The intent of the current paper is to show how a large problem ... input/output relation~ The purpose of section 2 was to show how ...... i f is°co~tai.ed (lab,ns-l).
~ormal Definition in Program Development
C. B. Jones, IB8 Laboratory Vienna.
ABSTRACT
The
intent of the current paper is to show how a large problem
like compiler proTides
a
development structure
can
notation
divided
in
a
way
for arguments of correctness.
• echanically checked proofs formal
be
is
are
not
envisaged,
recommended
so
that
Although
the
the
which
use
basis
of for
correctness arguments exists. The
paper
reviews
three
topics:
the first two are relevant
particularly to the development of compilers: general.
The
subject
of
the
language definition to he used Beginning
with
a
first as
a
the third is more
section is the style of basis
for
development.
small language, possible ways of describing
added features are discussed. The
selection
usability process:
criterion
in it
developing is
this
for a
definitio, specification
techniques is their of
the
compiling
development which is the subject of the
second section. The
third
Development"
Q
section
briefly
reviews
the
process
of "~ormal
which has been described more fully elsewhere.
IBH ~sterreich
1974
388
O. I N ~ O D U C T ! O N
This
paper
provides an overview of a number of pieces of work
related to ~rogram correctness. completely
mecha,ically
appears to be some way
checked off,
small
to show how a large
for
approach
large
taken
programs
is
one
of
for human readers. The paper will problem
can
be
decomposed
into
enough steps that such justifications ca~ be convincing.
The particular compiler, to
proofs
the
documenting a " j u s t i f i c a t i o n " a%tempt
Since the possibility of having
problem to be c o n s i d e r e d is that of developing a
of course, a compiler
oversimplify
specia]
for
a
one
can
only in requiring ~wo extra stages
precede that which is a ~ p l i c a b l e
Three
is a very special program,
moment
major
parts
of
%he
consider of
hut
that it is
development
to
to any program.
compiler
development
discussed i~ sections I tc 3 of this paper. The
problem are
first
section
discusses
the
definition
of the semantics of the source language provides the
overall
d e f i n i t i o n of the language to be compiled. This
correctness criteria for the compiler:
whatever results
can he deduced about a ~rogram iritten in the must
also
be
true
when
compiling that program. properties
of
a
source
language
ru~ning the object code produced
The
discussion
language
definition
identifies
by
important
to be used in the next
stage. Given
a particula~ object machine, the next step is to develop
a mappi,g from the source to the object language.
How
done
of the paper.
is
the
subject
of
the
E x a m p l e s are given of mapping definition
onto
the
second
section
this
is
the a b s t r a c t state objects of the
store of a target machine
(cf. rots. [9,
15]). Any
top-down
correctness
development criterion:
input/output relation~
process
that
is,
must begin with a, overall a
specification
The purpose of section the
process
specification
developing
such
a
an
2 was to show how
exactly this can be Frovided for of
of
compiling
problem.
The
by a s t e p - w i s e
389
process to a running argued
program is discussed in section 3.
It
is
that the use of data a b s t r a c t i o n and appropriate choices
of implicitly defined functions can provide the
structure
for
justifications of large programs.
Since no specific le,gth limit was given to the author,
it must
be co~fessed that his lack of time is the reason that all three sections
are
not written up fully. The ideas behind section
are well enough dccumented in ether should
suffice.
papers
is
very
small.
precisely
3
overview
the example provided
This runs into the usual problem that in such to
"see"
the
correctness,
whereas
if
is
the inability of our "small head" to contain a large
proble~ that gives rise to the need for a section
an
A!thcugh the general direction to be followed
in the work covered by section 2 is clear~
cases it is easy
that
I a~Froaches
justification.
Only
the level cf c o m p l e t e n e s s the author would
have liked te attain.
The
process
of
"Formal Development" outlined in section
applicable to any programming it
is
an
~rcblem.
oversimplification
to
As was
think
observed
that it is therefore
sufficient to show how to tackle any other computing precise!y problem,
the
way
that
for
3 is
above,
task.
In
a c o m p i l e r it was a significant
generating the input/output relation for
other
tasks
will he difficult. It is a b n o r m a l for initial s p e c i f i c a t i o n s to be couched in terms of such relations, and, other than
arguing
that its production should be the first step, the current paper offers nc help as to how it ca, be obtained.
The emphasis throughout is on the method of decomposing a large problem
into small enough steps
Certain
common
te
provide
a
Justification.
requirements result from this, one of which is
the necessity to use a formal notation: only then possible
to
i,tenticn
tc argue for one particular ~ t a t i o n .
d o c u m e n t justifications.
A further technique,
implicitly
be
It is not, however, the
length, is the use
has used the terms "Cperational defined
it
which becomes almost a necessity if proofs
are to be of an acceptable Dijkstra
will
operations
and
of
abstraction.
Abstraction" to cower "Bepresentational
3go
Abstractie," properties.
to
refer to the postponement of unnecessary
Beth of these technigues
will be used,
data
but again no
particular notation is recommended.
Tt
is
the
intention
in
the current paper to concentrate on
t e c h n i q u e s rather than deep results. a
particular
mathematical
T r a n s c e n d i n g the choice of
discipline
to underly the work are
justification:
%he practical steps which must appear in any is t o
attempt
I. LANGUAG~
DEFINITION
This
of
part
the
throw some light on these.
the
STYLE
pape~
suggests
certain
properties
of a
language definition which will facilitate its subsequent use in development
of
constructea
along
other
a
purposes
translator design.
Notice that a definition
the proposed lines will not n e c e s s a r i l y like
proving
suit
programs c o r r e c t in the defined
language~
Although
easy
given
language
a
formulation
to express
with
(see summary)
feature
wanting
the required properties.
plan adopted below is %c c o n s i d e r and possible
way
it
language
formulations for their definitions.
find
a
features
~n attempt has
language
concepts.
In
is hoped that the reader can see the requirement
for the different complete
to
For this reason the
separate
been made tc d e l i b e r a t e l y separate the this
it is not always easy,
definition,
formulations
definition
in
of a language
the source of the complexity.
If
isolation,
whereas
in
a
it is often difficult to see the
current
approach
were
executed on all of the features cf the respectiwe languages one would then be able "cross
products"
to explain ref. of
their
[I]
and
respective
although the notation of the latter is
a
ref.
[4]
as
formulations. step
forward,
the For, both
d e f i n i t i o n s possess the properties discQssed. Rather
than
discussing
finding the a p p r o p r i a t e
notation, model
for
the a
emphasis
language
below is on
feature.
The
391
distinction
between
and
similarities
of
the
so-callsd
" o p e r a t i o n a l " and " m a t h e m a t i c a l " approaches are c o n s i d e r e d it
is
argued
that
which transcend
Most
bat
there are criteria for c h o o s i n g ~he model
the distinction.
of the so!uticns discussed are behind a number of current
language definitions.
Only the solution of the S 2 ~
problem is
novel.
Tn
order
to provide an overall context for the decisions made
below it is worth pointing out the origin of which
led
(Vienna author
to
a
Language)
the pleasure
notation.
algorithms
definition of PL/I shown
in
rots.
encountered. mechanis~
(ref. [14,
1.q
on
[24]).
~Ithough the
7,
9],
belo,)
a
the
in its use.
interpreter results
used
,e%
to
require~
By
define by
arguments
then
the
use
notation
this
is
current
for
formal
feasibility
was
of
the
control
not caused by
itself.
The
common
the tendency to be "over
meant
that
the
abstract
the language sometimes indicated
the
certainly possible to deduce the final outcome,
the
number of difficulties were
of
of most problems was, in fact,
specific"
!969/70
these were certainly
any shortcomings in the formal origin
correctness
based
With the exception (see
During
cf co-operating with P. Lucas and his
co~leagues o, attempts to document compiling
difficulties
reconsideration of some aspects of the "VDL"
Definitio~ had
the
language.
Although
it
was
that such results had no effect on
this proof fzequently went
far
beyond
the
part of the language under consideration.
A
simple
example
was
the
use in some VDL models of a never
recurring "unique name generator" required.
required outcome. stack
to obtain new locations
However, if one wanted
ilplementation,
in
which
the
to
prove
correct
conditions
of
uniqueness.
possible to prove that, since an
undefined
state,
~ccations. ~owever,
it
is
a
locations of previously
closed blocks could be re-used, one was more i n t e r e s t e d in peces_s_a_rx
when
This c e r t a i n l y gave a sufficient model which gave the
Now
the
it was, of course,
mew locations were initialised to permissible
to re-use discarded
one was paying with a very expensive
the sawing of relatively few lines of definition.
proof
392
The
basic
maxim
properties
to
be followed
to the d e f i n i t i o ~
which
then
will
are
not
be to avoid required
giving by
the
language.
Before
coming
on notation
1.1
The
to the language
features
proper,
a brief section
is offered.
Notation
formulae
which
follow
their
use cf notation
also
made of simple
and c o n d i t i o n a l sketchi,g complete
~eanings discussion
concept
used
to a d v a n t a g e
of
a!so
the
importance
Given
syntax
Non-terminals
confines
introduced
a semantic
this
its
use
definition
alternatives;
paper
will
of but
show
its
deve!epment.
notatio~
now
used
tc shorten
as names
has been
and
changed
clarify
of
unit
sets
somewhat
descriptions. as follows
-
-
{LBc}
as
names
for defining W = XIZ
~or a more
is
of
the sets defined
in the r e s p e c t i v e
rule. Rules
to
in ref. [ 17], was
Not only
it can be read as set e q u a t i o n s
-
is
~!~"
itself
items.
of its syntactic of
Use
"iZ ~ h ~
[~].
to divorce
parts
in crdeI
like
non-standard
Syntaz,
mandatory
Objects
~_~_c_
section
1 of ref.
as regards
operations.
in the VDL definitions.
translator
[24]
the
the richness
a grammar
Elementary
for
logical constructs
This
see ~art
subsequent in
The abstract from ref.
for set and
Abstract
considered
a language f r o m
offer no d i f f i c u l t y
programming
statements.
