is defined and derived on the basis of part A, and interpretation of part B has to follow from

interpretation of part A.

PartBis themore flexible part. We may add topart B more mathe-matical results, and more programs. Whether the primitive notions of part A plus their interpretations farm a sound basis, is a question open to discussion. We have to conv1nce ourselves of their adequacy 1n some way or other. What can be checked automatically 1s the correctness of part B (plus the non-primitives inpart A).

In this paper we shall discuss a system for program semantics~ The languages we are able to treat are ALGOL-like. We shall nat be able, however, to take ALGOL '60 to its full extent. ;n particular we shall feel some limitations with respect to type procedures and procedures called by name. And we do nat discuss goto's; nat because gato's make bad programs, but just since our semantic system cannot handle them.

(6)

. 4

-It ~s only a small part of the paper that refers to AUTOMATH. Once we have explained in what way syntax and semantics of a computer language can be described in the rigid AUTOMATH system, we feel the need to develop a system of semantic discussion ~n some more detail. This covers the larger part of the paper. We shall try to explain the philosophy of the system here.

The vital point is a rigid separation ~n three parts: _syntax, semantics and execution. "Syntax" says what a program is, not what it does. "Execution" says what a computer actually does with the program. "Semantics" will be taken in a rather limited, perhaps unusual sense. In the semantics too we make statements about the execution of programs, but the approach is different. The semantic discussion starts with state-ments about the smallest programs, then proceeds to bigger

sub-programs and ends with the full program. The "executional" point of view is that we execute the program starting at the beginning, and watch how it develops. In the executional discussion time plays an

over-whelming role, in the semantic discussion no role at all.

The separation between semantics and execution is strongly imposed on this paper: syntax and semantics are described in terros of AUTOMATH, and execution is shifted to the level of interpretation. The relation

between semantics and execution ~s described as an intuitive one.

Our semantical system depends on handling information on programs.

It is stated what information we have on the smallest building blocks,

and how information on composite programs can be derived from information on the smaller programs it has been built from.

(7)

- 5

-Our discussion on program information never tries to handle the most complete information (which is in general very unpractical). It is just like a piece of mathematics, where we do not bother to derive everything that can possibly be derived. We try to say just enough for the final purpose we have in mind.

The author is aware of the fact that his extensive treatment of semantics runs the risk of having quite some overlap with what others have done before. He accepts this risk since he thinks that if one presents a philosophy and if one wants to stress the fact that it can be used in practice, then one should present an idea of how it works

(8)

6

-2. Orientation on program semantics. Let n he a computer program. Tt operates, deterministically or non-deterministic~lly, on a set of

states ~. lf the execution of n is started at a state w E ~. then there are t~.,ro possibilities: either the execution of n never comes to a stop, or there is a final state w' E ~. In conneetion with the first poss~ -bility, we extend our r2 by adding a single new element, called oo:

+

~ ~u {oo}.

The set of all possible executions of the program TI can be described by a predieare P on the cartesian product

'JT

+

~ x ~ . The interpretation ~s this. If some execution of the pro~ram is non-terminating, we say that it has oo as its final state. Nm,T P expresses that for every initial

'JT

+

statew E ~ the final state is an w' E ~ that satisfies P (w,w').

TI

I f the program is deterministic, then P has the property that for 'JT

any w E ~ there is just a single w' such that P (w,w') is true. That ~s, TI

there is a set ~O ={w E

rt

j

PTI(w,oo)} of initial values that lead to non-termination, and there ~s a mapping g of ~ ' ~O into ~ such that

+

for all w E n ' ~O and all w' E ~ we have P (w w') ~ w' = g(w).

TI '

For formal reasons ~.-re shall add the element oo to the set of initial states as well. Let us agree that P (oo,oo) is true; the other values

TI

P (oo,w') are irrelevant. From now on we describe the semantics of pro-TI

+ + grams ry predicates p on ~ x ~ .

+

Note that P hAs the property that for all w E ~ the set

( 2. I)

~s non-empty. (The ex ecu ti on of the program does ei ther somethinp. or nothing, there is no third possibility:)

(9)

7

-3. Semantic information. When discussing what a program does for us in practical situations, it ~s aften sufficient to deal with incomplete information. Any part of any program may have semantic properties that are complicated and partly irrelevant; irrelevant since they do nat play an essential role in the things \ve want to apply our full program to. I t wi 11 be very convenient to be ab le to discuss programs in a vay where these irrelevant things can be left aside.

To this end ,,1e introduce, for every program TI (acting on a set of states ~) and for every predicate Pon~+ x ~+, a proposition

w(n,P)

that is intended to say that P (w,w') ~ P(w,w') for all w,w'. If w(n,P) 1T

is true, ,.,e say that P presents semantic information on TI. In particular w(n,P ) is true. We may say that P is the full information, and that the

1T 1T

other P's (as long as w(n,P) is true) give partial information.

If we want to descrihe w(n,P) without reference toP , it is this: if 1T

w(~,P) is true, then for every execution that has w as its initial state and as its final state (where w

=

oo means that the execution does not start, and w' ~ oo means that it does not end), we have P(w,w'). On the other hand,

the truth of P(w,w') does nat guarantee the existence of an execution with initial statewand firial state w'.

We can introduce a partial order in the set of all programs, defining

Til

~

1T2 if vp(w(nl ,P) ::;. w(n2,P)). I f bath TI]

~

1T2 and 1T2

~

Til,

"'e can calln

1 and n2 semantically equivalent.

