A technique for deriving semantic information on computer programs
Citation for published version (APA):
Bruijn, de, N. G. (1973). A technique for deriving semantic information on computer programs. Technische Universiteit Eindhoven.
Document status and date: Published: 01/01/1973
Document Version:
Publisher’s PDF, also known as Version of Record (includes final page, issue and volume numbers)
Notice: This is a preliminary version. At this moment the author does not claim originality for any of the thoughts expressed in this note. The note is meant for private circulation only. N.G. de Bruijn, June 20, 1973.
A technique for deriving semantic information on computer programs.
1. Let $\pi$ be a computer program. We assume that it operates deterministically on a set $\Omega$ of states. Semantically it maps a subset of $\Omega$ into $\Omega$; the states not belonging to that subset lead to nonterminating program execution. That is, the semantics are described by a partial mapping $g$ of $\Omega$ into $\Omega$.

In a recent note [2] E.W. Dijkstra recommends discussing the semantics by means of inverse images. The inverse image of $g$ is the mapping $g^{\dagger}$ of $\mathcal{P}(\Omega)$ into $\mathcal{P}(\Omega)$ ($\mathcal{P}(\Omega)$ is the set of all subsets of $\Omega$) described by
$$g^{\dagger}(S) = \{\omega \in \Omega \mid g(\omega) \text{ is defined, and } g(\omega) \in S\}.$$
Indeed, as we know from various branches of mathematics (e.g. topology, ergodic theory), $g^{\dagger}$ has nicer properties than $g$ itself. For example we have $g^{\dagger}(S_1 \cap S_2) = g^{\dagger}(S_1) \cap g^{\dagger}(S_2)$, but not necessarily $g(S_1 \cap S_2) = g(S_1) \cap g(S_2)$. For non-deterministic programs see section 21.

2. Another matter is that Dijkstra discusses predicates on $\Omega$ rather than subsets of $\Omega$. Technically this makes no difference, but the predicates are the more natural objects when discussing a program. Thus Dijkstra expresses everything in terms of the predicate transformer $f_\pi$ that maps any post-condition onto the weakest pre-condition. That is to say, if $Q$ is a predicate on $\Omega$, then $f_\pi(Q)$ is the predicate described by
$$(f_\pi(Q))(\omega) = \text{``}g(\omega) \text{ is defined, and } Q(g(\omega)) \text{ is true''}.$$
Dijkstra discusses (i) the empty statement, (ii) concatenation, (iii) binary selection, (iv) assignment, (v) recursion. In the latter case it is not quite clear whether his simplified point of view will be efficient for deriving all required semantic information, in particular since his result requires the knowledge of $f_\pi(T)$.
3. In practical questions about programs, we usually do not bother about what the weakest pre-condition $f_\pi(Q)$ is exactly. The usual question is, if $P$ and $Q$ are given predicates, whether $P \Rightarrow f_\pi(Q)$ holds. That is, we lose something deliberately. And at intermediate stages we have to construct predicates which provide a loss we can afford and which are still sufficiently simple to manage. (This is a well known strategy in mathematics, e.g. when constructing strings of inequalities in analysis.) Therefore we may wish to deal with $P \Rightarrow f_\pi(Q)$ as the basic notion.
4. Another matter is that it cannot be hoped that it always suffices to consider, at intermediate stages, a single $Q$ only. On the other hand, the full knowledge of the mapping $f_\pi$ seems to be too much in many cases. We want to have a tool by which it can be specified what information on the semantics of pieces of program we want to keep track of.
5. We suggest the use of pairs of predicates, described presently.

We consider pairs of predicates $P, Q$, where $P$ is a predicate on $\Omega$ and $Q$ a predicate on $\Omega \times \Omega$. Actually the values of $Q(\omega,\omega')$ at points where $P(\omega)$ is false will never play a role. We might as well consider $Q$'s that are undefined at points $(\omega,\omega')$ with $P(\omega)$ false, but this would complicate many statements considerably. Accordingly, we shall say that the pairs $P,Q$ and $P',Q'$ are equal if $P = P'$ and $Q(\omega,\omega') = Q'(\omega,\omega')$ as long as $P(\omega)$ is true. This definition of equality has to be used in order to maintain (in section 6) that "$<$" is a partial order relation.

For every program $\pi$ and for every pair $P,Q$ we consider the proposition $v(\pi,P,Q)$. It has the following meaning: "For every $\omega \in \Omega$ for which $P(\omega)$ is true, execution of the program $\pi$ with initial state $\omega$ leads to termination at a state $\omega'$ for which $Q(\omega,\omega')$ is true." If this proposition is true, we say that $(P,Q)$ gives semantic information about the program. We also say that $(P,Q)$ is a predicate pair for $\pi$.

6. The class of all pairs $(P,Q)$ is partially ordered by a relation we write as $<$. We say that $(P,Q) < (P',Q')$ if both (i) and (ii) are true:
(i) For all $\omega$ we have $P(\omega) \Rightarrow P'(\omega)$.
(ii) For all $\omega, \omega'$ we have $(P(\omega) \wedge Q'(\omega,\omega')) \Rightarrow Q(\omega,\omega')$.
It is easy to show that if $\pi$ is a program, and $(P,Q) < (P',Q')$, then $v(\pi,P',Q') \Rightarrow v(\pi,P,Q)$. The philosophy is that $v(\pi,P',Q')$ gives the same or more detailed information about at least the same cases as $v(\pi,P,Q)$ did.
7. For every program $\pi$ there is a maximal pair $(P_0,Q_0)$. If $g$ is the partial mapping of $\pi$, then $P_0(\omega)$ is the proposition that $g(\omega)$ is defined (i.e. that execution of $\pi$ with the initial state $\omega$ leads to termination), and $Q_0(\omega,\omega')$ is the proposition $P_0(\omega) \Rightarrow \omega' = g(\omega)$. We have $v(\pi,P_0,Q_0)$, and for all pairs $(P,Q)$ with $v(\pi,P,Q)$ we have $(P,Q) < (P_0,Q_0)$.
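The definitions of sections 1 and 5 to 7 can be checked exhaustively on a finite state space. The following Python is an added example and is not part of de Bruijn's note: it assumes a constructed state space $\Omega = \{0,\ldots,7\}$, represents a program by its partial mapping $g$ as a dict (states absent from the dict do not terminate), takes the constructed sample program $g(\omega) = \lfloor \omega/2 \rfloor$ on $0,\ldots,6$, and verifies that $g^{\dagger}$ distributes over intersection while $g$ does not, that the ordering of section 6 is respected by $v$, and that $v(\pi,P,Q)$ holds exactly when $(P,Q)$ lies below the maximal pair $(P_0,Q_0)$.

```python
# Added example (not from de Bruijn's note): sections 1, 5, 6 and 7 on a
# constructed finite state space, where every claim can be checked by
# enumeration.
from itertools import product

OMEGA = range(8)                              # constructed state space {0,...,7}

# A program is represented by its partial mapping g (section 1): a dict from
# initial state to final state; states missing from the dict do not terminate.
SAMPLE_G = {w: w // 2 for w in range(7)}      # constructed sample; state 7 never terminates


def inverse_image(g, S):
    """g-dagger(S) = {w | g(w) is defined and g(w) in S}   (section 1)."""
    return {w for w in OMEGA if w in g and g[w] in S}


def forward_image(g, S):
    """g(S), the ordinary image of a set under the partial mapping."""
    return {g[w] for w in S if w in g}


def subsets(universe):
    """All subsets of a small finite set, for exhaustive checks."""
    universe = list(universe)
    for bits in range(1 << len(universe)):
        yield {x for i, x in enumerate(universe) if bits >> i & 1}


def dagger_distributes(g):
    """Section 1: g-dagger(S1 & S2) == g-dagger(S1) & g-dagger(S2) for all S1, S2."""
    return all(inverse_image(g, S1 & S2) == inverse_image(g, S1) & inverse_image(g, S2)
               for S1 in subsets(OMEGA) for S2 in subsets(OMEGA))


def forward_counterexample(g):
    """Section 1: some S1, S2 with g(S1 & S2) != g(S1) & g(S2), or None."""
    for S1, S2 in product(subsets(OMEGA), subsets(OMEGA)):
        if forward_image(g, S1 & S2) != forward_image(g, S1) & forward_image(g, S2):
            return S1, S2
    return None


def v(g, P, Q):
    """Proposition v(pi,P,Q) of section 5: every state satisfying P leads to
    termination in a state w2 with Q(w, w2)."""
    return all(w in g and Q(w, g[w]) for w in OMEGA if P(w))


def below(pair, pair2):
    """(P,Q) < (P',Q') of section 6: P implies P', and P and Q' imply Q."""
    P, Q = pair
    P2, Q2 = pair2
    return (all(P2(w) for w in OMEGA if P(w))
            and all(Q(w, w2) for w, w2 in product(OMEGA, OMEGA) if P(w) and Q2(w, w2)))


def maximal_pair(g):
    """(P0,Q0) of section 7: P0 = 'g(w) is defined', Q0 = (P0(w) implies w2 = g(w))."""
    P0 = lambda w: w in g
    Q0 = lambda w, w2: (w not in g) or w2 == g[w]
    return P0, Q0


def information_order_respected(g, pairs):
    """Section 6: (P,Q) < (P',Q') and v(pi,P',Q') together imply v(pi,P,Q)."""
    return all((not (below(a, b) and v(g, *b))) or v(g, *a)
               for a, b in product(pairs, pairs))


def maximal_pair_characterises(g, pairs):
    """Section 7: v(pi,P,Q) holds exactly when (P,Q) < (P0,Q0)."""
    P0Q0 = maximal_pair(g)
    return v(g, *P0Q0) and all(v(g, P, Q) == below((P, Q), P0Q0) for P, Q in pairs)


# Constructed family of candidate pairs used in the checks.
SAMPLE_PAIRS = [(P, Q) for P in (lambda w: True, lambda w: w < 4,
                                 lambda w: w % 2 == 0, lambda w: w == 7)
                       for Q in (lambda w, w2: True, lambda w, w2: w2 <= w,
                                 lambda w, w2: w2 == w, lambda w, w2: w2 < 3)]

if __name__ == "__main__":
    print("g-dagger distributes over intersection:", dagger_distributes(SAMPLE_G))
    print("g does not; witness:", forward_counterexample(SAMPLE_G))
    print("section 6 holds on the sample pairs:",
          information_order_respected(SAMPLE_G, SAMPLE_PAIRS))
    print("section 7 holds on the sample pairs:",
          maximal_pair_characterises(SAMPLE_G, SAMPLE_PAIRS))
```

The predicate-pair equality of section 5 matters here: `below` only inspects $Q$ at states where $P$ holds, which is exactly why the characterisation through the maximal pair comes out as an equivalence rather than a one-way implication.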
8. The art of proving program correctness can be described as follows. We want to establish for a given composite program $\pi$ that for a given $(P,Q)$ we have $v(\pi,P,Q)$. We do this by establishing suitable predicate pairs for various parts of $\pi$. There are several syntactic devices for composing a program from its parts; for each of these devices we have to say how a pair $(P,Q)$ for the composite program can be constructed when pairs for the sub-programs are known. At any stage of the program correctness proof we may deliberately lose information by replacing a pair by a simpler one that is lower in the sense of the partial ordering.

9. Quite often it will be possible to select pairs $(P,Q)$ where $Q(\omega,\omega')$ depends on $\omega'$ only. In such cases $v(\pi,P,Q)$ is equivalent to the proposition $P \Rightarrow f_\pi(Q)$ discussed in section 3.

10. Without going into axiomatization, we display a few properties of the function $v$. In order to avoid further repetition, we list our notations here: $\Omega$ is the set of states; $\omega, \omega', \ldots$ denote elements of $\Omega$; we use letters $P, Q$ for predicate pairs; we use "$<$" for the partial ordering (section 6); $\pi, \pi_1, \ldots$ denote programs; $T$ is the predicate that is true for all values of its variables, and $F$ is the one that is false for all values of its variables. We use $\neg$ for negation, $\Rightarrow$ for implication, $\wedge$ for "and", $\vee$ for "or", $\Leftrightarrow$ for logical equivalence. These symbols are used for propositions as well as for predicates.

11. Properties that do not depend on the structure of the program but only on the fact that the program provides a partial mapping.
(iv) $v(\pi, P_1 \vee P_2, Q) \Leftrightarrow (v(\pi,P_1,Q) \wedge v(\pi,P_2,Q))$.
(v) (stated already in section 6) If $(P,Q) < (P',Q')$ then $v(\pi,P',Q') \Rightarrow v(\pi,P,Q)$.

12. The empty statement. Let $\pi$ be the empty program. (Its partial mapping is the identity on $\Omega$.) Then
The maximal pair is the pair $P_0, Q_0$ with $P_0 = T$, $Q_0(\omega,\omega') = (\omega = \omega')$ for all $\omega, \omega'$.
13. Concatenation. Let $\pi$ denote the program $\pi_1;\pi_2$. Assume that $v(\pi_1,P_1,Q_1)$ and $v(\pi_2,P_2,Q_2)$ are true. Let $P_3,Q_3$ be a third predicate pair. Assume
(i) $P_3 \Rightarrow P_1$;
(ii) for all $\omega, \omega'$ we have $(P_3(\omega) \wedge Q_1(\omega,\omega')) \Rightarrow P_2(\omega')$;
(iii) for all $\omega, \omega', \omega''$ we have
Under these assumptions (i), (ii), (iii) we have $v(\pi,P_3,Q_3)$. The maximal pair $(P_3,Q_3)$ that satisfies these conditions is given by
$$P_3(\omega) = P_1(\omega) \wedge \forall\omega'\,\big(Q_1(\omega,\omega') \Rightarrow P_2(\omega')\big), \qquad Q_3(\omega,\omega'') = \forall\omega'\,\big(Q_1(\omega,\omega') \Rightarrow Q_2(\omega',\omega'')\big).$$

14. Binary selection. Let $B$ be a predicate, let $\pi_1, \pi_2$ be programs, and let $\pi$ be the program "if $B$ then $\pi_1$ else $\pi_2$". Assume that $v(\pi_1,P_1,Q_1)$ and $v(\pi_2,P_2,Q_2)$ are true. Moreover assume that
and that for all $\omega, \omega'$
Then we have $v(\pi,P_3,Q_3)$. The maximal pair $P_3, Q_3$ that satisfies these relations is
15. Assignment. An assignment $\pi$ is a program whose partial mapping $g$ is defined for all $\omega$ that satisfy a predicate $D$ (usually $D = T$); this $g$ is explicitly given in the program as $\omega := g(\omega)$. Assuming that for all $\omega$
we have $v(\pi,P,Q)$. The maximal pair is the one given by $P = D$, $Q(\omega,\omega') = (\omega' = g(\omega))$.
16. Declaration. We consider two different sets of states. The one is $\Omega$, the other is $\Omega_1 = \Omega \times \Lambda$. In order to have something that can be used as a type in ordinary Algol, we take for $\Lambda$ the set of all integers. For $\Omega$ we have a predicate pair $P, Q$, and for $\Omega_1$ we have a predicate pair $P_1, Q_1$. Elements of $\Omega_1$ will be denoted as $(\omega,\lambda)$ (where $\omega \in \Omega$, $\lambda \in \Lambda$). Let $\pi_1$ be a program operating on $\Omega_1$ and let $\pi$ be the program "begin integer $\lambda$; $\pi_1$ end". Assume that $v(\pi_1,P_1,Q_1)$ is true, and that
(i)
(ii) $\forall\omega \in \Omega\ \forall\lambda \in \Lambda\ \forall\omega' \in \Omega\ \forall\lambda' \in \Lambda\ \big((P(\omega) \wedge Q_1((\omega,\lambda),(\omega',\lambda'))) \Rightarrow Q(\omega,\omega')\big)$.
Then we have $v(\pi,P,Q)$. The maximal pair $P, Q$ that satisfies these relations is given by

17. Recursion. Just like Dijkstra [2] did, we restrict ourselves to a recursive procedure without local variables and without parameters. The body can be described as follows. Take a finite number of syntactic variables $\xi_1, \ldots, \xi_m$. The expression $\Phi(\xi_1, \ldots, \xi_m)$ stands for something that turns into a program if programs are substituted for $\xi_1, \ldots, \xi_m$. We now want to define the recursive procedure $\Pi$ by describing its body as $\Phi(\Pi, \ldots, \Pi)$.

Example. Let $\pi_1$ and $\pi_2$ be programs, and let $\Phi(\xi_1, \xi_2)$ be
"if $B$ then begin $\xi_1$; $\xi_2$; $\pi_1$ end else $\pi_2$".
This leads to the procedure
"procedure $\Pi$; if $B$ then begin $\Pi$; $\Pi$; $\pi_1$ end else $\pi_2$;".

We return to the general case where $\Pi$ is defined as $\Phi(\Pi, \ldots, \Pi)$. Let $(P,Q), (P_0,Q_0), (P_1,Q_1), \ldots$ be predicate pairs. We assume that $P_0 = F$, and that for every integer $k \geq 0$ the following is true: for all programs $\pi_1, \ldots, \pi_m$ with $v(\pi_i,P_k,Q_k)$ ($i = 1, \ldots, m$) we have $v(\Phi(\pi_1,\ldots,\pi_m), P_{k+1}, Q_{k+1})$. We also assume that for every pair $\omega, \omega'$ there is a number $k \geq 0$ such that
Then we have $v(\Pi,P,Q)$.
18. As an example we treat the program "while $B$ do $\pi_0$", where $B$ is a predicate and $\pi_0$ is a program. It can be written as a recursive procedure (cf. [1]):
"procedure $\Pi$; if $B$ then begin $\pi_0$; $\Pi$ end else $\pi_e$;"
(where $\pi_e$ is the empty statement). Now $\Phi(\xi)$ is given by
$\Phi(\xi) = $ "if $B$ then begin $\pi_0$; $\xi$ end else $\pi_e$".
In order to apply the contents of the previous section, we have to know for what pairs $P, Q, P', Q'$ it is true that for all programs $\pi$ with $v(\pi,P,Q)$ we have $v(\Phi(\pi),P',Q')$. The answer is that $(P',Q') < (P^*,Q^*)$, where
$$P^*(\omega) = \big(B(\omega) \Rightarrow (P_0(\omega) \wedge \forall\omega'\,(Q_0(\omega,\omega') \Rightarrow P(\omega')))\big),$$
$$Q^*(\omega,\omega'') = \big(B(\omega) \wedge \forall\omega'\,(Q_0(\omega,\omega') \Rightarrow Q(\omega',\omega''))\big) \vee \big(\neg B(\omega) \wedge (\omega = \omega'')\big).$$
Here $P_0, Q_0$ is the maximal pair for the program $\pi_0$.

19. In section 17 there is the sentence "for all programs $\pi_1, \ldots, \pi_m$ with ...". This can be replaced by something that does not talk about all programs. We can say: if we behave as if $\xi_i$ were a program for which $v(\xi_i,P_k,Q_k)$ holds, then we obtain, by application of our semantic rules, the truth of $v(\Phi(\xi_1,\ldots,\xi_m),P_{k+1},Q_{k+1})$. Needless to say, this requires a more serious discussion of those rules than we attempted here.
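The concatenation rule of section 13 and the while-loop rule of section 18, iterated from $P_0 = F$ as section 17 prescribes, can be worked through on the same kind of finite model. The following Python is an added example and is not from the note: it assumes a constructed state space $\Omega = \{0,\ldots,7\}$, a constructed loop body $\pi_0$ with $g_0(\omega) = \omega - 2$ defined only for $\omega \geq 2$, and the guard $B(\omega) = (\omega > 0)$. It builds the maximal pair of $\pi_0;\pi_0$ by the formula of section 13 and compares it with the maximal pair of the composed partial mapping, then applies the transformer $(P,Q) \mapsto (P^*,Q^*)$ of section 18 repeatedly, obtaining after four steps the maximal pair of "while $B$ do $\pi_0$" (the even states terminate at 0; the odd ones never terminate, because $\pi_0$ is undefined at 1).

```python
# Added example (not from de Bruijn's note): the concatenation rule of
# section 13 and the while-loop rule of section 18, iterated as in section 17,
# on a constructed finite state space.
from itertools import product

OMEGA = range(8)                                   # constructed state space {0,...,7}

# Constructed loop body pi0: "omega := omega - 2", defined only for omega >= 2,
# and the guard B of "while B do pi0".
G0 = {w: w - 2 for w in OMEGA if w >= 2}
B = lambda w: w > 0


def v(g, P, Q):
    """v(pi,P,Q) of section 5 for a program given by its partial mapping g."""
    return all(w in g and Q(w, g[w]) for w in OMEGA if P(w))


def maximal_pair(g):
    """(P0,Q0) of section 7."""
    return (lambda w: w in g), (lambda w, w2: (w not in g) or w2 == g[w])


def pairs_equal(pair, pair2):
    """Equality of predicate pairs as defined in section 5: the Q's only have
    to agree where P holds."""
    P, Q = pair
    P2, Q2 = pair2
    return (all(P(w) == P2(w) for w in OMEGA)
            and all(Q(w, w2) == Q2(w, w2) for w, w2 in product(OMEGA, OMEGA) if P(w)))


def compose(g1, g2):
    """Partial mapping of pi1;pi2: defined where g1 is defined and g2 is
    defined at the intermediate state."""
    return {w: g2[g1[w]] for w in g1 if g1[w] in g2}


def concat_pair(P1, Q1, P2, Q2):
    """Maximal pair (P3,Q3) for pi1;pi2 from section 13."""
    P3 = lambda w: P1(w) and all(P2(w1) for w1 in OMEGA if Q1(w, w1))
    Q3 = lambda w, w2: all(Q2(w1, w2) for w1 in OMEGA if Q1(w, w1))
    return P3, Q3


def while_step(P, Q):
    """(P*,Q*) of section 18 for Phi(xi) = 'if B then begin pi0; xi end else
    empty', given a pair (P,Q) assumed for xi; (P0,Q0) is the maximal pair of pi0."""
    P0, Q0 = maximal_pair(G0)
    Pstar = lambda w: (not B(w)) or (P0(w) and all(P(w1) for w1 in OMEGA if Q0(w, w1)))
    Qstar = lambda w, w2: ((B(w) and all(Q(w1, w2) for w1 in OMEGA if Q0(w, w1)))
                           or ((not B(w)) and w == w2))
    return Pstar, Qstar


def iterate_pairs(k):
    """Section 17: start from P_0 = F and apply the step k times, giving (P_k,Q_k)."""
    P, Q = (lambda w: False), (lambda w, w2: True)
    for _ in range(k):
        P, Q = while_step(P, Q)
    return P, Q


def while_semantics(fuel=64):
    """Partial mapping of 'while B do pi0', computed directly by running it."""
    g = {}
    for w in OMEGA:
        s = w
        for _ in range(fuel):
            if not B(s):
                g[w] = s
                break
            if s not in G0:          # body undefined here: the loop never terminates
                break
            s = G0[s]
    return g


def covered_states(P):
    """States on which a predicate holds, for inspecting P_k."""
    return sorted(w for w in OMEGA if P(w))


if __name__ == "__main__":
    print("section 13 pair equals the maximal pair of pi0;pi0:",
          pairs_equal(concat_pair(*maximal_pair(G0), *maximal_pair(G0)),
                      maximal_pair(compose(G0, G0))))
    for k in range(1, 6):
        print(f"P_{k} holds on", covered_states(iterate_pairs(k)[0]))
    print("(P_4,Q_4) is the maximal pair of the loop:",
          pairs_equal(iterate_pairs(4), maximal_pair(while_semantics())))
```

Each $P_k$ covers exactly the states from which the loop terminates within $k-1$ iterations of the body, which is the sense in which section 17's second assumption (a $k$ for every pair $\omega, \omega'$) is met on this model; a state such as 1, where $\pi_0$ is undefined, never enters any $P_k$, matching the loop's partial mapping.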
20. Monotonicity rules. Assume that a program $\pi$ contains a sub-program $\pi_1$ and that, by our semantic rules, we have derived $v(\pi,P,Q)$ using about $\pi_1$ nothing but $v(\pi_1,P_1,Q_1)$. Compare this with the situation where we start from $v(\pi_1,P_1',Q_1')$, with a pair $(P_1',Q_1') > (P_1,Q_1)$. Then our rules produce the truth of some $v(\pi,P',Q')$ with a pair $(P',Q') > (P,Q)$.

This is in accordance with the interpretation of the predicate pairs as information. If $v(\pi,P,Q)$ is true, then $(P,Q)$ gives semantic information about $\pi$. If $(P',Q') > (P,Q)$, and $v(\pi,P',Q')$ is still true, then $(P',Q')$ gives at least the same amount of information. The maximal amount is the maximal pair (see section 7). It gives all semantic information there is, viz. the full knowledge of the partial mapping.
21. We excluded non-deterministic programs in the previous sections; yet the technique of predicate pairs may apply to them, provided we omit the statements about maximal pairs made in the previous sections.

As an example we take for $\Omega$ the set of reals. The following program operates on $\Omega$ (the integer x is declared but never assigned before use, so its initial value is arbitrary):
begin integer x; x := x * x; $\omega$ := x end
If we take $P = T$, $Q(\omega,\omega') = (\omega' > -2)$, then $v(\pi,P,Q)$ is true in the sense explained at the end of section 5.

Non-deterministic programs may have little practical value, unless one wants to include in this category the kind of numerical subroutines
22. Often we have the situation that in a predicate pair $P_1, Q_1$ the $Q_1$ does not depend on its first variable (i.e. $Q_1$ depends on $\omega'$ only; cf. the end of section 9). The general case can be reduced to this one: if $P$ and $Q$ are given, and if $P_1, Q_1$ are defined by
then we have
$$v(\pi,P,Q) \Leftrightarrow \forall\ldots\ v(\pi,P_1,Q_1).$$
It is, however, questionable whether such a reduction is practical.
23. The technique of expressing semantic information by means of pairs is suggested to be quite suitable for the presentation of program correctness by means of an AUTOMATH text. There are various possibilities to do this (in AUTOMATH or in a related language) such that one and the same book contains both the syntax and the semantics of the program.

We indicate one such possibility here in AUT-QE. For details about the AUTOMATH languages we refer to [1]. For better readability we write prop instead of type if the interpretation is a proposition. For any type $\Omega$ we assume the existence of a type "program($\Omega$)". We intend to let the objects in this type be programs acting on $\Omega$.

    program := PN   type

By means of axioms we introduce primitive programs and composition rules for programs. For example, we describe a partial mapping $g$ with domain $D$:

    g := [ω,Ω][u,D(ω)] Ω
    assignment := PN   program(Ω)

For concatenation and if-then-else we write

    π1 :=   program(Ω)
    concatenation := PN   program(Ω)
    B := [ω,Ω] prop
    ifthenelse := PN   program(Ω)

So the programs "$\pi_1;\pi_2$" and "if $B$ then $\pi_1$ else $\pi_2$" are denoted by "concatenation($\pi_1,\pi_2$)" and "ifthenelse($\pi_1,\pi_2,B$)". Similarly we can introduce "while $B$ do $\pi$". For recursive programs we do the following. We introduce a mapping $\Phi$ (cf. section 17) that sends programs $\pi$ into $\Phi(\pi)$. Now the recursive procedure $\Pi := \Phi(\Pi)$ is introduced as fix$\Phi(*)$:

    Π := fixΦ(*)   program(Ω)

Having described programs this way, we turn to semantics. We introduce $v(\pi;P,Q)$ as a primitive:

    P := [ω,Ω] prop
    Q := [ω,Ω][ω',Ω] prop
    v := PN   prop

Next we can describe semantic rules (like those of sections 12-18) as mathematical theorems or axioms. This can of course be quite complicated.
References.
1. N.G. de Bruijn, The mathematical language AUTOMATH, its usage, and some of its extensions, Symposium on Automatic Demonstration (Versailles, December 1968), Lecture Notes in Mathematics, Vol. 125, Springer-Verlag, 29-61 (1970).
2.