The
still
should
alternatives ~
~=
of non-terminals
X u 2
-
393
~ules
for i n t r o d u c i n g X ::
YZ
Furthermore,
-
use
denotes
of
a
name w i t h o u t
for
its
Other
than
decompose
o~
= z
name of
which the
ends
class
in
"*"
defined
("-set") by
the
of a set -
deccmpositio~
by
made
selection
the c o n s t r u c t o r
it
is
possible
on the left of
to
a definition-
= x -_le__f y = s-n1(x) let
cases
s-n2(mk-X(y,z))
is-X(o)
by u s i n g
is a l s o
= y
suffix.
le_f m k - X ( y , z )
Use
-
s-nl (mk-X (y,z))
of o b j e c t s
membership
is-W (o)
[ y~Y ^ z~Z}
c a n be i n t r o d u c e d
s-n2:Z
(set)
-
{mk-X(y,z)
nonterwinal
a list
To t e s t
X =
selectors
X :: s - n l : Y
The
constructors
z = s-n2(x)
of this b i n d i n g
of
n a m e s in a c a s e s
construct-
w:
mk-X(y,z)
- > f(y,z)
is-X{w)
-
->
(!e_~t m k - X ( y , z )
= w:
f (y,z)) is...
mk...
At
the
the
manipulation
points
w h e r e i t is n e c e s s a r y of
functions,
use
to d i s c u s s is
made
more carefully of
the
Lamhda
notationf(x)
= ...x...
~owever,
these
(see ref.
[13])
let
x = e:
-
uses
will
o f t e n be
"sugared"
) )
g(x)
f = Xx . . . . x...
)
-
( x x . g ( x ) ) (e)
in L a n d i n ' s
style
394
Raps
are
used where %he graph of a function can be explicitly
co,structed -
[dl -> r~ J
explicit definition
[d->
implicit definition
r ] p(d,r)]
+
joining
are the c o ~ n t e r r a r t s of the set concepts.
To
come
now
to
the
problem
of
Semantic
le_~n_it_~o_~n°
d e f i n i t i o n s given beloN will be written in terms from
stated
se@~ntics VDL
domains
to
it is intended
style
models,
ranges.
[16],
in
c o m p o n e n t exists in the i n t e r p r e t i n g discussed
more
construct).
The
full~
below
re la ticn
mathematical
sema,tics
be reviewed
in c c D n e c t i o n
considered.
To begin
in
between
the d i s t i n c t i o n
from
the
which an ezplicit control machine connection functional
(this with
point the
semantics
is
set_e and
ref. [22] is of more i n t e r e s t
and will
with several of the l a n g u a g e
features
with i% is worth showing the definition of
a language which is itself f u n c t i o n a l and thus affords path tc functional
functions
In using the term f_u_n_ct_~onal
to e m p h a s i s e
ref.
of
The
an
easy
semantics.
1.2
Consider
the
language
given by the f o l l o w i n g
rules -
BI expr = inf-expr
B2 inf-expr
B3 var-ref
I var-ref
:: ex~r o F expr
:: id
B~ const =: I~TG
~ const
abstract syntax
395
The
class
op
is
not
existence of a functiom B5 apply-op
Now,
further
specified
than by the
-
: INTG op INTG -> INTG
for a given set of denotations
avoided
other
because
it
will
be
used
(the term "environment" below)
for
the
is
free
identifiers-
B6
DEN
the
: id->
INIG
denotation
of an expression,
which is also an integer,
is
given hy B7 eval-expr(e, den) = cases e: mk-inf-expr (el,op,e2)
->
(l_et v1=eval-expr(el,den) ; l_e_% v2=eval-expr (e2,den) ; r~su_!it_ is
{apply-op(~1,op,v2)))
mk-var-ref(id) mk-co~st(n) type:
This
expr DEN -> INTG
definition
composite
is
programming mathematics, at
from)
introduction
variable
a
has
expression
constructed The
-> den(id)
-> n
the depends
only
the denotations of
perhaps
on
that
the denotation
(and
can
of its component
].anguage. are is forced
most The
distinctive fact
that,
be
expressions.
feature in
of a
therefore
the concept of a dynamic assignment the
given point in time
semantics.
property
to a
of
a
contrast
to
to consider the value of a
variable
Foses problems for the definition
of
396
t.3
&~ais~a!_~a~£~
Consider
the
assignment
language
statements
whose programs consist of a s e q u e n c e of
(as-st)
which can be d e s c r i b e d -
CI as-st*
C2 as-st
The
:: s-lhs:id
effect
of
s-~hs:expr
such
a
sequence
of
statements
transfer~ so~e initial set of d e n o t a t i o n s step
by
step,
into
longer sufficient
their
final
to c o n s i d e r
for
the
denotations.
the DEN as
an
will
be to
variables,
Thus it is no
argument
to
the
interpretation:
the DEN reguired as the a r g u m e n t to the second
(and subsequent)
calls of
changed
by
the
the
interpretation
interpretation
may
have
been
of the first assignment. this proh!em
omitting
This is done because the
a]l
mention
of
the
DEN.
intention is to offer a number of
different
by
The
function given below a p p e a r s to ignore
simply
explanations.
should
be p o s s i b l e to see the intent of what is~ written
accepts
that ~ssign -changes"
assumes e v a l - e x p r
the DEN for
uses the c u r r e n t
the
given
It
if one
id,
and
DEN -
C3 int-st-l(st-!,!)
if i ~ lst-I !_he_n (let mk-as-st(lhs,rhs)
= st-l[i ];
l e t v:eval-expr (rhs) : assign(lhs,w) : int-st-I (st-l,i# I))
i type: It
is
formulae.
as-st ~- IN~g possible
to
The first
=> consider
three
ways
of
possibility is to read them
reading as
such
programs.
397
As
such,
each functicn
refers to one non-local course,
would ccrrespond variable
the same non-local
(i.e.
variable
eval-expr and all calls of int-st-l. trivially
defined
tc
modify
has its usual ordering are
written
in both cases to distinguish c~iven
this view and
the
DEN).
referenced
It
is,
of
by the modified
The sub-program
this variable.
implications.
with "=>", and
to a subrouti,e which
assign
is
The separator
"~"
Subroutine
type
clauses
their calls are marked with a ":", them from pure functions.
using the notation of ref. [ 12], the types
could be given in full by int-st-I
:: DEN:as-st~ INTG ->
eval-expr
:: DEN:expr
assign
:: DEN:id INTG ->
With
this simple, constructive,
discuss
one
of
definition.
the
dynamica~!y
functions. which te~t, there make
has
with
is no incentive
sequencing
language State" to
which
to
a
"Grand
State"
now
tc
all
part
of
the
state
this approach
is that it
the
discussion
The second
ref. [I ], would
in
as-st • INTG DEN -> DEN
eval-expr:
expr DEN -> INTG DEN
assign:
id INTG DEN -> DEN
not
The be
counter
eval-expr.
of alternative
views of the
interpretation
in each case a DEN. This,
int-st-l:
show
variable.
that the statement
possible
give-
and
would
functions as taking an extra argument
an extra result:
style
of program
Although in %his trivial language
further inspection,
int-st-l.
change
to do so, it would have been possible to counter
of taking
without
Returning regard
a
"Small
the possible exception
could net be affected h~, for erample,
function
of
by a side effect on this new non-local
disadvantage clear,
term
put into the state used by the defining
variables,
statement
the
in which only those things
are
are put into the state. the
properties
used
This is in contrast
all
view it is already possible to
desirable
McCarthy
describe a defi,itie, very
-> INTG
is
to
and yielding
which is the view of
398
(I,
fact
examplet
it
is
often
possible
since it can cause
nc
to
simplify;
changes,
in the above
eval-expr
need
not
return a DEN.)
But it is ne longer possible to rely on %he p r o g r a m m i n g view of ":".
It is n e c e s s a r y to d e s c r i b e it
functions.
as
a
combinator
The task of doing this is c o m p l i c a t e d
betwee,
by the various
a l t e r n a t i v e c o n t e x t s and it is e a s i e r to show the result would
come fros using
which
the c o m b i n a t o r -
int-st-I (st- l,itden)
=
if i -< ! s t - I
the__n (l_e~ mk-as-st(lhs,rhs) let
(v,denl)
= st-l[i ];
= eval-expr(rhs,den);
!_et den2 = assign(lhs,v,denl) ; result is
(int-st-l(st-l,i+1,den2)))
_e!s~e den
type:
Since
the
sugared
The
as-st* IN~G DEN -> DEN
"lets" are
now on pure functions,
a
fors cf lambda expressions.
third view one could
of ref.
they are simply
[22 ].
functiona~
The c o m m e n t
language,
take of the f u n c t i o n i n t - s t - i was made on the
definition
that the de,oration of its
was al! that was necessary to d e t e r m i n e
the
sub-components of
a
unit. By regarding the d e n o t a t i o n of an a s s i g n m e n t statement
as
a function this
is
it is again sc
~ossible
to enjoy
the
is that of
denotation
this property.
(That
is mcre c l e a r l y shown if the abstract syntax of a
cosposite statement
is given
recursively.)
would be-
int-st-l:
as-st ~ INTG ->
eval-expr:
expr ->
assign:
id->
(DEN ~> DE~)
(DEN -> INTG BEN)
(IN~G->
(DEN->
DEN})
The r e s u l t i n g
types
399
Again
in
this
combinator. (after
view
it
is
necessary
But now the fact that the
applying
the
functions
to
define
units
to
";"
be
as a
combined
to the static components)
basically f u n c t i o n s of the type ~EN -> ~E~ means that the
are very
pleasing model of functional c e m p o s i t i o n is adequate.