't-1_e _ar_e _certainly_r_e_strictjn_g _ourselv_e_s _by_usin_g _th_e _t_e_{rm "semantic}

information" only in the above sense. Here is an example of a different

type of information: assume \ve kno'" of a program that either it is a 2

program that computes x for all integers x, or it is a program that 3

(10)

- 8

-"lt7e can only get the weaker statement that for every x the program computes

2 3

x ar x .

4. Non-executional points of v~e'"· In sectien 2 we have introduced P" on the

basis of program execution, and the definition of information(in sectien 3)

indirectly depended on that concept. We shall suppress all references to

execution from nmv on, ~. e. we shift discussions on execution to the level

of interpretation. ~1_e_{shall be dealing only '"'ith the problem hm.J progr}_A_m information is obtained from information al:-out the sub-programs the prof-ram consis ts of.

5. Orie.ntation on prograrnming languages. We do nat select a particula!'

language, but we think of a class of languages in the framewerk of a numher

of characteristic features. ~le shall take ALGOL '60 for producing examples

(but as pointed out in the introduction, we do nat claim to discuss ALGOL '6(

in its full glory).

We organize our description of a programming language hy indicating (i) a class of primitive programs and (ii) a class of primitive ways to

campose complex programs from simpler components (primitive program

con-structs).

As primitive programs we can take thinp;s like assignments: , .. re can take

a class of mappings f of n into rt, and proclaim for any such f, "w := f(w)"

as a primitive program.

As primitive program constructs we can take things like the concatenation

"n I n

2" (where n I and n 2 are programs), the binary selection "if B(w) then

n

1 else n 2". And there c<m be constructs of the type where variables play a

role, like the deelaratien and the recursion. In order to re able to express

(11)

- 9

-express~on that can possibly have free variables and dummies.

These are of tHó· different kinds: stAte space variables (or durrunjes) and program variables (or dummies). In ALGOL '60 these two kinds are treated very differently. First ,,re have things like this:

begin integer n; for n := step l until 400 dop := p+n end,

where p ~s a global variable and n ~s a dummy.

ThP. sP.cond kind of variable is the one that stands for a program and not for a state space element. We need it for defining recursion. ALGOL '60 does not use program variables for this purpose, but uses circular defini-tions instead. Consicier the program TI defined recursively as

procedure TI; if p > 1 then begin p .- p-1; TI end. (5.1)

(p is a global variahle of type "real"). In lvhatever Hay ve are going to eliminate the circularity of this definition, it seems we need a dummy variable. Let us praeeed like this. Take~ as a program variable (i.e. a

letter lve write at a place that requires a program). Consider the expression

if p > 1 then begin p .- p-1; ~end. (5.2)

Call this express~on Q(~). If ~ is replaced by a program, then Q(~) becomes a program. So we can say that Q maps programs onto programs. In order to represent Q we need a ~-expression. We can write Q as

À

~Eprogram

Nm.;r ~ is a durruny.

if p > I then begin p := p-1; ~ end.

The ALGOL program for TI can be abbreviated as follovs.

procedure TI; Q(TI)

(12)

-

JO-In order to avoid the circularity in this definition, we introduce a symhol RF.C~RS, and we write for n just

RECURS (Q) (5.4)

If we eliminate the letter Q we get as notation for n: RECURS (À .

~Eprogram if p > I then begin p .- p-1; ~end) (5.5) If we have several procedures which are defined recursively by means of each other, then weneed a few tricks in order to get them into a form like

( 5 • 5 ) ( S e e s e c ti on I 5 ) .

6. Sketch of a formal definition of a programming language. We shall use the

possibility of defining programming languages by means of AUTOMATH. We start ~vri ting

)2 :=

program := PN

and from this point onwards ~1e can speak of programs 'being defined on the state space Q. We next descrihe a number of primitive programs as primitive

notions. In order to introduce classes of primitive programs rather than

isolated programs, we admit types K

1, K2, say, and \ve introduce primitives

by

I

;r;= KJ PN program

I

:r:"

.-

PN K2 program For example, K

1 may be a class of mappings of Q into itself, and if f

~sa mapping helonging to that class, the interpretation of Pr1(f) might be the assignment of w .- f(w).

(13)

- IJ

-Next we introduce primitive program constructs, as primitive functions

mapping k-tuples of programs on programs. To he more specific we present as examples: program program concat .- PN program B := [ w,st] bool binselect .- PN program In this example the n

1 and n2 are programs on st.

We shall refer to primitive programconstructsof this type as "lower",

and we use the term higher for constructs 1n which the variable is not a program but sarnething of higher level. As an example of a higher construct, He take as a prirnitive the RECURS, mapping program-to-progrélm functions on

programs:

Q := - - - -[ n ,program] program RECURS .- PN program

Insection 14 and 15 we shall discuss the case of programs with formal para meters.

7. Formal treatment of semantic information. As already stated in section 2,

+

the set Q 1s obtained hy adding an element "oo" to st. The class of all

+ + • + I +

predicates on Q x Q vlj 11 hé denoted by PRED. (So l f w E st , w E st ,

P E PRED, then P(w,w') is a proposition).

We shall assume that to every program ~ and to every P E PRED

~..re have attached a proposition w(n ,P). If n depends on k free program variables n

(14)

I f we wr i te w AUTOMATH

.i

u st SI 1T . -p := w .-- 12 -program PRF.D PN rool

this accounts for the use of w(n,P) in every context where n ~s a program.

