intermediate assertions is needed to prove the completeness of the inductive assertion ... a completeness result for a Hoare-like axiomatic system (see [7]) for a ...
SIAM J . C O M PU T .
t 1980 Society for Industrial and Applied Mathematics 0097-$397/80/0904-0001 $01.00/0
Vol. 9, No. 4, November 1980
COMPLETENESS WI T H FINITE SYSTEMS OF INTERMEDIATE ASSERTIONS FO R RECURSIVE P ROGRAM SCHEMES* KRZYSZTOF R . APT t AND LAM BER T G. L. T . M EERTENSt Abstract. I t is proved that in the general case of arbitrary context-free schemes a program is (partially) correct with respect to given initial and final assertions if and only if a suitable finite system of intermediate assertions can be found. Assertions are allowed from the extended state space V x V. This result contrasts with the results of [2], where it is proved that if assertions are taken from the original state space V. then in the general case an infinite system of intermediate assertions is needed. The extension of the state space allows a unification in the relational framework of [2], of the (essence of the) results of [2], and of [4], 151 and [6], and provides a semantic counterpart of the use of auxiliary variables. Key words. partial correctness, intermediate assertions, relational framework, extended state space, recursive program schemes
1. Introduction. De Bakker and Meertens proved in [2] that an infinite system of intermediate assertions is needed to prove the completeness of the inductive assertion method in the case o f an arbitrary system o f (mutually) recursive parameterless procedures. On the other hand, Gorelick in [5] extended the results of [3] and obtained a completeness result for a Hoare-like axiomatic system (see [7]) for a fragment of ALGOL 60 in which (deterministic) systems of recursive procedures are allowed. Thus any true asserted statement is provable. (Observe, however, that the axiomatic system uses an oracle determining the truth o f formulas from the underlying assertion language.) From the proof we can extract all intermediate assertions about atomic substatements of the original program. Since proofs are finite, we obtain a finite system of intermediate assertions, thus apparently contradicting the result of [2]. Also [4] and [6] avoid the necessity of an infinite number of assertions by using an extension of the inductive assertion method. The purpose of this paper is to investigate this issue in the 'relational framework of [2] and to obtain, within that framework, a unification of the (essence of the) results of [2] and of [4], [5] and [6]. The solution of the apparent contradiction lies in the fact that in [4], [5] and [6] auxiliary variables are used (to store the initial values of variables). These auxiliary variables have no semantic counterpart in the relational framework of [2]. Semantically, the use of auxiliary variables corresponds to the use of states which have an additional coordinate (from a space in a cce ssib le to a program. We shall call the domain 'V x 11 1 oWe f prove that if one allows intermediate assertions from the extended state space V x V, s u cthen h one can always find a finite system of intermediate assertions. More precisely, is partially correct with respect to given initial and final assertions if s t a at program e and only if a suitable finite system of assertions from the extended state space can be s found. Thus for the space 'kV one can take the original state space 7/ a n shows that for IV one could also take the set of all so-called index-triple sequences, so .e x t e that these two completeness .n T dh ee o rd e m 4 results . 4 differ only o in thef choice of the extended state space. Our choice is both more economical and easier to use in the concrete proofs. [s 2t ] a t e s * Received p by the editors December 27, 1978, and in revised form October 19, 1979. This publication is aarevisedcform of the Mathematical Centre Report IW 84/77. t Faculty of Economics, Erasmus University Rotterdam, P.O. Box 1738, Rotterdam, The Netherlands. e t Mathematical . Centre, Kruislaan 413, Amsterdam, The Netherlands. 665