The
Oxford
group
(refs. [22, 23, 19]) have gone rather
far in
designing c c m b i n a f o r s which weuld permit f o r m u l a t i o n s like -
int-st-! (st- l,i) =
X~en.(!f
i
(DEN -> DEN)
w here -
CO~B(vf,uf)
=
kden.(kv,denl.(uf(v) (den1)) (vf(den)))
(It
should
be
made
clear
that if this had been written by a
genuine devotee of mathematical semantics, very
different.
it would have looked
It is the c u r r e n t author's view that excessive
zeal in shortening d e f i n i t i o n s makes them less rather than more readable,
Since
of. ref. [19],
ref. [1]).
this is a function one can look at its result
program!
Consider -
p = (X := I; y := x * 2)
for a test
400
Then after reduction-
i~t-st-I (ptl) = (kden.den + [y -> den(x)+2])
which
is
the result expected.
o (Xden.den + [x -> I])
(This e x e r c i s e is somewhat more
i l l u m i n a t i D g on larger examples.)
to
the earlier d i s c u s s i o n of grand
versus small state a p p r o a c h e s ,
(Reverting
it is worth noting that it would
have
for
been
a
moment
possible
tc make the
(undesirable)
step of putting
the s t a t e m e p t c o u n t e r in the state and still give a in
terms
cf a function
would ~ot,
howe~er, have been possible to provide
combinators. counter
to f u n c t i o n s from states
In
particular,
is required
definition
to states. such
~t
simple
the static role of the s t a t e m e n t
to provide the
required
decomposition
of
the semantics.)
If the a p p r o p r i a t e c o m b i n a t o r d e f i n i t i o n s bow provided three questio~
The
ways of reading
were written,
the f o r m u l a
we have
int-st-l.
positicD
advanced
in the next part of this paper is that
the i n t e r p r e t i v e view is useful during the development translator
mapping
thinkiDg
in
problems be resolved
~rograms
terms
~a~ipulated
definitions
notation
meta-~anguage.
written
in
reasoning
this
style
will
be
the m a t h e m a t i c a l view
or any
is
it
so far it would be easy
variant of the "fRr". the question
reasonable
to
add
In
doing
arises to
as the
Would it, for instance, be a c c e p t a b l e to have a
while c o n s t r u c t ? of
that certain
Thus the notation will develop
this for any r e a s o n a b l y c o m p l e x language m~ch
however,
this leads to r e t e n t i o n of
the a~ount of notation i n t r o d u c e d
how
the
to when d e c i s i o n s are otherwise unclear.
to define ~'if then else"
to
Observe,
of c e m b i n a t o r s ~ e ~ _ ~ d
as if they were oFerational;
say he a~pealed
With
to functions.
moze carefully:
also this view of the formulae. the style above~
of
and it is cn!y then that one need take the
view of mapping source %hat
The
of which should be used must now be discussed.
lhe answer
about
must a l w a y s be sought in
a construct.
the
ease
Thus in ref. [~] both while
401
and ~9~ constructs more
have been included,
restricted
kind
than
the
but they are of
FOR
a
much
of PL/I which was being
defined.
This
topic
definition
1.q
The
brings
in its banishment
standards
valuable
to
situations them
committees. have
and
some
an
problem
hop,
its ability
attempt
for
of
it
has not
languages
appears to he
abnormal
to provide formal
defining ~ 9
its
is
has
the
terminated
sequencing
definitions
for
as
both
technigue
this
the
stack
so
be
order.)
that
below
of the interFreting stack:
in of
if
with
a
shorter
The subject of
the
connection
state with
is itself
operation
obeyed and the next step of operation
of
the but
arbitrary
the recta-language
LAMBDA in ref.
removes the top
this
exits, can be
was more general,
describing
(called
function
block
in ref. [ 2,] was to
into
a VDL definition
function
compound
in the ne,t section.
the control
Instead
as functions,
interpreting
the
whose semantics
discussed.
component
[In fact
upsets the
same phrase structure
for modelling ~oto employed
point is discussed
control
can
is discussed
~acbine.
evaluation
section
this is simpler than
that
problems
introduce a control
~irectly
In
the phrase structure
Although
property
phrase structures
of a unit solely in terms of the
sub-units.
chosen
block terminations
abstract
is that, other than the local
and initiated abnormally
definition
the
serious,
tc leave or enter
should be pEovided.
an
be
mechanism
ability
with
of
statement
this
from descriptions
To
to state the semantics
semantics
The
a semantic
may be one of the tools for comparison.
The
it
the challenge of giving
debate on the morality of the Horn construct
yet resulted by
to
Lan~ua~
Goto
long
us
of ~o~o.
described [24]).
by
A step
instruction
from
is elementary,
it is
is performed;
in the case
402
of
a
"macro"
the centre]
operation~
the a p p r o p r i a t e o p e r a t i o n s are put on
stack so that the next step will e n c o u n t e r them.
So far this can be thought of as a way of d e s c r i b i n g functional application. component
The
an
its e x p l i c i t phrase
purpose,
explicit
~anipulation.
stzucture
structured delete
hoover,
was
Thus one
to
the
making
the
control
way to model ~ot_o out of
define
the
in line with the phrase
from
of
part of the state was to make p o s s i b l e
control
"obvious"
structure,
component
any
a
operations
but
to
simply
operations
which
c o r r e s p o n d e d to parts of the program being jumped over.
The effect of this was that, in general, present a r g u m e n t s structure
whose inductive
of the program.
structure f o l l o w e d the p h r a s e
It was of c o u r s e p o s s i b l e to present
proofs,
but they had to be by i n d ~ t i o n
states
generated
by
it was not p o s s i b l e to
LAMBDA.
One
over
could
the
sequence
argue
p r e c i s e l y the undesirable effect of the ~t__Qo, but in definition
had
the generality, instruction,
gone
too far.
in this case
forced
of
that this is fact
the
It was one of the places where
to
change
the
control
in
any
one to show that, in precisely the places
one did not require the power, it was not used.
In fact the deletion used more
of parts of the control
for exits from blocks: local
phrase
was sometimes only
the reason that it was not used for
structures
was
the
s o l u t i o n adopted for
h a n d l i n g abnormal entry into such phrase structures. some
definitions
was simply changed q_oto
into
and
to point tc the next
statement.
out of phrase structures
on exit from the phrase structure.
However,
by
~anipulating
treatment of ~ND in ref. The
current author
action and
the
to be
into the
tended to cloud
the n e c e s s i t y to describe finding unit
made
performed
(This can, in fact he v i e w e d
part cf the iAMBDA function
such d e f i n i t i o n s
This
very easy to describe
providing there was no special e p i l o g u e action
as a b s o r b i n g
Hasical!y,
a d o p t e d a "current s t a t e m e n t s e l e c t o r " which
definition).
the normal action by
the successor to an
Fointer
(see,
for
embedded
example,
the
[25]).
became c o n v i n c e d
that setting up the normal
letting a ~oto "take the machine
by
surprise"
was
403
the
wrong
model.
The
proposal
could result in abnormal "abnormal"
result,
made
termination
which
was
was that any unit which
should
some
return
an
case. Any call of a function which could result in an return
must
(Together with W. Henhapl,
selector
treatment,
order
to
this was written
address
who provided the
statement
up in ref. [6]).
define Algol 60# in which it is possible to ~Qt__qo
into both "_if" and compound
ref.
abnormal
test for this possibility and perform a p p r o p r i a t e
actions.
In
extra
null value in the normal
statements,
the other part of the problem.
[I ] is to provide functions
structure
without
to fo]]cw.
Since these functions
it
was
necessary
to
The approach employed in
which run through
the
phrase
executing but setting up all of the actions prompted the e x e c u t i o n
where to begin they became called
"cue-functions"
as
to
(as in acting
- Dam Stichwort).
Consider,
for example,
the following
-
~ot_a l: i_f P ~_h_e_n I: sl else s2 : s3
Not oD1y should
this,
rather odd, transfer of control
without evaluating p, it should also set up the performed
thereafter
so
thal
s2
is
get to sl
events
to
be
skipped and s3 is next
considered.
The c o m p l e t e l y functional definition of Algol given in ref. [ 1] became tedious because of the man~ places where the effect of a ~o~o
can
cause
a cha~ge of e v e n t s and therefore the abnormal
return value must be tested. most
common
action
was
It was, however,
next operation and pass back the abnormal level.
that
the
value
to
the
next
In fact %here are very few places where it is necessary
to describe any sFecial action. Lucas
clear
simply to refrain from execQting the
proposed
that
Based on
adopting
some
this unit
observation to
trap
P. the
404
interpretation
where the action
free %o drop the ,,test and
This
abbreviation
normal • ~!
is
for
ABN.
e x p l i c i t l y by the retur,ed
a
to
be
Non-~i~l
exi~
the
(implied)
values
statement.
for
ABN
Normal
return
of
All a
are returned
action
with the same value for
~i~
unit b r a c k e t e d
which it applies.
The
one
on
being
ABN.
An
explicit
performed for a non-hi I ~BN value is defined by
means of a ~ a ~
containing
leave
non-hi ! ABN value is to terminate also the calling
function abnormally action
would
the one used in ref. [ ~] and below.
~eturns are written omitting
walue
to
was required
return" case by convention°
together with the statement
C o m p l e t i o n of the trap unit completes the
function.
developmert of this idea has been d e s c r i b e d in terms of an
i~terpre%er partly
partly because
because
it
is
this is how it actually o c c u r e d
probably
easier
to
first
read
and the
following functions in this way. (In
fact
the
separation
i n t - n s - I and c u e - i n t - n s - i were more
taking
the
mathematical
of
the. largely similar,
would probably not
purely i n t e r p r e t i v e view
given
be
functions
made
view: it is only the
if
one
for the
below
that
functions
are
given
by the f o l l o w i n g abstract
written separately°)
The
language
syntax. is
considered
It is assumed
something
is
that among
the unlisted statement
types
like the a s s i g n m e n t of the previous section which
would force retention of the DEN component.