For the use in the semantics of higher constructs we farm the notion of

information transformer. Let ~ be a program with k program variables. Let

T be a mapping of PRED x •••

x

PRED (k factors) into PRED. We say that T ~s

an information transfarmer for ~ if for every sequence of programs n

1 , ••• ,nk and for every sequence of predicates P

1 , ••• ,Pk we have

w(n

1 ,P1)1\ ••• Av(nk,Pk)

We shall make semantic assumptions ~n the following order. (i) We shall

postulate knöwledge on w(n ,P) for the primitive programs, (ii) He shall po

s-tulate information transfarmers for the loHer primitive program co

n-structs, (iii) ,.,e shall postulate rules for deriving knowledge on higher

constructs from the information transfarmers for the program-to-program

functions involved.

8. General assumptions on H. \~e first present a number of assumptions ({i), (i i), (iii), (iv)) which 1ve require for all programs. We point out that there is

the possibility to derive these things from assumptions on the primitive

programs and program constructs. One can say that (i),(ii),(iii),(iv) are

essential for the interpretabili ty of lv as semantic information, and that

the semantic assumptions on primitive programs and constructs have to he

consistent with these properties.

(i) For all programs n and all P

1 , P2 E PRED vle have I-\T(n,P

(15)

- 13

-(ii) For all TI \.'e have w(TI,TRUF.) (TRUE is the identically true

predicate.

(iii) For all prograi!ls TI and all P E PRED we have

\-l(TI,P) ~ P(oo,oo),

(iv) · For all programs TI, all P E PRED, all wE SI+ \-!e have w(TI,P) =:>

3

+

W 1 ESI P(w,w')

Note that from (i) we deduce (v) (PI :=;. P

2)

=

(w(TI ,P l) :=;. ,.,,(TI ,P 2)),

(vi) w(TI ,P

1) V H(TI ,P 2)

=

'"(TI ,P 1

V

P 2).

From (i) it does not follow automa.tically that 00

(vii) w(TI,/\i=l Pi)

~

00

1\ .

I \.'(TI,P.),

l = 1

and it lS questionable ,.,hether this rule should be taken as an assumption.

9. Semantics of primitive programs. A simple primitive program 1.s the empty statement TI

0. As semantic assumption it is reasonable to take

cV

~+ P(w,w))

=

w(TI,P)

Wt>G (9. I)

hut it would not do harm to take a Heaker assumption like

cV

~

+

P(w,w))

=

H(TI,P).

WE>G (9.2)

As further primitive programs one might take assignments w := g(w), where

g is a mapping of SI into SI belonging to a given class. As semantic assumption He might take

<t;}WESI P(w,g(w)) 1\ P(oo,oa) == ,,,(TI,P) (9.3)

but again, this may he weakened in the style of (9.2). Note that (9.1) and

(16)

- 14

-If we wish to express that the calculation of g(w) has been carried out with accuracy E (taking Q to be the set of reals, say,we can do this by taking(instead of (9.3)) w(n,P ) where P is the predicate given by

E E

P (w,w')

E (wEQ 1\ w'EQ 1\ Jg(w)-w' !

< E) V (w w' oo).

10. Lower primitive program constructs. The semantic rules for lower constructs present information transfermers for these constructs.

I

'

For the concatenation TI of two programs n

1 and n2 (n ~s the program whose execution consists of: first n

1, then n2) it ~s reasonable to take this rule (for all P

1, P2 E PRED):

where P

1*P2 ~s the boolean matrix product

It isreassuring to notice how the associativity of the semantics of conca te-nation corresponds to associativity of matrix multiplication.

The question presents itself whether there is a program construct that corresponds to boolean matrix addition, as defined by

The answer ~s provided by a lesser known construct which we may denote as

or _TI2 _,

The execution of this is either the full execution of n

1 (and nothing of n

2) or the full execution of n2. The pregrammer has no influence on the choice

(17)

-

IS-We next cons:ider the binary selection "if B(tü) then n

1 else n2". Here

B js a prt.•djclltl' on ~L WP might d<'scr:ihe its SPm••ntics hy tht- followinf~ ruil':

For all P

1 ,P2 E PRED we have

where n ~s the program "if B then n

1 else n2", and P ~s given by

P(w,w') (B(w) I\ P

1 (w,w')) V (1B(w) 1\ P2(w,w')).

+

(B ~s extended to Q , with B(oo) false).

I I. Higher primitive program cohstructs. We consider constructs f that map

program-to-program functions Q onto programs f(Q). Asemantic rule for such an f explains how we can derive information for f(Q) from an information

transfarmer for Q.

It seems that there ~s only one class of examples worth attention, viz.

those invalving recurs~on. In this section we discuss recursion only for

the case of procedures without formal parameters, and we refer to section 15

for extensions.

by

He first explain some notation. Poo ~s the element of PRED tha.t ~s defined

If P E PRED f or n

n

P00(w,w') (w'=oo),

I ,2, .•. , then wedefine lim sup P as ~he predieare

n

defined by

(lim sup P )(w,w')

n

V

m k>m

3

Pk(w,w').

1~e can now phrase the semantic rule as follm-Js: If Q is a program-to-progra

function, and if T is an information transfarmer for Q then we have

(18)

-

16-where Tn stands for the n-th iterate of T.