666 K R Z Y S Z T O F R. APT AND LAMBERT G. L. T. MEERTENS In [2] it is proved that in the case of regular declaration schemes (corresponding to flow-chart programs) one can always find a finite system of intermediate assertions taken from the original state space. In more syntactical terms this can be interpreted as a statement that auxiliary variables are not needed for correctness proofs in the case of flow-chart programs. They are needed in the general case o f arbitrary systems of (parameterless) procedure declarations. In the relational framework any subset of the state space can be taken as an assertion. This is not the case with a more syntactical approach in which assertions are formulas from an assertion language. These two different approaches lead to different types of completeness results. Thus one should be cautious in translating results from one framework into the other because there can exist subsets of the state space which do not correspond to (are not defined by) any formula from the assertion language. This problem within the relational framework could be resolved by defining a language over the state space in which assertions could be expressed. However, a natural question then arises as to which formulas (subsets) should be accepted as assertions. This problem has been studied in [1]. 2. Preliminaries. As in [2] we shall use binary relations over the state space to provide an interpretation for systems of mutually recursive procedures. More precisely, given a set 9 = {Pi, • • • , Pn} of procedure symbols, we define a language o f "statements" , 9 ' () as follows: let s i = {I, AI, A2, • • '} be a set o f "elementary action" symbols, A = {ti, t2, • • •} a set of "Boolean expressions." 9*(P) is then the least set containing si U U 9 that is closed under the operations " ; " (sequencing) and " " (nondeterministic choice). By a declaration scheme we mean a set 2 = {Pi 4S1, • • • , w h e r e for i = 1, • • • , n, P, E g, S, E ( 9 ) In [2] a theory of partial correctness and inductive assertions has been worked out in a relational framework. The meaning of a program is viewed as a binary relation over the state space, i.e., a set of pairs of initial and final states, whereas an assertion is viewed as a subset of the state space, i.e., the set of states satisfying the assertion. We recall some definitions from [2] which are used below. Let V be the domain of states. Letters R, R p, q, Ir subsets of V; x, y, z elements of VI R ., • • • d e n o t e i p, {n( x , ax): xr E p}, b i y ; R r2 p e = l {31:a3x[xt Epi A xRy]}, o n s R = {(x, y): yRx}, o = v e r denotes the empty set. f V ; ( Throughout the paper we use the convention fro m [2] that in any expression X , involving programs and assertions built up by using ; , U o r w e suppress the subscriptY " ," . ) :So, for example, if we write p;Rg_Thq we actually mean p „ ; R g . R ; q , , i.e., J Vx, y[(x Ep A xRy)-i y e q], or (informally speaking) that the program R is partially . Z with respect to p and q. We shall need the following results proved in [2]. correct LEMMA [ 1. X R 1 Z (Ai i i ) ( R i L i R 2 ) ; R 3 = Z ( i v) V ( R 1 ; R 2 ) - R “ P A e IR l ) ,c
(i) (Ri; R2); R3 = Ri; (R2; R3) ( = (ii) R i R i ; R 3 U R2; R3, ; If( X R ( Y I2 1 ,RU2 • , . •R • •3
Ri; R2; R3, from now on),
COM P L E TE NE S S W I T H F I N I T E S Y S TE M S
6
6
7
Let 0 = {Pi S i , • • • , Pn b e a declaration scheme. By an interpretation i into a 9 state space 'V we mean a mapping from 9 '(g ) into relations over V such that: (a) f o r each A E 6 ( A ) is a binary relation over V; (b) 6 (/) = {(x, x): x e (c) f o r each t E ( t ) is a subset of 'V; (d) f o r each F (e) e iP (S, i ; S2) i = ie (Si); ie(S2); (f) i2 (S 1 U S2) = ( S t ) U i2(S2); ( P ) (g) ( j i s = (lo(S1), • • • , le(Sn)) holds. e a (ie(Pi), • • • , Th e tb above is the usual denotational semantics of recursive program schemes. i definition n Its justification (a P r y a n d equivalence wit h operational semantics i s a n immediate consequence ir ) , e lof the results proved in [21 Observe, f o r example, th a t i f • [ ] ; ' t •a t i mentioned above ie (P) = ig (ti)+; ie (t2)-ft •o n In the sequel ; t 2 1 , wet shall h ealways n consider programs with respect to a given declaration •o We shall freely identify statements and their interpretations, hoping that no scheme. d u e t o ,v confusion will t h result e from this. ie c3. Extending o n vthe estaten space. t iWeonow want to use the assertions from the e r n extended space V x V. In order to do this we have to extend (in an obvious way) several (' operations from V into 'V x V. Let a, b denote subsets