D1 st = goto-st
} cpd-st
I ---
D2 goto-st :: id
93 cpd-st :: nmd~st • D~ hind-st :: s - n m = [ i d ~ s-body:st
id net further defined
405 The defining "the unique
functions
can now be given
object satisfying")
(the "b" operator
-
D5 int-st(st): cases
st:
ink-gore-st(lab)
-> ~Ii~(lab)
mk-cpd-st(ns-l)
-> int-ns-l(ns-l,1)
type:
st =>
D6 int-ns-l(ns-l,i) :
if i _~ !ns-I
t~_n {(trap exii_t (lab) wit_~h if is-contained (lab,ns-l) then cue-int-ns-l(ns-l,lab) else exit (lab) ; int-st(s-body(ns-l[i~)) int- ns-I (ns-l,im I) )
_e!s~e ! type:
hind-st* INIG =>
;
means
406 D7 c u e - i n t ~ n s - l ( , s - ] , l a b ) : !et i =
(hi) (is-contained(lab,))
if lab = s-nm(ns-l[i]) thhen int-ns-l(ns-l,i)
e_is_e witl
(~ra~ exit(lab)
if is-co~tained |lab,ns-l) t_he~n c u e - i n t - n s - i (ns-l,lab) else exit (lab) ; c u e - i n t - ns-I (s-body (ns-l[i ]) ,lab) ) int- ns-I (ns-l,i+ I) )
type:
hind-st* id =>
D8 i s - c o n t a i n e d ( ] a b , n s - l ) (3i) (s-nm(ns-l[i])
= = lab)
v
(39) (is-cpd-st (s-body(ns-l[j ]) ) ^ i x - c o n t a i n e d (lab,x-body(ns-l[j 9))
type:
[%
id n m d - s t ~ - >
was
observed
obtained
terms.
constructs.
that
a deeper
This
view
is
~irst it is n e c e s s a r y
in the "=>"
int-st:
Tt
above
understanding
by viewing a m o r n - l a n g u a g e c o n s t r u c t
sesantics
hidden
{_t_rue,fa_!_se)
now to
in
a t t e m p t e d of the above uncover
what
st ->
n~d-st~ INTG -) (DEN -> EEN IBN) hind-st* id
to
define
s t a t e m e n t s separated
by
(DEN -> DEN A~N)
the
denotation
";"
in
terms
of two m e t a - l a n g u a g e of
their
denot atic,s. stl;st2
-
been
(DEN -> DEN ~%BN)
int-rs-l:
easy
has
of the type c l a u s e s -
cue-int-ns-l:
is
is often
mathematical
kden. (le_t (denl,abnl)
= st1{den) ;
if abnl = _nil then st2(denl) else
{denl,abn I)
individual
407
This
gives
us the way of creating
-> ~ ABN}
from two functions
test
dynamic
is
~qt_o will, !t
is
a function
depend on the state.
to write a very straightforward
for the t r!2 e_/xi~ but, if this results in the
fact
functions applied make which
to the whole text
for
which
one
or free
although
the
labels
(in the sense they may the set of labels the
labels. by the following
example -
1
I:$2 /*no contained
Then
that
can do something is known: it is precisely
~ f p ~he._,.nn~
=
is
within the unit),
This point can be illustrated
S
dynamic
(of the current unit) would
to the trap are unknown
he either contained set of contained
equally
to ascribe a semantics of the required type
The key observation
will come
an
combinator
that the t_ra_~ exit body again uses defining
it impossible
to a unit.
{~
unavoidable because the occurence of the
in general,
is also possible
action,
whose type is
of similar type: the fact that t h e
labels
*/
-
int- ns-l(S,1 ) = !_e_% (den1 ,abnl)
= int-st(if
p _th_e.~ng_o_to 1 e_!Is_~e~Lqto =);
(abnl = all -> int-st(s2) abnl = 1
-> cue-int-ns-l(S,l)
T
-> exit (abnl))
Wow s i n c e cue-int-ns-l{S,l)
it
= int-st(S2)
can be seen how tc construct the denotation
of course, statements
a trivial case. introduces
But eve~
where
looping, an equation
fixed point can be sought.
the
of S. This was, graph
of
~o
will be given whose
408
It should be conceded at ~rife " d e f i N i t i o n s " combination°
The
above
which
do
not
permit
static
This is a cause for further consideration.
mechanis~ is not the one usually e m p l o y e d
mathematical semantics: been
this point that it is also p o s s i b l e to
using exits
accepted
{cf.
the mechanism
ref.
[23])
which
is
in giving
appears
that of
to
have
"Continuations".
Basically,
the denotation of a label is the function
~)
r e p r e s e n t s starting at that label and running to the
which
(say ~
->
end of the program!
This is c e r t a i n l y a more powerful concept:
that
more g e n e r a l languages,
it
can define
found out to his cost possible
when
continuations
while
tried
to
the current author show
that
to e l i m i n a t e c o n t i n u a t i o n s in ref. [21].
maxim is to be sparing
general.
he
to
model Algol 60 labels
was
~owever,
c~ power in the m e t a - l a n g u a g e {ref. [ 1 9 ~
It seems unfortunate, for instance,
it
and
the
using
may be too
that in -
p do
!_f q !_b_e_~so__t_o I: I: $2
ea_d the
The
label I cannot be "treated
actual
locally".
choice between c o n t i n u a t i o n s and the model offered
here must be made in the c o n t e x t of the definition.
Since
use
be
decided.
%.he language
the Oxford group has an interest in proving
c o m p i l e r s c o r r e c t it will await a larger can
of
The
experience
with
arguments on e~i~t is, sc far, e n c o u r a g i n g .
example basing
before
this
correctness
409
B_!_o_cL_s!~9~!uj~L__aan_.q~a_q~
1.5
Both
blocks
and
rrocedures
local level of ~aling.
permit their user to i n t r o d u c e a
Since the names defined within different
(even nested) b l o c k s do not have to be distinct, of 1.3 will not suffice as a state. language
in
"remember"
which
Consider
no recursion is allowed.
the value of a variable,
a nested block in which a n o t h e r to o v e r c o m e this problem statically
distinct
for
the
of
a
say x, over the lifetime of
be
to
make
all
one way
identifiers
example, q u a l i f y i n g them with a
unique b l o c k
number.
The
renaming scheme would not, however,
static
case
It is necessary to
variable x is declared,
would
by,
the s i m p l e DEN
be a d e q u a t e if
recursion
were also allowed.
It would then be necessary to keep
distinct,
multiple i n s t a n c e s of a variable which is declared in
a recursive block.
Before
considering
the passing of procedures as parameters,
is a p p r o p r i a t e to discuss c a l l - b y - r e f e r e , c e since i,troduces
a
tool
which
makes
the
its
it
solution
remaining problems both
easier te state and solve.
C o n s i d e r the following -
b__eain ~oc
p(x): ia~
x; x := a;
p(a)
If
the variable a is passed by reference, the parameter x will
refer to a. In an i m p l e m e n t a t i o n the
parameter
location. i~
x
would
result
in
a
reference a
reference
the argument
in all
referenced.
In
places
and
to the same
The d e s c r i p t i o n of Algol 60 in the Algol Report,
this part very operational.
become -
the non-local
was
The model given was to copy in
where
the
formal
parameter
was
this way the body of the above p r o c e d u r e would
410
a := a.
Some
care
because
was
discussion using
necessary
concrete of
when
abstract
describe
with
What
The storage
directly
with
has really
be i n s e r t e d ) .
for
class
[I]).
and
for
there
associate
of the class. which
to
least is
a
is to show the s h a r i n g
of objects
below
the
Eut even
tedious At
call-by-name}
component
bee~ done
(of.
somewhat
The idea
identifiers
rule" partly
should
ref.
the same m e m b e r
"copy
discussed
becomes
below
i, the e x a m p l e
the
being
(of.
by an e n v i r o n m e n t
(chosen
!ocations)~
it
mechanism.
some a u x i l i a r y
is m a i n t a i n e d
values
(see
equivalent,
by h a v i n g
LOCs
parentheses
copying
call-by-reference
identifiers
were
programs,
this
simpler~
in d e s c r i b i n g
strings
maps
This
identifiers
to be s u g g e s t i v e will
no
but i n s t e a d
is to d e c o m p o s e
into
of m a c h i n e
longer with
both
association
associate
locations.
-
DE~ i d - - ..... > VAL into-
ENV
STG
id ....... > LOC ....... > VAt
hut
in doing
so,
the
possibility
is i n t r o d u c e d
to have
idl .... I--->
n--->
v
id2 ....
so
that
any change
references more
via
thaw
via
one of the i d e n t i f i e r s
the other.
the
expression
(The use of of
an
£0C is,
is r e f l e c t e d
to
in this model,
no
eguivalence
relation
over
identifiers).
Tt
is
now
necessary
environments mentioned dynamica!ly
handles
above~
consider
the block
~he
distinct,
to
and
locations
how
model
recursive
will
so the problem
a
block
be g e n e r a t e d
of entering
which
a
has
problems
so as to block
be and
411
destroying
a
denctafion
c e r t a i n l y been overcome. environment location the
is
case
of
base
bindings,
The
will
later
be
r e q u i r e d has
generated
mapping
the
new
local
to
a new
identifier
(notice such a copying of DEN would be incorrect). a
~eeper blocks the
which
All that happens is that a
block
which
can be known by and called from
(i.e. a procedure), it is necessary to
environment,
to
which
it
will
show
insert
how
its local
is to be found.
most
mcdel
economical
would
be to assume again that all
identifiers are distinct in which case it is possible that
In
any
to
show
valid calling e n v i r o n m e n t c o n t a i n s the required base
environment as a sub-part.