The intuitive interpretational idea behind (I 1.1) is the following. Taking a fixed initial sta~e w, we have two possibilities:

(i) There is an integer k such that the execution of Q (n) never k

. . k+j )

gets to any execut1on of n. S1nce Q (n Q (QJ(n)), we can say that for k . any m ~ k the execution of Qm(n) never gets to any execution of n. So any information we have on Qk(n), even the information derived on the assumption that n 1s non-terminating, applies to all Qm(n) with m ~ k, and therefore

m

occurs 1n the lim sup. Conversely, information that applies to Q (n) for all large m, already applies to Qk(n). According to standard "executional'' ideas on recursion, it is Qk(n) that described the semantics, at least if the initia state is

w.

(ii) For every integer k the execution of Qk(n) uses n. Assuming n to be

k

non-terminating, we infer that every Q (n) is non-terminating. According to intuition about execution, the recursion is non-terminating. On the other hand

. k k

we know that T (Poo) presents semantic information on Q (n), and we feel that T k

can be chosen so strong that T (P~) expresses that the initial value w leads t non-termination. That is,

T

k(P~)(w,w') ~

(w'

=

oo). This property is preserved

k

if we pass from T to the lim sup.

We can replace (I 1.1) by sarnething (viz. (11~3)) that is simpler though slightly weaker. Let us assume that T 1s monotonic (i.e. that P

1 => P2

implies T(P

1) => T(P2). Then we have (if TRUE is the identically true

predicate) T(TRUE) ~ TRUE, and hence

n+l n

T (TRUE) ~ T (TRUE) ( 11 . 2)

(19)

- 17

-and it fellows from (11.2) that lim Tn(TRUF) exists. llence (11.1) implies

n+oo

w(RECURS(Q),lim Tn(TRUE)). (I I . 3)

This sametimes produces weaker results then (IJ;!). It may happen th~t

{1 1. I) says that the program RECURS(Q) need not be terminating, ~n cases

where (I 1.3) says that it is sure to be non-terminating. The simplest such

case ~s the one where Q is the identity (Q(~)

=

~), leading to T(P)

=

P

asthebest possible information transformer. Now (11.1) g~ves P"" as

information for RECURS(Q), as it should, but (11 .3) gives TRUE as informati01

which actually means no information at all. The program RECURS(Q) is written

~n ALGOL 60 as the call of a procedure with deelaratien

procedure ~ ~.

We end this sectien witharemark about (11.1). Insteadof (I!. I) we require for any sequence of information transfarmers T

1,T2, ... that

(I I • 4)

This statement is equivalent to the one about (I 1.1), at least of

T,T

1 ,T2, ... are monotonie.

12. Non-recursive procedures. Intuitively, a non-recursive procedure is just

sarnething that gives a name to a program. It is applied ~n situations where

that program is used more than once in another program, and serves as an

abbreviation. In the AUTOMATH presentation of a program, abbreviations are

used throughout, whether A.LGOL calls them abbreviations or not. It is an

oddity of ALGOL that the non-recursive procedures are presented ~n exactly

(20)

- 18

-Any non-recurs~ve procedure (with body p) can be considered as a special recursive procedure, acting on the program-to-program function À p (this is

'TT

a constant function: p does notdepend on n). So the non-recursive procedure with hody p is considered as RECURS(À p), and we have to ask the question

'TT

whether this program is semantically equivalent to p.

In one direction this is all right. For every S E PRED we can derive

w(p,S) ~ w(RECURS(À p),S).

'TT (12.1)

Note that if w(p,S) holds, then T = ÀPEPREDS ~sa predicate transfarmer for À p, and note that Tn(P00)

=

S for all n.

'TT

It seems that if we want to have the implication (12.1) reversed, weneed

further semantic axioms. This seems to be a rather high price for the right to consider an abbreviation as a non-recursive procedure. It might be better to postulate the abbreviation as a program construct in its own right.

(21)

- 19

-13. Semantic theorems invalving recurs1.on. The assumptions on semantics made 1.n sections 8~1 I can he seen as semantic axioms; results derived from them for specific programs can be called semantic results. On an intermediate level we have semantic theorems, which produce semantic results for non-primitive program constructs. Needless to say, there is no essential difference between a program construct and any odd program that contains free program variables. The situation is the usual mathematica! one, where a result is called a theorem if we hope to use it repeatedly, under various circumstances.

In the AUTOMATH book that contains both the computer language definition (i.e. the introduetion of the primitive programs and con-structs) and the basic semantic axioms, we can introduce new program constructs by means of definitions, and prove semantic statements ahout them. These proofs may use mathematical material (e.g. theorems on inte-gers and real numbers) that are developped 1.n the same book.

As an example we take the "while" statement:

while B(w) do a

_...,...

(where Bis a proposition and a is a program). This statement 1.s defined as the call of a recursive procedure n that is introduced as

procedure n; if B(w)

(where n

0 l.S the empty statement). In our AUTOMATH book \,re can wri te

B := [ w,rl ] hool

a := program

whiledo := RECURS( [ n ,program] binselect(concat(a ,1r), '11'

(22)

- 20

-We can now deduce theorems ahout this construct. Instead of expressing them and proving them in AUTOM/\TH, \o7e restriet ourselves here to formulatin!,? them in customary mathematica] style. The context is ~.o,B.

Theorem I.