of 'V x V used as assertions and P cr, 1 V n ; R o - t =1((x, The -e l )operations ; and , mentioned above retain their meaning when applied to subsets of ) ), e( V (x yV), x x 'V) and 'V x 'V respectively, so obviously Lemma 1 holds in the case of i) ) : the- extended state space V x VI We shall use in the sequel "mixed" expressions o m s involving assertions from 'V x V and programs from 'V x V. While doing so we shall xe R t always mean th e ir "extensions" to ( V x V) x (V x 'V), which can be obtained by yn attaching the subscript , to assertions and the superscript t h A twe s R2,mwe t o write p r oRi;g a; r a s actually . F mean o RI;r a cothat ethe convention of omitting brackets (as indicated in Lemma 1) does not lead now to + x- a m p l e , e rfany ambiguities, since (R ;i Rl I . f T h e E 'ri e Observe e rcl; R R ; b means that a , , R e a d that 7 V T c R s; R h o u l d Vx, y /u2 at c so n v i n, c e 1 sh)or that the program R ise partially correct with respect to a and b. ; b , , i . e . , i m s l f cr shall need the following definition: b1 tWe e h a t nt [(( e d' = x a, (R) = 1(x, o taR I ; t the proofs below 0 - we shall use Scott induction to prove inclusions between h sR In I . relations on 'V x u - ): T e a pxScott induction. L e)t[ gO= R{PiT , e sdeclaration W • t, •LetEA l 5 1 ( Pscheme. te e ( i from up assertions from 'V • , es a x XV and programs from V x V and formal (place-holding) cnvariables ( X sP , X i ) , A, i i o (i) W o ) l • •x T n, • u(ii) f o r each R 1, • • • , R„ x 'V, / e c•• • • R, o d• i f W X S( fl, , , n fcX hp • , 1then g1(.91(R1, y• • • , Rn), • • • , Sn(R11 • • • 1 Rn)) n t ( ( RP 1 , ) a ou i 1, ) hs• • a n g gdr ( S -I ( R b • — , R J , . . . , S n ( R b . — , R r ) ) . p on e g• • • r; a , • r t• • > o da ( X , ( ,R ( g i
668 K R Z Y S Z T O F R. APT AND LAMBERT G. L. T. MEERTENS Then gl(P1, • • • 'PO g-gr(P1, • • • , P,2). The proof is analogous to the proof of the version formulated in [2]. 4. Completeness result. The general context-free declaration scheme is (I)
{
P
i
S o U
Si,21..) • • • U
with M i S s o t where m e A(i, j, k)E U P ( i , j, k) e {PI, • • • , PO, and K i n S ,, ithen = above declaration scheme each P(i, j, k) is some element of {Pi, • • • , PO. , e In the tQ A Define a function h i by: a n n h(i, t ej, kg) e r gi sies The general ( inductive method - i ( i assertion f K calls for suitable intermediate assertions rsO preceding and succeeding each statement in the program. The theorem presented P ( i , = 1-= p I 1 ii l l Im below states soundness and completeness of a particular version of the method in which , , k j y , ) ,l0intermediate assertions from the extended state space are used. The theorem shows that j = aAthe global correctness property p; P , n(intermediate of the special form a', a(i, j, k), b' and b(i, j, k). 1 iP i ;0 assertions q Assume the declaration scheme (1). For any two assertions p, d,c aTHEOREM, n jea l w) a y s P; Pi P i ; ; a,b e P c0ei f there s exist t( aassertions b l bi sc clix h V (i {1 , • • • , n}) and relations R 11, • • • , j e {I, • • • , M h)ei d )ilb,Ei , 1k Ci X e S yV lV aa'n; A(i, d, ( j, 0)i g k A(i, j, 0); b E .i 1 i f K fi, • nj d i n { I , t ,e g , • i (2) a, ' ; A(i, j, 0) •A ( i , 0 ) ; a(i, j, 1), • ib(i,=j,l k);0A(i, , k ) g A(i, j, k); a(i, j, k +1), k =1, • • • , K , ) , i j j, K ) ; A (i, i K M b(i, J; 1 ) i „J — f K =K Jand t ud • s c I ) c• A , I n (19 x p)g a 0 , ,h (3) > ( i A, l , h a •t 1 1 (, K •t tHereI by definition a(i, j, k)= a o •f 1 readable we shall prove the theorem in the ,Proof. h ( , To) make the argument more r ,case;of P A I ; P; A2;( P; A3 U A4. The proof for the case of the general ' j declaration a ' ' 'the l M 7 context-free scheme is analogous and we leave it to the reader. We thus bk ) , ' declaration , ,lprove( R the following. p K oi Assume the declaration P A l ; )P; A2; P; A3 U /44. For any two assertions p, q c i k , l E 71, f q ) , ,a n d b tl xp ; P g P ; q , ( ,i , h• p j exist iff there — , assertions a, b c '11 x Ir and relations R1,R2c I t x 'V such that e• . k 1 ) • a ;A1 cA1 ;a (R1 ), f = ) h , o b (R b ; rn(4) 1 P 1 b(R2); A3 A 3 ; b, m ); ( a a ; A 4 c. A 4 ; b , A i n 2 , d g K A i
669
COM P L E TE NE S S W I T H F I N I T E S Y S TE M S
and I 11(p xp )g a,
(5)
b il(V xp )cq xp . I f part. We first prove by Scott induction that (6)
a;P.cP;b.