"most
existence
does nct cover the case where procedures can be passed
parameters!
ref.
This
is
variable
the
solution as
any
then, only
recent"
recent"
of
TB this case,
precisely
references are possible.
[7]).
The
operational
because
then,
"most
discussion
see
will be to "remember"
what its base e n v i r o n m e n t should
be.
In
an
model one would make a procedure d e n o t a t i o n contain
the pair of procedure text and environment. semantics
other than
(For a fuller
general solution,
for any procedure
can be r e f e r r e d to. This
In
a
mathematical
style d e f i n i t i o n one wo~Id use these two entities to
create a function.
The language to be considered is -
El proc :: s-nm:id s-parms:id~
E2 s t
= call-st
~ as-st
E3 call-st :: s-pn:id
~4 as-st :: s-lhs:id
Identifiers
--.
s-args:id~
s-rhs:expr
then correspond either to variables
is considered) required,
I
proc-set s - d c l s : i d - s e t st
in
or procedures: the
latter
in a
associated object.
E5 ENV : id ->
(LOC | PROC-DE~)
the
former
procedure
(only one type
case
a
denotation,
LOC as
is the
412
A not yet initialised
value for a variable is allowed,
so -
~6 S : LOC ~> VAL
E7 LOC = sere infinite set
E8
VAL
=
INTG
~
A functio~a] type for ~rocedure d e n o t a t i o n s is given
Eg PROC-D~N
: (LOC ~ PROC-DEN)~
->
-
{S -> S)
(Notice that qo_tc is net is the c u r r e n t language,
so ~BN is not
required) o In order tc cover recursive
procedures it is necessary that the
d e n o t a t i o n of a procedure is a v a i l a b l e indirectly) denotation
call
itself.
Since
denotations
wherever it might
is discussed
here are functional objects,
(let
env'
validit7
of
= proc;
= = env
+
([parm-l[i] - d e n ° l i t ] [id - eval-dcl(id) [s-nm(proc)
~ 1- YROC-D~N
413
Eli
eva!- dcl (id) : let
l:alloc () ;
assigm (I,?) result is
type:
E12
;
(I)
id => LOC
int-st(st,env|: cases st: mk-call-st (pn,arg-l)
->
(let f = env(pn); let den-i =
The functions -
~13
allot : :> r OC
El@
release : LOC =>
extend
and
restrict,
respectively,
the
domain
of storage.
While-
E15
assign : LOC VAL =>
E16
contents : LOC => INTG
modify and read,
Based
on
the
respectively,
environment
important points.
it
values of storage.
is
possible
First, it is interesting
is precisely the response
to
to note
clarify that
two this
of both c o n s t r u c t i v e and m a t h e m a t i c a l
414
definitions ]a,guageo
to
the
This
problem
the above manipulation cf ~ref.
the environment,
as
the
well
in the state.
he modified the
defining
a
block
structure
environment
better
than,
is say
The VDL models used the grand state approach and
[2~3"?
co,tailed
of
leads to the second point: in what respects
as
all
"stacked"
versions,
This ~eans that, potentially,
by any function.
were
they can
It was then necessary to show that
i n t e r p r e t a t i o n of two successive statements in a statement
list was under the same environment. non-trivial call, had
because if the first statement was, for example,
the e n v i r o n m e n t to
call,
show
was indeed dumped
environments exactly
that by termination of the i n t e r p r e t a t i o n of the
as
arguments,
that two
the
argument.
~£~i~i~.
certain
the
other
calls
of
(This
was
of
hand, shows guite int-st
the
are
passed
subject of the,
~roefs of the first two lemmas in ref. [g].)
language now available
%hat
on
successive
sa~e
somewhat tedious,
of ~ £ n ~
a
then changed: the proof
the dumped e n v i r o n m e n t had been restored. The passing
explicitly
The
Moreover, such proofs were
is rich enough
to discuss the topic
In the d e f i n i t i o n given, it
conditions
is
assumed
hold for a b s t r a c t programs which are
not expressed by the syntax rules.
For example,
the
definition
would simply be undefined for a program which attempted to call a simple variable or which called a defined procedure less
arguments
than
type
rules
the
unnecessary
in
parameters. abstract
encumberance.)
syntax
however,
of
ref.
It would, of course,
write appropriate checks i~tc
but
with
(The attempt to include such
the
defining
[ I]
was
an
he possible to
functions.
This,
would net show that the checks, in this language,
of a static
nature.
That
is,
it
is
possible
to
define
are a
predicate -
is-well-formed
: ~roc ->
{tr_ue,_fa_!se}
which only yields tzue in the case that all such static context c o n d i t i o n s are fulfilled. position
This
is
not
intended
to
take
a
on to what extent type questions in a language should
be s t a t i c a l l y checkable° useful
~roperty
static
and
what
of can
a
It is only
to
definition
to e x p l i c i t l y show what
only
be
checked
argue
that
it
dynamically.
is
a is (Rn
415
associated
~oint
implementation errors
It
is
i~ an unexecnted
would
be
procedures
1.6
that
for programs
it
permits
which contain
freedom
statically
to
an
checkable
part).
to
possible
define
both
and function
blocks
in the style of this section.
F ux!her ToEiN~
This
section
ccnstrucis With
will consider how some other,
familiar,
language
could be tackled in the same spirit as above.
regard
definition
to fl£~£, it is straightforward
to extend the last
to cover S£~2 out of procedure calls.
This,
with the merging of the other features already defined,
along is done
in the Appen@ix.
~he problem is simple because only known,
therefore
recently activated,
most
referenced.
[f the language allows
parameters
this
the
passing
property no longer holds.
to make each instance
of
labels
as
It is now necessary
cf a label dynamically
this requires some mechanism
and
instances of labels can be
distinct
like the activation
and to do
identifiers
of
ref. [~].
The
i,troduction
variables)
into
consideration
a of
label
language
target variable definition
the
something The
(or,
with
it
affected of
variables
is
forced
fact,
the
a label instance
to be not-greater PL/q d ~ s
in
entry
additional
which Do longer
the
lifetime
than the lifetime of the
not make this restriction to
of
add
a
validity
and
check via
like a set of currently active activations.
definition
creation model
brings
referencing
label being assigned. so
variables
Algol 68 avoids this by constraining
exists. any
of
of
call-by-value
of a special by the in
any
location
changes
A ]gol
60
via
is simple to include
which
will
be
the parameter.
description
aD imaginary block.
of
the
by the
only
one
This is a close
assignment
to
new
The fact that Pi/I makes the
416
choice
between
calling
call-by-value
side
ca~!-~y-~a~a
is
of Algo~
passing
procedures.
it
is
frequently
the
i~Dlementer
wider
freedom
result.
cf
referenced
definition write
it
the
define
First
-
note
that
in
definition
reasonable
is warning
such freedom
to leave
This
is
permit
the
user
order.
in
references
such orders
is an open
a
the
to be made
function
In a l l o w i n g
for
an e q u i v a l e n t
to
in an expression contains
designer
powerful
mechanism
which g u a r a n t e e
be
the
on
pmore
the
rely on any particular
of how tc formally
(a +
may
side-effects.
which
via
in a !a,guage
variables
language
programs
The
of order of evaluation.
if the e x p r e s s i o n cause
[4].
handled
than o p t i m i s a t i o n s
any order even could
is
freedo~
call-by-reference
ref.
desirable
some
and
in
60
~cr instance,
access
which
shown
in a
not
to
The question problem!
(b + c))
the d e f i n i t i o n
may
wish
to allow
not only
-
a h c, a c b, b c au c b a
but also c
It
a
h etc.
is net,
at each The
therefores
branch:
response
of the
performed
were in any
any a v a i l a b l e
The
its
Droperty
of
such
arbitrary
this
was
VDL
to this
~achine But
in
ref.
LAMBDA
into
order
cculd
The
in fact a r e a s o n a b l y
control to
if they were to randomly
be be
chose
for execution.
by
very similar
building
the definition. occur
arbitrariness.
operations
function
[I] was in fact nature
the
was to sake the
branches
IAMBDA
of the ccnt£cl
functional
tree.
parallel the
one path or the other
to inherit problem
into a
on
crder and
leaf
definiticn
achieved
to choose
it is n e c e s s a r y of
component
executed
adequate
was in
Since
this
the only
expression
small impact.
and only relevant place
evaluation
417
The
definition
meta-language not
solved
provides
in
ref.
[4]
by introducing because
for the
the
shifts
the
problem
the "," separator.
definition
inheritance
of
of
a
to
the
The problem
combinator
sequencing
freedom
is
which is
not
provided. 9.
Beki%,
pieces than
among
others,
of "interfering" their
has pointed out that to combine two
program it is necessary
(extensional)
this problem is discussed
in ref.
be
the
generally
required,
pursue the definition defining
of
know
more
His approach to
[3]. While this approach
current
author
more axiomatically:
conditions
to
functional meaning.
good
may
would prefer to
in the first place by
cooperation
that
guarantee
~on-interference. One
final
axiomatic great
area,
that of Storage
parts of a definition.
freedom
left
to
the
reasons,
In
some
implementor
mappings of the data structures efficiency
Models,
are
mappings.
worthwhi3e example, list
viewing
I. 7
in
an
ref.
array
there
is
to what storage
required.
In
PL/I,
somewhat
[q],
however,
storage
model
for
and
to
express
the
constrain
it
was
found
abstractly
value as a mapping
For a fuller discussion
(for
from a (hypera
additional
linearised constraints
see ref. [ 2].