(i) Let

Q

be a predicate on~; we extend bathBand Q to Q+, takinr B(oo)

=

Q(oo)

=

false.

(i i) Let Z be an integer-valued function on Q; 'l.ve P.XtPnn i t to Q + by giving an arbitrary value (0, say) to Z(oo),

(iii) Assume that for all w ~ Q we have B(w) ~ (Z(w)>O). (iv) Hareover assume that

w(o,À(w,w')EQ+xQ+(Q(w)AB(w)) ~ (Q(w')l\ (Z(w')<Z(w)))). Then we have

w(whiledo(B,o), À(w,w')EQ+xr.+ Q(w)

"*

(Q(w')l\rB(w'))). Sametimes the following modification of this theorem lS useful.

Theorem 2. Assumptions (i),(ii),(iii) as ln the previous theorem. Moreover we assume:

(v)

A

is a non-empty set, and F is a mapping of~ into

A.

We extend

F to Q+, defining F (oo) arbi trary (in A).

(vi) w(o,À( ') n+ n+ (Q(w)AB(w)) ~ (Q(w') 1\ (Z(w') < Z(w))A(F(w)=F(w' W,W EOG XOG

Then we have

(vii) w(whiledo(B,o), À(w,w')EQ+xQ+ Q(w) ~ (Q(w')AïB(w')A(F(w) F(w')))

As an application we take an algorithm for the g.c.d of two integers. Let u agree that gcd(O,O) = 0, and that if m,n are nat both zero, then gcd(min) is the least positive camman divisor of m an.d n. If m,n are integers, we define the auxiliary function rem(m,n) by rem(m,n)

=

m if n = 0, rem(m,n) the

(23)

- 21

-number r with 0 ~ r <

lnl ,

m

=

r (mod n), if n

#

0. Note that gcd(m,O) =

[n

for all integers m, and that gcd(m,n) = gcd(n,rem(m,n)) for all integers m,n. These notions and results have to be in the "purely mathematica!" part of our AUTOMATH book.

For

n

we take the set of all veetors (:) , where m,n are integers. We consider the program TI given by

whilen.füdo. (mn):=( _rem(m,n)n )

which has to he proved to transferm the initial state (:) into a state

(~)with

[m'[ = gcd(m,n).

In order to apply Theorem 2 we take

Q TRUE ,

ze(~)

)

= [n[ ,

F((~))

= gcd(m,n). Now application of that theerem gives

~:)

f

oo)An'=O 1\ gcd(m,n) gcd(m' ,n'))) (Here have taken some inadmi1ab le liberties wi th the nota ti on wi th respect to the point oe) ·In this case the use of the v of sectien 1 7 seems to he preferable. It gives

(gcd(m,n) gcd(m',n') 1\ n' 0)).

14. Coordinatization, projection and injection. In the previous sections we never looked into the structure of n. We shall no'v study constructs

which are connected with th~ struçture of Q as a cartesian product of sets.

Let n

1 , ••• ,nk he sets. The cartesian product. n1x ... xnk consistsof all

k-tuples (w

(24)

22

-~

₁

x .•. x~k are aften described in terros of the nrunes of th~ kvariables

attached to ~I, ... '~k. (If one dislikes mathematical operations on

metamathematical ohjects, one may speak ahout the p:r.ojection ~

₁

x ... x~k-+ ~i instead of the i-th variable). These narnes occur ln assignments and in predicates. When writing or reading a program in ~, it J_s essential to know which cartesian product :representation of ~, and which narnes of the variahles, are taken as the frame of reference. Therefore it might he

h tt _e _{er o spea o}t k f _a 11 _program (n _"_{! , ...}_{'"k lnSLeau o}n )"' >- _, f _a " _program (_"n)" _.

In ALGOL the narnes of variables are used for the notation of primitive programs. We shall aften have to refer to these names, and therefore we use a notation we explain by an example. If ~ = R x ~ x

E

x R (where ~ stands for the reals and Z1 for the integers) and if ~ is coordinatized by

(x,y,n,w), then we express this fact by writing Q = R x R x R x R.

x y n w

Projection '"ill be defined as a construct that transfarms .a program on ~

₁

x

...

x~k into a program on a smaller state space. As an example, we

consider a program on Rx x Ry x 7n x~, like

if x > 2 then begin n := 1; y := b * b end.

We transfarm it into a program on JRx

x

IRY hy means of declaration (trat

turns n and b into duromies)

begin integer n; real b; if x > 2 then begin n := I; y := b*b end end

By the way, this lS a non-deterministic program, slnce there has been no assignment to b. The best-possible information on this program ls

(25)

23

-((x,y)

f

oo) =+ ((x' ,y')

f

oo 1\ (x-=x')/\ (x>2 =:$> y'::::O)A (x$2=->y=y'))).

I

Let us also ~xplain by an example what injection is. Let ~ be a program on

R

x IR x

z· .

We transfarm it into a program on IR x IR x

z

x

z

x

z

x y n x w k n ~

by means of a simultaneous substitution replacing x by w, y by x, n by ~.

The usual terminology is to say that ~ is a procedure with three formal parameters, and that the transformed program is the call ~(w,x,~).

Starting a more formal description, we introduce two state spaces

A Ax ... xA,

I m

and a one-to-one mapping cp of { 1, ••• ,k} into {I, .•• ,m}. We assume

n -

A

" i - cp(i) (i=l, ..• ,k).