Assume that a; X c_ X; b for some X c 7 r , i.e., that y, of((x, o-)E a A xXy)-* (y, cr) 101 Thus for any relation R, y , Gr, T [ CT RT A ( X , T ) e a A x X y
7
)
b ] ,
i.e., according to our notation, (7)
a
(
R
)
;
X g_ X ; b(R).
Now, due to the assumptions, Lemma 1 and (7), a; (A l; X; A2; X; A3 )=(2 ; A l); X; A2; X; A3c.A1; a (Ri); X; A2; X; A3 c A l ; 2 ) ; A 3
X;
b(R1); A2;
X;
A3 g Al;
X;
A 2 ; a ( R2) ; X ;
A 3 c441;
X;
b ( R
c ( A l ; X ; A2 ;X; A3); b. Hence, by Lemma 1 and the assumptions, a; (A l; X ; A 2 ; X ; A 3 L J A 4 )c (A l; X ; A 2 ; X ; A 3 L J A 4 ); b. Since obviously a; 11 c 11; b, by Scott induction, (6) holds. We are now ready to prove p; P P ; q. Suppose that x E p and xPy for some x, y e er. We have to show: y E q. By the assumptions (x, x)E a. By (6), (y, x)E b. Since x E p, by the assumptions (y, x)E Only if part. Put a = I, b P and let R , that (4) As hold. l o a ny d q x i p =and , (5) Let x, y, cr be 2q = elements of V. E R .arbitrary (i) We have to show: a ; A i g o ( I R 1), i.e., (x, cr)E a and x i l A l ; a(R 1 l P ; l i the e sdefinition ( yof a, , o- = x, so byethe definition of R Ay i), m pzBy since (y, y) E a, we get 3 7 -[ o i w h e W (ii) We to show: b (R1); A2 g- A2; -i c have H e n ac(R2), e i.e., , 37-[(TR ai implies r , 3c1 r Re l y . Rir A ( y , r ) tr Ah xA2y. of ER1 and b ,crA -i ( xBy ,othea7definition - ]) E pb definition r o v of R 2 , a ib1 [ o l a yn d x A 2 Y e s-rputting T p-e aun dt t r iP nx , g (iii) We 1 R ,o s too show: sR 2 c, r (b (RD; A A3 g A3; b, i.e., IT[cTR2-r A (X, T)E b] and xA3Y 2=yhave r1 T q implies cr) E b. Suppose that for some 1-, c r R yslA .i n (y, c .e yu2 i definition of R2 and b, a (A l; P; A2)T and TPx, so a ; ((;v Yy / , P oPy, which means (y, cr) E b. -yA T , ( x , 7 ) E 2) to show: ) y a ; A4 . C A4; bb, i.e., (x, cr) E a and .x,44y implies (y, a) E b. 7 (iv) We a(aA ll have ; P ; A 2 ; d y x A ;3 y P. E B 1 ) n E (x, Suppose cr) E a and x / t eA 3 , )y y . e a tB a (v) Obviously 4 t h] h h/1") nT u (pesx p) a, . tw .ty . have (vi) We b ( V p ) q p , i.e., (x, y) E b and y E p implies x E q. T h toe show: n e S Suppose u (x, y)E b and y E p. Then yPx, and since p; P CP ; q, we find x E q. = oc r g e This concludes the proof. p p 3x to 3 T d Ta s n 1 e x P y , [ [t a R . e . , oi 2 h
670
K R Z Y S Z T O F
R. A P T A N D L A M B E R T G. L . T. M E E R T E N S
The above proof is an analogue of the corresponding completeness proofs in [5] and [6]. However, the relational approach sheds some light on the role of the auxiliary variables used in [5] to obtain so-called "most general formulas" and in [6], analogously, to "freeze" the global variables upon entering a procedure call. It is clear from the above proof that completeness is obtained by using the meaning o f a procedure as an assertion. The proof also suggests an alternative, equivalent point o f view at the wa y of introducing the extended state space. Namely, the same result can be obtained by proving first partial correctness of the program a := P using assertions from its state space. The condition I fl (p p ) c.. a is then replaced by