S_~u_m_ma__r Z
difficulty
of defining a programming
from a purely functional occur.
A
functional
extensionally Three
as
of integers to values, rather than as
thereof)
separately.
The
Even
to state the basic
)rectangle
languages
the programmer can take alternative views
of an aggregate and thus the language does the
brings in the role of
definition
(of. section
alternative
definition
in
solutions
were program
to
which functions
I. 2) is not immediatel~
as an interpreting
all interpreting
language as distinct
language is that changes
di~ussed;
a
state
are read
applicable.
to consider the
(ref. [ 2 ~ D ; to
functions as ha~ing an additional
consider
argument
and
418
result which is the state fu,ctions [!9]}. to
(ref. [I]): %o consider the
defining
as producing a f u n c t i o n s from states to states
I% is possible, by adopting c a r e f u l l y
write
in
a
chosen
notation,
style which can be read in more than one way.
Except for the problem cf a r b i t r a r y order, c o m b i n a t o r s provided which permit
The
advantages
are returned
Whatever
(ref.
of
can
be
ref. [4] to be read in all three ways.
the different ways of viewing a definition
to in the next part of the paper.
one's chosen viey of a semantic definition,
there are
more important c o n s i d e r a t i o n s which influence what is
written.
The
central
guide-line
proposed is that the definition should
not possess properties ~hich are no% inherent in being
defined.
This
is
that
a proof is often
a
such
details
it
program,
required that certain
the model haYe no effect on the final outcome. eliminate
language
,or to say that such definitions are
wrong in the overall effect they d e s c r i b e for rather
the
but
details of
If the model can
will facilitate the use envisaged
below. ~xa~ples
of
where d e f i n i t i o n s can be o v e r - s p e c i f i c range
the use ef the grand state a p p r o a c h use
of
lists
vhere
to trivial items
like
from the
sets conld suffice for components of the
state in ref~ [25]. Before
proceeding
%e
the
discussion
of
proving a compiler
correct with respect to a language definition, should
be
spePt
on
the
language definition. corresponds hope.
Most
properties
to
a
such
standards
(axioms)
The
direction
encouraging
moments
definition,
descriptions
the
definition
there is little
are
a
mixture
and partial models for the language. which it is not, for the natural
he read precisely,
best i0cemplete,
verbal
few
of the correctness of the
Rs far as -proving" that normal
if it were possible, to
question
a
such d e f i n i t i o n s
of Even
language
would be shown to be at
at worst inconsistent. followed
by
ref.
[25]
is,
of
course,
very
in that it is a huge step towards s t a n d a r d i s i n g via
a document which could be considered
to be formal.
419
In spite of the difficulties possible
to consider
most trivial languages passing
level a definition
should be checked the
implicitly
defined
seeing
why
currently
task
under
cn
a
the source
first
be
is required. "formally"
question
of
the must
two
to
source to
be
to
to
be
entail
is
the creation of a of
Secondly,
functions from states generated
environment
is
returned
of to
process to be discussed
is
(and even ref. [9]).
resolved
is which of the reading
are
to
be
adopted.
This
which a
have
mapping
been shown in the source in the choice of code to of
source
to states has more to be
functions:
will also require
author,
view of the
Firstly, it is very unlikely that
are exactly those required
produced.
It is
an understanding
for taking the interpretive
distinctions,
case
source
specification
ucrked out. There seem, to the current
arguments
the
definition,
the
The question of whether this doCume, ted
definition
as the basic one.
these
aid
some extent remain open until more examples
definition
be
would
is
this process can begin,
must be
have bee~ fully to
has been
definition
definition
The step by step development
question
an
to the object language.
very similar to that in ref. [15]
styles
the proof
consideration
Based
machine
understanding
The
a
as
of
texts of a source language into texts of a
from
that before
object
below.
Much more
existence
this section discusses how to obtain a
mapping
obvious
believe
like
OF i TRANSL~TOB SPECIFICATICN
language.
a
by current
In ref. [4] an attempt
authors
the
under consideration.
overall
language,
and
it is
it
errors
%o a function.
termination
objects.
program to translate machine
of
The guestion of what
2. DEVELOPMENT
the
of the size required
~cst and assertion comments
the
"consistent".
correctness,
consistency,
to be free of clerical
guesticns
made tc insert pre,
for
like
the wrong number of arguments
subtle are
The
in establishing
some property
programs
developed
to than
manipulations of, for example, modelling in the object state.
the
420
The
abstract
state
of
the
source
definition
permit a large range of implementations. with
a
particular
designer ~ s task particular
machine
is
to
object
might be a
developing
something
of ref.
in view, to be more specific. The
find
machine,
development
concrete
realisations,
for
abstract
the
multi-stage
process
version
properties example
a
in
on
state. the
case
his This of
like a n ~NV to a d i s p l a y model like those
[7]. E a c h stage of d e v e l o p m e n t
concrete,
was chosen to
The time has now come,
of
an
object.
not possessed
by
the
proTides This
more
a
new,
more
model
will
have
abstract
object.
For
list has an o r d e r i n g p r o p e r t y not present in a set.
For this reason,
the a p p r o p r i a t e style to document the r e l a t i o n
believed
to express the c o r r e c t n e s s is from
abstract~
Thus,
(more)
c o n c r e t e to
if Z is a set and modelled by a list L, the set
is r e t r i e v e d by -
retr-$ {L) =
{L[i] ) !-
LIST -> SET
would
then
prove that the new function models the old in
the same style as discussed Milner's "Simulation"
in section
in ref.
3 (this notion
is
like
[18 D .
Another e x a m p l e of the d e c i s i o n s made during the development of the interpreter, flexibility
is the
was
permitted
for the implementer. real
use
of
ratio~a!e
of
arbitrary
by %he language
ordering.
hardware,
design.
is to a t t e m p t a l w a y s to find a model and express
the result of the previous stage.
possible tc avoid large e q u i v a l e n c e hard
to
functions
see. may
in
the r a n d o m n e s s is removed in
that best fits the c o m p i l e r
its c o r r e c t n e s s by sho,ing how, among other i r r e l e v a n t it c o m p u t e s
The
to provide freedom
Other than those a s p e c t s which result
parallel
favour of the choice
The
removal
In
details,
In this way it is
proofs whose
structure
is
fact, for many stages, d o c u m e n t i n g the retr
itself
be
an
adequate
Justification.
The
d e f i n i t i o n is thus providing, not only the c o r r e c t n e s s c r i t e r i a b~t a]se a basis for the c o r r e c t n e s s argument.
421
~t
the
termination
multi-stage, state now
however,
possible
believed sense,
on
the
seeking
object
record
to produce exactlT
machine.
on
The
as documenting more
It
which are
assumptions
attainable
a
state
In a about
goal
than
its full formal definition.
sense
operations
that
to read the interpreter
a
they depend
are inserted,
source language
will
on the text alone.
as
the
in section
that the subsequent d e v e l o p m e n t
of the source language! justify
this
mapping.
static
in
If the machine from
(abstract)
language.
serve
to be described
as a mapping
which are
this is now a function
to the object
function
~evelopment note
which functions
the same state transformation.
which may be a
should now be possible
Such
which may be
the machine o p e r a t i o n s
by expanding all of the case distinctions the
above,
are still written in a meta-language.
to
this can be considered
the object machine
Tt
the work detailed
there exists an interpreter
representable
transitions, is
of
specification 3. It
is
for the
important
to
requires no understanding
The meaning of the language was used to The
mapping itself is a s p e c i f i c a t i o n
purely in terms of strings.
Tt
is
nov
appropriate
to consider
been useful for this section tc block concept to
the
next
an example.
consider
some
Tt might model
I
section
to
use
the
2
the language
of section
example
of
1.3, States are -
DEN:id -> INTG
Given,
is -
apply-op
have the
(of. ref. [7]), but it will provide a better link
expressions. Consider
of
: I~TG op INTG -> IRTG
compiling
422
Then the definition
could be written -
_c_a_se_s e:
mk-inf-ezpr (el ,op,e2)
->
tlet v1:eval-expr(el) : !et v2: eval-expr (e2) ; result iS
(apply-op(vl,op,v2)))
sk-war-ref(id) sk-const(n) type:
-> contents(id)
-> n
e x p r = > IN~G
int-st-I (st- I,i) : if i -< !st-I t~
(_let mk-as-st(lhs,zhs)
= st-l[i]:
l_~et v:eval-expr(rhs) ; ~ssign (lhs,v) : int-st-I (st-l,i+ !))
else !
type: Now,
as-st~ INTG =>
considering
an actual
is the way individual though
the
eval~ation
to
that
-
5
DENt
: (id I T ) - >
where 6
-
id ~ T =
{}
INTG
to note
by the "l.~e% vi"
On most Rachines
some ~se of temporaries,
so
the first problem
of the ether sub-expression
give rise %o man~ such ~ses. rise
machine,
values are retained
so consider
this
even
may itself would
give
storage extended
423 A
algorithm can
simple
interpreter that
be
given
on the new class of states.
superfluous
lengthens
nov
assignments
the example
are
which will a c t as an
~he
made
-
author
is
aware
but their removal
without adding any new concepts).
trans-expr (e, J) :
_cases e: mk-inf-expr(e1,cp#e2)
->
(trans-expr (eq,j) ; trans-expr (e2, J÷1) ; assign (t[ j ],appl~-op {contents (t[j ~ ,op, contents ink- va r - r e f
(id}
(t[J+ 1 9 ) )
->
assign (t[ J ],contents (id) } ik- const (n) -> assign (t[ J ],n) tTpe:
expr !~TG =>
t tans- st- 1 (st- l,i) :
!! i
To show that the trans-expr
interpreter
models eval-expr,
it is
necessar 7 to prove contents (t[ j ]) after If
one
appends
trans-expr(e,j)
the statement
leaves contents (t[ J ])
-- eval-expr{e)
that for i < j, trans-expr (e, j)
unchanged,
it
is
easy
to
prove
the
424
combined
p~operty
expressions. As
str,ctnra!
induction
The further e x t e n s i o n
suggested above
%he original the results
bT
has been shown to model
interpreter by showing
of the latter from
the class of
to as-st lists is trivial.
the new interpreter
defining
on
how
to
retriexe
the former.