(This equality of spaces has nothing to do with narnes of variables), To cp we associate a mapping

E+i

E cp ( (À I , ••• , Àm) )

Since cp ~s one- to-one, Ecp maps A onto rl.

Two elements (À_{1 ,. ••}_,Àm)'

(Ä;, ...

,Ä~) are called equivalent i f Àj= Àj for all j E {l, •• . ,m} '\ {cp(l), ... ,cp(k)}.

\-Je now introduce two primitive constructs, "projectioncp "and "injectioncp" For every program ~ on A we have a program"projectioncp(~)" on ~. and for every program p on ~ we have a program "inj ectioncp (p )''on A. In symbols:

projectioncp injectioncp program(A 1x .•. xAm)~ program(~

1

x .•• x~), Program(~

₁

x ... x~k)-+ program(A 1x ... xAm).

In order to describe the semantics of projectioncp, we associate to every

+ + . + +

(26)

24 -Ecj>lJ ')1\P(lJ ,lJ ')) (Àcii,À 'cll). (w' oo) (ÀEII), + (w 1 d'l ) •

Our semantic assumption on the projection will now be that for every

TI E program( A

1, ... , Am) and for every predicate P on A+x A+ we have

w (TI , P ) =="' w (pro j e ct i on <P (TI ) , Li <P ( P) ) • ( I 4 • I ) .

In order to describe the sernarttics of we associate to

. + + .

every pred~cate Q on ~ x ~ a pred~cate

injection<P , + e<P (Q) on A x 1\+, defined by G<P(Q)(À,oo) = Q(E<PÀ,oo) e<P(Q)(oo,À1 )

=

(À1

=

oo) (À 1 E fl.+).

Out semantic assumption on the injection will now be that for every

+ +

p E program(~

1

x .•. x~k) and for every predicate Q on~ x~ we have

w(p,Q) ~ w(injection<P(p), e<P(Q)). _(14.2)

We remark that for every p E program(~

1

x •.• x~k) we can form

p1

= projection<P(injection<P(p)), and that w(p,Q) ~ w(p 1

,Q) for all Q.

The restrietion that

q,

is one-to-one plays a role ~n the interpretation of the injection as a procedure call. If n(x,y) is a procedure, then we think of the call n(s,t) as referring to the program we get syntactic.ally

(27)

25

-the letter y by -the letter t, throughout -the body of the procedure. The description of thesemantics in (14.2) corresponds to this. If, however,

~

is

not one-to-one, this correspondance gets lost. Actually~ the construct that transfarms the program n(x,y) into n(t,t), in this sense of letter-replacement,.does notfit into our semantic theory since it is known that the semantics of n(t,t) is~ Uniquely determined by the semantics of n(x,y)! This is illustrated by the following example:

The procedures with bodies

begin y := x+l; y := x end

y := x

have the same semantics: both transfarm the initial state (a,b) into the

final state (a,a). But n

1(t,t) :begin t := t+1; t := t end

t := t

have different semantics. The first one transfarms the initial state c

into the final state c+1, the second one transfarms c into itself.

15. Application to ALGOL procedures. At first sight it seems that the conside-rations of section 11 are restricted to the simplest case of recursion, viz. the procedures without formal parameters, and it seems that they exclude

function procedures. However, if we take advantage of the primitive

con-structs of section 14, this simple case turns out to cover a very large

part of what can happen in ALGOL with respect to procedures. To be more precise we describe the situation as follows. We master the semantics of the

procedures called "by injection" (see below). A large part of the usage of procedures in ALGOL can be reduced to calls by injection, by means of slight

program rnodifications that "obviously" do not make any semantic difference.

(28)

26

-and for part of the calls by name. lt is nat easy to say what parts can be remadelled into calls by injection,and therefore it seems reasonable to take the calls by injection as the fundamented notion, and to say that the power of our semantic technique covers procedure calls ~n ALGOL as far as they can be reduced to calls by injection.

We shilll e:;<:plain the "calls by injection" in an example. I f we have a

program

begin integer n; real u; T end ( 15. I)

then T has to be

a

program ~n

z·

x IR , ALGOL permits that along with T we

n u

define a procedure with global variables n and u, and with forroal parameters

x and y, say. If these are of type ~'integer", we have, insteadof the Tin

(15.1),

procedure K(x,y); integer x,y; B; T

1•

Here B is the procedure body, and T

1 a program that makes use of K. Now B is

a program in Zn x Ru x Zx x zy' and T

1 ~s a program in ~n x Ru. This T1 may

contain calls of the procedure K. In order to be able to consider these calls

as constructs ~n the sense of the injections of section 14, we shall assume that they are what we shall denote as call by injection. Such a call may occur in some ~nner block, where the state space is sarnething like

~n x Ru x Za x ~ x ~c x ~d. Now the call by· injection has to beK( , ) where at the empty spaces we put distinct variables from the set a,c,d (i.e. different locally valid variables of the right type, excluding those variables

that were global to the procedure declaration (here: excluding n). For

example, if T

1 is

begin integer k,i ; real

z

;

k := 4 , 1 ·= 3; ... ;

if u > z then begin integer t; t := i+l; K(t,i) end end

(29)

- 27

-then the K(t,~) lS a call by injection. The local state space at the place where the call is made in zn x ~u x 2k x z~ x ~z x 2t.