the equivalent requirement p x : = x a := a . In such a way the extension of the state space is caused by a change in the original program P. The desired global correctness property is then derived by deleting the assignment a [- : = x 8 t o 5. A n application. Having obtained a specific form of the completeness result we ]tshall h illustrate e its usefulness by the following example. ." a Let u the x state space 'V be the set of natural numbers X. Consider the following i l i a r declaration: y (8) P [n v a r 5 1 0 0 ] ; where, i a of b course, [n 1 0 0 ] = fx : x 1001, [n := n 1 1 ] =f(x, y): y = x +111 and so on. E is of n course : McCarthy's = P well-known 91 function defined in a relational framework. l e " n We want to prove that a + 1 1 ] ; u(9) n •.5100]; P P ; [n 9 1 ] . P ; [ s Observe P that the above declaration is of the form P P A 2 ; P; A3 (-) A4., where i E n A 1 = [n 15100]; [n := n + n > 1 g A2= I, 1 0 1], t 0 ] ; A3 = h [ e A4 = En >1.00);[n := n — 10]. n c o We : can now use the theorem to prove (9). The easiest way to proceed is to define the rrequired r relations and functions as in the proof of the theorem, taking for P [n= e [n 51 19 01s ]0U] [n ; >1.00];[n := n p o 10 0 ]Thus , awe ndefine d n d t] a o = {(x, x): , xE ci hn e c k g t b =hf(x, y): a (x =t 91 fl y 5 1 0 )0 ) p (R 4 raI v n d R2 = [tix 1 0 0 ] ; [n := n + i l l ; (En-5 1.00];[n := 91]U [n >100]; [n := n — 10]) o (- ( 5 ) = o ={( y ) : (90 x 1 0 0 A y = x +1) v (x 0 0 r: 1 1 , ox )
COMPLETENESS W IT H FIN ITE SYSTEMS
6
7
1
- - n 100 - n = cr(r- a)
-za( R 1 )) ( 90_c r - 100An= c r - i - 1) v(cr 100) ( FIG. 1 , - = - b)
Acknowledgments. We are grateful to Prof. A. Pnueli who refereed the paper and suggested various improvements, in particular the present, stronger version of the completeness result. We also thank Prof. J. W. de Bakker for critical comments on an earlier version.
REFERENCES [1] K . R. APT, J. A. BERGSTRA AND L. G. L. T. MEERTENS, Recursive assertions are not enough—or are they?, Theor. Comput. Sc., 8 (1979), pp. 73-87. [2] J. W. DE BAKKER AND L. G. L. T. MEERTENS, On the completeness of the inductive assertion method, J. Comput. System Sci., 11 (1975), pp. 323-357. [3] S. A . COOK, Soundness and completeness of an axiom system for program verification, this Journal, 7 (1978), pp. 70-90. [4] J. H . GALLIER, Semantics and correctness of nondeterministic flowchart programs with recursive procedures, Proc. 5th Coll. Autom ata, Languages and Programming, Lecture Notes in Computer Science, No. 62, Springer-Verlag, 1978, pp. 251-267. [5] G . A. GORELICK, A complete axiomatic system for proving assertions about recursive and nonrecursive programs, Technical Repor t No. 75, University of Toronto (1975). [6] D . HAREL, A. PNUELI AND J. STAVI, Completeness issues for inductive assertions and Hoare' s method, Technical Report, Tel-Aviv University, 1976. [7] C . A. R. HOARE, An axiomatic basis for programming language constructs, Comm. ACM, 12 (1969),pp. 576-580. [8] S. OWICKI AND D . GRIES, A n axiomatic proof technique for parallel programs I, Acta Informatica, 6 (1976), pp. 319-340.