The type of the function assign (t[ j],ap~!y-op (.. o))
is
DENt
->
Suppose then,
DENt
the object
machine is of 3 address
an appropriate
instruction
uight be
type
(of. I~M Iq01)
-
op = A_D_DD - ~DD (t[ J ],t[ j ],t[ j+ 1 3) Inserting
such
function
%ransaexpr
languages. derived (At
operations,
It
as
is
a
it
mapping
important
step by step
is to
now
possible
from
source
remember
to use the to
object
that this has been
from the definition.
the risk of labonring
the point, it could
be remarked that
had the statemeDt counter been made part of a grand would ,ow pose problems because
there is no model
state,
it
for it in the
object state). It
should
in
the
be clear
source
development properties the
it
problem mappimg
is which
the mapping
but
used so far that not only
also
in
the
subsequent
likely to lead to more work if unnecessary
are introduced.
~rob!ems
expressed
from the methods
definition,
has
This, however, not
really
is likely to be
conveniently
in
a
such
"single
touches
on
been solved. that pass".
it
one
of
In a large cannot
be
If a multi-pass
is described and its structure differs from that of the
eventual difficult.
translator,
the
proof
Sore work is needed
is
likely
in this area.
to
be much more
425
Before
concluding
this
section
it is worth c o n s i d e r i n g
what
happens if a defining
model is chosen, or given,
which
some
language
is, there are
areas
of
some details Not
the
present
too concrete.
That
is
which do ~o_tt appear in the planned
model.
only should one refrain from throwing the definition
one should also ~o~ embark has
been
stage,
shown for
one
satisfying
equivalence.
ref.
[10]
area
the
The
abstract
subseguent
away:
proof.
It
as a development
notion than that of the source
of the language.
new
In
One can then prove
notion
development
the mere abstract definition. interesting
equivalence
how one can,
a more abstract
introduce
definition that
in
on a complete
in
this
ensures
overall
can now be made from
respect
it
would
be
to prove that the storage model of ref. [25] was a
model of that in ref. [~].
3. FORMIL
Faced
DEVELOPMEN~
with
a
program
specification
and a code listing it is
difficult to ascertain
whether the latter satisfies the former.
The
of
basic
framework Thus,
intention
the
subscribed development correctness It
is
Formal
idea can
be
documented
argued
is to provide step
b~
of a development
that
precisely
each enough
a
step.
level that
is of its
can be the subject of a proof.
important
to distinguish
makes
proof far more tractable. when an attempt
the current proposal
then constructing
its specification.
during a development redone,
recorded
of top-down documentation
to. In addition it is
idea of writing a program fulfills
Development
in which the design can be
The possibility the
a
that
it
to u s e abstraction
construction
Furthermore,
proof
from the
of
a
step-wise
the amount of work to be
to construct a proof uncovers
an error,
is r e d u c e d .
It
may
also avoid
misunderstanding
that Formal Development invention.
if it is stated right
is not proposed
The backtracking
as
a
rule
and effect of inspiration
to
away order
conveyed
426
by ref. Just
[20] are much more typical
as
one f r e q u e n t l y
documenting a design so that a
it is worth cohere~%
of program invention.
development
reader
can
see
a
of ideas.
Two main sorts of development the one norla!Iy connected specification
But,
rearranges a proof when writing it up,
steps are discussed.
mith t o p - d o ~
of w_hha~ is required,
a
which
may be either s t a t e m e n t s of some language or assumed
tC
second
have
possible
perform
the
specifications
used:
one
the give~
properties
be
achieved.
it
becomes which
can
are
The also
step comes from the wish to use By
such steps of development
using
to
an
the
arguments.
necessary be
combined
task.
reduce
and c o r r e c t n e s s
the
believes
relevant
drastically
representation
may
notation is being used it is now
M~I
of normal data objects.
to
development
formal
down
sort of development
abstractions only
some
write
sub-operations The
task
in either case their specifications
Since
possible
the
Given
operations recorded.
hoXw
development.
one writes some sequence of
operations
sub-operations:
show
The first is
to
objects
which
algorithm, length
it is
of
both
At some point in the seek
an
efficient
described in the language being are considered
in section
3.2.
!~!___o_me_r~.~io~a! A__bb_s_t_ra_c/tio~
Operations
are considered
some class,
say Z. For some operation,
means
that
OP will
(only deterministic
to be transformations
~rcduce a state
say CP
~' when
operations are c o n s i d e r e d
on states from
-
"run in" a state in
the
current
paper). The
term
not
De
abstraction available
is applied
(other
than
because operations,
which may
by
performed
a
yet
to
he
427
construction) an implicit
can be discussed. specification.
They are in fact discussed via
The definition
be given via two predicates
of an operation will
one which specifies the domain over
which it must yield a result pre-OP : Z -> pre-oP(q) and
the
required
{t_~rue,f~!se}
= (3#') (G [OP] ,')
other
cf
which
specifies the input/output
post-OP
: Z Z ->
pre-OP(#)
{tr_ue,false}
^ w [OP] #' = post-OP(#,#')
by -
If both of these conditions hold the fact is recorded pre-OP These
relation
for the operation -
two
post-OP
predicates,
the meaning of OP
then, record everything
(there is of course
necessary
about
nothing about performance
etc.). Suppose
a
proceed?
The problem is decomposed
specification
is
given in this form, how does one
a set of
(simpler)
operations,
to sub-problems
on
the sub-operations
the
be
true
of statements
that time they provide
will be recorded
The
most
languages execution
trivial is of
to the
way
of
separate first
execution of the second. such a combination
in the language
specifications
is
to
with be
of the two operations
in exactly assumptions
work.
two
operations
":"
showing
immediately
The conditions
necessary -
The
being used. Until
for further
combining them
could be
specification.
the sate style. Eventually all of the sub-operation will
choosing
which, if one had them,
combined in some stated way to fulfil assumptions
by
in most
that
the
followed to show
by
that
428
pro-OPt
post-OPl
pre-OP2
post-OP2
will satisfy pro
are
firstly
stated
post
that
each
pro(G1)
= pre-OP1 (=1) A post-OPt(,1,=2)
secondly
~erived
the
overall
such a sisp!e
combination,
requirement
not being suggested
should
be
accompanied
post(,1,,3)
to
In wany sit~atious
For instance,
list has been provided
can be
is proved in refo [12])~ prove
however,
true.
For
three special
with total operations
the first two lemmas are vacuously
it is certainly program
the
excessive.
cases can be applied.
relation
^ post-OP2{,2,~3)=
of these c o n d i t i o n s
appears
~X~)
input/output
-
~ post-OPl(~1,e2)
adequacy
lemmas
%hat
= pre-OP2(q2)
frow the combination
pre{#1) (The
will only be used over its
domain-
pre(,1) and
=
operation
(pre
Furthermore,
that every use of ":" in
by formal
proofs:
a
but a check
to which an appeal can be made
in
case
cf doubt. The
reader
the
next
should stage
properties
observe of
relied
onQ
that the development current providing
proof.
that a specification
development
which
Thus it is not n e c e s s a r y
cf that operation
There
is passed on to
states
is
a
complete
does
not
all
of
the
to later show disturb
split of the problem
the of
J ~stif ications.
More
methods
style
by ref. [ 12], section 9 of that paper also considers
of
combining
operations
the set could be further extended.
are defined in the same how
429
3~
many
respects
this might be the more important
forms of abstraction
being considered:
of the two
it is certainly
the
one
which is under-employed. The idea of data abstraction the earlier mappings
has, in fact,
parts of the paper.
have
both
used
an
The
language
abstraction
(i.e. that class of objects described That
this
was
alternative
necessary
of redefining
can
already
be
been used
definitions
and
of the program text
by the abstract seen
in
by
syntax).
considering
%hose functions in terms of
the
concrete
strings. If
then,
terms
it
ef
is
difficult
detailed
impossible
tc
data
tc even state the specification
representations,
it
will
write a r g u m e n t s for correctness
in
become
at such a level
of detail. The
proposal
is
that development
bring in those properties effect
on
percentage section
the
below.
represe,tafion performance The
of the data structure
algorithm.
That
cf the development
3.~
~hus
this
that
permits
can be seen
one
in
a
have
an
reasonable
the
example
is able to postpone
of
fixing the
of a data object until adequate reason
of a sub-algorithm)
interface
of an algorithm should only
(e.g. the
can be ascertained.
between operations might, then,
terms of sets or maps for example:
in
the
be described
final
code
in
linked
lists or hash tables might be the chosen representations. ~t
is
necessary to discuss
which refiDes a data doing is adding
properties
has an ordering
property
possible
what goes on in a development
representation. to
not
Essentially
the data structure present
in
the
what
step is
(e.g. the list set).
to re~iev~e all of the data of the abstract
the more concrete.
one
It
is
level from
430
Suppose
an
o p s r a t i c ~ ~n states of c l a s s D has been used, s u c h
that -
prod postd
and one now wishes to show that -
pree poste is
an
adequate
simulation.