Let us now consider a case of recursion. Consider the following ALGOL program on the state space Zk x Z~:

begin procedure slowgcd (~,y); integer x,y;

if y

f

0 then begin if x < y then slowgcd (y,x)

else begin x := x-y; slowgcd (x,y) end end;

slowgcd (k,~)

end.

A semantic statement about this program is that if the initial state sat is-fies k ~ 0, ~ ~ 0 then the final state satisfies either ~' = 0, k' = gcd(k,~) or k' = 0, ~' gcd(k,~).

Let us discuss how this case of recursion should be presented in the style of sections I I and 14. Let ~ be the mapping of ~I x ~

₂

that interchanges the indices 1 and 2. Take ~

=

~ = ~. If p ls a program on ~ x l , then

I 2 x y

injection~(p) is the same program on ~ x ~ but for the interchange of the

x y

letters x and y in the program. Using this we can say that we have a program-to-program function Q, mapping programs on Z x ~ onto programs

x y on ~ x Z , where Q is defined by

x y

Q(p) if y

f

0 then begin if x < y then injection~(p) else begin x := x-y; p end end •

Now RECURS(Q) lS a program on that same space. By means of an injection ~ (that turns x into k, Y into ~) ~e get for our slowgcd program

(30)

28

-After this kind of remodelling, the recurs~ve procedures with formal

parameters called by injection are open for the semantic discussion of sectiot Note that if the call "slowgcd(k,~)" is replaced by "slowgcd (k,k)"

(which is not a call by injection) in the above program, tbe final state doesnothave k'

=

gcd(k,k) as might be expected, but just k'

=

0.

In ALGOL most procedure calls are not calls by injection, but very often they can be brought under this heading by slight modifications, which consist of opening new blocks with extra variable declarations.

Let us consider the "call by value'' (in ALGOL this is indicated at the procedure declaration, and not at the procedure call; the effect is that a procedure, as far as a particular formal variable is concerned, is either always called by value or always called by nàme). If we want to call the procedure p(x,y) in the form p(3,t) (where t is a local or global variable), and if we intend both x and y to be called by value, we can write

"begin integer u,v; u .- 3; v := t; p(u,v) end".

Function procedures can be treated by adding an extra formal variable. Instead of "real procedure f(k); integer k; ... " we write

"procedure F(k,y); integer k; real y;

_"

and we use the y for receiving the value of f(k).

There is a kind of procedure usage in ALGOL that seerns to escape the reduction to injections. If a procedure f(x) is called by name by means of f(E), where Eis an expression which is not itself a variable,we can run into difficulties. We cannot always replace f(E) by "begin integer k; k := E;

p(k) end", which would essentially be a call by value.

The fact that fünction procedures can be used for procedure composition

~n the sense of f(g), ~s the basis of their expressive power, but it causes semantic trouble. We should be aware of the fact that the semantics of the

....

(31)

29

-the semantics of f(x) and g. As an example, we take on 2 x

z

t s

procedure f

1

~x); integer x; t :=x; procedure f

2(x); integer x; begin t :=x; t :=x end; integer procedure g; begin s := -s; g := I end;

The calls f₁(g) and f₂(g) turn out to be semantically different, al-though f

1 and f2 are semantically equivalent.

If, however, f(x) 1s a procedure where the x 1s called by value, then the composi te procedure f (g) is semantically determined -by the semantics of f and g. In that case we can easily reduce the calls to calls by inj ection.

In our treatment of recursion (section 11) we did not treat the case of a finite set of procedures which are defined in terros of each other. This is not hard to do by means of an extra variable. For example, if procedures p,q,r are deEned by the bodies P(p,q,r), Q(p,q,r), R(p,q,r), respectivily,

then we can define

procedure F(k); integer k; value k; if k=l then P(F(l),F(2),F(3)) else

if k=2 then Q(F(l),F(2),F(3)))

else R(F(l),F(2),F(3),.

Note that P(F(l), F(2), F(3)) is nota procedure call, but a program 1n

which the calls F(l),F(2),F(3) occur.

I f '"e have a recursive procedure p(x,y) which has in its body p(t,t)

(both x and Y called by name),then this 1s nota call by injection. We can savo

the situation if we consider p(x,y) and p(t ,t) as separate procedures. Let

(32)

30

-length of thè formal parameter list of q equal to the one of p. Next we can add a third parameter in order to get a single procedure. The following example (of a meaningless program) shows how it is clone:

procedure p(x,y); integer x,y;

begin if x=y then begin p(x,x); x := x-1 end;

if x=y then begin y := x+y; p(y,x) end end

Using some obvious shortcuts (e.g. omitting the trivial test x do our remodelling as follows:

procedure P(x,y,k); integer x,y,k; begin integer i ;

x) we

if k=l then begin if x=y then begin i := 2; P(x,y,i ); x := x-1 end; if x=y then begin y := x+y; i := I; P(y,x,i) end

end

else begin i := 2; P(x,y,i); x := x-1; x := x+x; P(x,y,i)

end end.

16. Treatment of arrays. In the previous sections we never discussed arrays. At first sight it seems that they do not fit in our philosophy of separating semantics and execution, since it may turn out only during execution that an array index 1s out of bounds. If thi~ happens, we get to sarnething that 1s neither terminatien nor non-termination, but sarnething we shall denote by "abortion".

(33)

31

-Another difficult point seems to be that the array bounds are p and q (p ~ q) then our semantic discussion can get to situations where we have

only partial information on these p and q, or no information at all. These objections do not present serieus difficulties to our semantic system. We can take various points of view about the abortions. One point of view 1s that we add to the state space ~ not just the extra element ru,

but also an element A standing for "abortion". It is treated more or less 1n the same way as the element oo, For example, one of the semantic effects

of any sub-program will be that if the initial value is A, then the final value is.A (even for sub-programs we know to be non-terminating with any

ordinary value w).

We have to interpret things like a[ k] := u semanÜcaliy. First we have to rewrite the array declaratiori. If we have on ~

begin real array a[ p:q ] ; Wend

then p and q may be expressions, or variables. In order tö express that they

are frezen at theblock entrance, we introduced new variables i,j and write

begin integer 1,J; 1 := p; q := j;

begin real array a [ i:j ] ; W end

end.

~ow we consider W as a program on~ x 2. x 2. x.A where A is the infinite

1 J

cartesian product

• • • x 1R a [ _ I] x IR a [ O ] x IR a [ I] x • • •

Th at is, inside W we treat .•• , a [ -I ] , a [ 0 ] , a [ I ] , . . . as re al

variables. Inside W we can have subprograms a [ k ] := u or v := a [ k];

where u and v are variables; let us just consider the first one. We shall

describe (in words) the maximal infomation for it. For every initial state

it gives a well-determined final state.

(i) If the initial state 1s A then the final state is A.

(34)

- 32

-(iii) If the initial state is different from

A

and oo, and if it satisfies i :S k :S j, then the final state differs from the initial state m the value of a [kJ only; its final value equals the initial value of u.

(iv) I f the initial state is different from A and oo, and if i t satisfies k > j or k < i, then the final state is A.

This describes how semantic information on W can be obtained. Getting from here to the semantics of the block "begin integer array a [ i:j ] ; Wend" is a matter of projection (see the beginning of section 14). The

fact that the state space has infinite dimension does not cause much trouble. It makes a difference in the presentation in AUTOMATH.

If a formal parameter C in a procedure is an array, we can just coneider it as an infinite set of formal parameters. If in any call of the procedure a specific array B is presented, then we can interpret this as ·a call by inj eetion, that replaces, for every i, the vaiiable C [ i ] by the variable

B [ i ] ,

17. Alternative ways tó describe program semantics, The description by means of w(n,P) can be used to express that under certain circumstances execution of n will not terminate. We:. shall now introduce a slightly weaker expression v(n,Q,R). This one says for some initial values

w

that there is terminatien

and for these

w

it may say sarnething about the final value w', but it gives no information at all for the other values of

w.

Quite often v is simpler to handle than w.

Any predicate Q on ~ can be extended to a predicate Q+ in ~+ by agreeing that Q(oo) is false. Let us call this the standard extension of Q. We can make

similar agreements for the case that ~+

=

~ U {oo} U {A} with t.hP A nf section

16, but we shall not consider this here.

+ + +

Any predicate R on ~ x ~ can be extended to a predicate R on ~ x ~

(35)

33

-+

R (w,oo) = false

+

R ( oo , w ! ) = t ru e

If Q and R are predicates on Q and Q x Q, respectively we now define

v(n,Q,R) w(n À + +

' (w ,w') EQ xQ

+ +

(Q (w) ~ R (w,w'))). (I 7. I)

The interpretation of v(n,Q,R) is that if w E Q satisfies Q(w), then execution of n with initial value w terminates, with an w' that satisfies R(w,w').

Let us call P(P E PRED) smooth if

V

n+ (P(w,oo)

~ ~

1P(w,w')).

WE" W ( 17.2)

If P 1s smooth, and if we define

Q(w) IP(w,oo), R(w,w') P(w,w'), (WErl ,W 1 dl)

then we have P(w,w') (Q (w) + ~ R + (w,w')), whence

v(n,Q,R) w(n,P).

Sa for smooth P's nothing gets lost if we use v insteadof w.

The simplification we get by restrietion to normal predicates will be clear from what was said at the end of section I I.

The use of v instead of w does nat make much of a difference: the only loss seems to be that non-termination can na langer be stated for sure.

An essentially weaker system of semantic description is the use of preconditions and postconditions. These are predicates P

1 and P2 on Q, and thesemantic statement is that if the initial state w satisfies P

(36)

- 34

-the program terminates, -then -the final state w' satisfies P

2(w'). This means that we use w(1r ,P), where P ~s defined by

P(w,w') oo)).

In this paper we discussed not-termination and abortion by adding elements oo and A to the statespace (sections 2 and 16). We shall now sketch a different point of view leading to an adapted semantic system. If we have a program Z on the state space ~. we replace it by a program

z*

on the state space ~. f x ~ b x ~. where ffi is the set of booleans.

~n a or

z*:

begin boolean inf, abor; inf:= false; abor:= f_alse;

z

end.

The identifiers inf and abor do not occur in Z, but in our adapted sernarttic system they will nevertheless play a role. If we intend to express that a certain sub-program

z

1 of Z is non-terminating, we prescribe its semantics

as the one of the single assigrunent "inf := true" • Similarly, if we intend

to express that

z

1 leads to abortion, we prescribe the semantics as the one

of "abor := true".

Reference

I. The mathematical language AUTOMATH, its usage, and some of its

extensions, Symposium on Automatic Demonstratien (Versailles

December 1968), Lecture Notes in Mathematics, Vol.l25, Springer-Verlag, 29-61 (1970).