If
is
sufficient
to
find
a
r e l a t i o n s h i p b e t w e e n the two state c l a s s e s -
retrd : g -> D w h i c h shows that OPe works on a wide enough class of states -
pred(d)
and
that
retrd)
the
ne~
operation
produces states m a t c h i n g
those produced by the old o p e r a t i o n
prod(d)
(This
^ r e t r d ( e ) = d = pree(e}
^ retrd(e)=d
~ction
differs
O p e r a t i o n s are Dot,
(under
-
^ poste {e ,e ') = postd(d,retrd(e'))
from
that
in
ref.
[ 18]
in that the
necessarily, functions).
3j___~le___o_f_~_xa_re_s si o_n_C_o_~ t_ii_on
The
input/output
[elation given for trans-expr in section
defined %o operate conveniently linear form consideriDg
cn
chosen
objects
parsing and
consider a reverse-~olish first p a r s e -
type
"expr".
These
2 is were
to be tree r e p r e s e n t a t i o n s of %he o r i g i n a l
(presumably infix). the
of
Without going all of the way to
tokenising of an e x t e r n a l string,
text which might result from
such
a
431
c-expr
::= c-inf-expr
c-inf-expr c-var-ref c-const The
~ c-const
::= c-expr c-expr c-op ::= ...
::= ...
relation
retrieve
~ c-Tar-tel
of
this to the class expr can be specified
function
which
hy a
uses a stack -
retr-expr (tl) =
!_o_r i = ~ _to ! t l ~o (is-c-var-ref (tl[i ]) -> ~ush (retr-var (tl[i ])) is-c-const (tl[i ]) -> p.ush (retr-ccnst (tl[i ]) ) is-c-op (till ]) -> (!_e_t e2: p_q~; l~t e1:~o~; 9.~sh(mk-ex~r (el,retr-op (tl[i ]) ,e2) ) ) ) ; result type: Not
is
(~o~)
c-expr -> expr
only
criterion suggestive
does
this
retrieve
for the following o f a way
to track
function
translate
give the correctness
function,
the temporaries,
the stacking
is
432
Assuming
an external
variable b -
trans-c-ezpr (t i) : _~_~_r i = I t c _! t l do (is-c-var-ref (tl[i ]) -> (b:=b+
I;
assign (rib ],contents (retr-var (tl[i ~ ) ) ) is-c-const (tl[i ]) -> t;
(b : = b +
assign (t[ b 3, retr-const (tl[i ])) )
is-c-op(tl[i])
->
(assign (t[b-1 ].appl y-op (contents (t[ b- I), retr-op (tl[i ~ , contents (t[ b]) )) ; b := b-l)
type:
c-expr =>
The correctness
ca~ now be proved if -
b := O; trans-c-expr(tl| trans-expr (retr-expr (tl) , I) This
result
follews
from a Froof, by induction
{and possible c c n s t r u c t i o n s
of)
on the length
tl, of the stronger statement
-
b := k; trans-c~expr(tl) leaves b = k + I and creates
the same as
frans-expr (retr-expr (tl) ,k+ I)
The
rather
short
leave the reader Whilst
the
correctly
unclear as tc
notation
made the
development
treatment of Formal
via
used
step
in
from
operations,
he,
a
ref.
Development bigger [12]
development the
example
offered
example
may
looks.
is t h o u g h t to have via of
functions
to
that report
is
433
unconvincing. was
so
This is mainly because the a l g o r i t h m
oriented
to
arrays
considered
that the use of an abstract data
r e p r e s e n t a t i o n is somewhat artificial.
The
example
ref. [11] is more i n t e r e s t i n g with respect to
of
data a b s t r a c t i o n and a
short
outline
of
a
rewrite
of
its
development is now given -
Specification:
find
a
(general,
table
driven
recogniser)
algorith~ -
REC
: grammar nt s y m b * - >
{_Y_E_S,~O}
Where the abstract form of a grammar is -
grammar : nt -> rhs-set rhs = el* e! = symb I nt
The
pro-condition
n o n - t e r m i n a l and sentence
defines that
that
there
non-terminal.
there
is
The
are
exactly
rules
one
post-condition
should yield "YES" if and only if produced from the given gra$mar.
the
for
rule
states
symbol
each
for
the
that
R~C
string
can
be
("Produceable" is defined).
Step I: Splits the problem into an input stage which stores the grammar:
a main stage which c r e a t e s
"State
contain
information on all possible top-down parses:
stage which yields YES or NO depending on a state
sets.
terms of the the
which
will
an output
predicate
of
the
The storage for the grammar is still s p e c i f i e d in (abstract)
programmer
map.
assigned
This may be
the
task
a
disappointment
to
of c o n s t r u c t i n g the input
routine since he has little to work on yet. fixing
Sets"
But
the
cost
of
this interface for his c o n v e n i e n c e is that the far more
time c o n s u m i n g parsing operation has not yet been developed far enough to get h~s
views on an e f f i c i e n t representation.
The state sets are a l s o described a b s t r a c t l y
(as a list of sets
of tuples)
is
certain
since the purpose of this
stage
to
show
that
upper and lower b o u n d s on the state sets are s u f f i c i e n t
434
to make the final Fredicate correct. of abstract
definition.
Notice this
give~ bounds and different a l g o r i t h m s could be use
this
freedom.
(In
fact
the
considerable use in considering
Scanning] the
which generate nee stales. ~inimum
constructed
specification
to
has been of
(Prediction,
Completion,
The state sets are defined
sets satisfying a certain equation.
are showP to fall
form
optimisations).
Step 2: introduces E a r l e y ' s operations
as
extreme
There is a great deal of freedom in the
within the bounds stated in
Step
Such sets I.
Notice
that not o~ly are these operations defined in terms of abstract data objects, distinction
they are also
implicitly
Step
~:
not
Begins
%c
restriction would,
algorithm
4:
Makes
is not
representing ~t
this
rhs)
the
Using
~t
algorithm
the restriction.
similar ordering step to the data structure
grammars.
what the common oFerations on the
Now is the time to give
REFEP
abstraction [S].
complete.
to the allowable grammars.
the c o n c r e t e
(In fact those used were quite complicated the
lists
mcint most of the algorithms as such, is designed and
it ix clear are.
yet
have been possible to use a different
a
of
on lists it is necessary to iDtrodnce a
(no zero length
however,
by mapping state
object in a yon NeQmann machine,
at _this stage of development and avoid
Step
in
development
But notice that, since a list
a convenient data
chosen
this form of
ccnsider representations
step to a concrete representation the
is
later.
sets onto state lists. is
This
to ref. [8 ] in which the a l g o r i t h m s are programmed
with operations on the a b s t r a c t data: is employed
defined.
option.)
Doing
data
(~L/I)
structures
data objects!
HASEE variables with
this prompts a macro style of data
like refo [5] which is similar to that used in ref.
435
4. SU~M~RY
The
aim
of the paper has been to show how a large problem,
this case the development of a compiler, can be decomposed small
steps.
Providing
each
step is adequately
complete design history is thus
obtained.
One
in
into
documented, of
the
a
views
expressed is that each stage of development should be supported by a justification. recorded
in
a
~his
notation
correctness argument. with
a
view
implies
to
cn
Such
that
which
it
correctness
steps
of
design
are
is nossible to base a arguments
are
sought
human readers rather than mechanical theorem
checkers.
The
key
to
making
ahstraction. minimum
properties
more difficult to provide
such
a
an approach practical is the use of
In each of the sections the value of stating has find
been shown. an
construction,
the
Although it is frequently
~FFropriate
abstraction
than
to
the a d v a n t a g e s of the former make the
effort worthwhile.
By
emF]cying
both data and operational abstraction,
the development are
rea]isations
of detail. argument
is based on showing how the from the
it is possib]e
The
of the same algorithm at ever greater
Taking this view, the normal
he retrieved
operations
design
(more)
of
levels
correctness
abstract model can
(more) concrete realisation.
In this
of
a
way
design language to be able to specify
imp!ici%ly and tc ~se very abstract data objects
different
particular
style
tc avoid general equivalence proofs.
requirements
very
a view of
process is obtained where the s u c c e s s i v e stages
from these of ~rogramming languages.
netatiGn
language,
(that of ref.
are
A!tho~gh a
[4]) has been employed as the
it should be emphasised
that it is the method
not a Farticular notation which is being proposed here.
436
Ackncwle~sement
~ost
of
the
ideas
contained in this paper were developed
co]]ahcraticn
with
se~bers
of
Laboratories.
The members and
the
Hsrs!ey
and
vienna
i~ IBM
meetings of IYIP WG 2.3 have also
been a great stimulus.
~eferences
[I]
C.9.%]]en~
9.N.Chap~an
Definition
of Algol 60",
12.1~5 August
[2]
[Ed.)
on
~ormal
Report,
TR
Algorithmic
Languages"
Lecture
Notes
in
1979.
H.Beki&~
P r e s e n t a t i o n on "Semantics of Actions" given at
Newcastle
University,
September
197~.
Ho~eki£ et a] "A Formal ~efinition of PL/I" to be printed
A.Hansal,
Re~ort Gf T ~
"Soft,are
Laboratory Vienna.
Devices for Processing Graphs Using
Facilities",
W.~e~hap]
a~d
Statements
in the VDL ~, I ~
March
[7]
of
SF~iDger-Verlag
IS8, October
PL/I c o m p i l e - t i m e
[6]
IB~ Hursley T e c h n i c a l
Semantics
E.Engeler,
as a Technical
[5]
"A
H.~ekie and K. Walk, " P e r m a l i s a ~ i o n of Storage Properties"
~ a t h e m a % i c s No.
[~]
C.E. Jones,
1972.
i~ ~'Sym~osiu~
[3]
and
C.B. Jcneso
Into Proc Letters.
1974.
~'On the Interpre%ation of Gore Vienna
Note,
LN
25.3.065,
1970.
~.He~hapl
and
C.B. Jones,
Possible Implementations, IBM Vienna Tech,ical
"The with
Hlock Proofs
Report, TN 25.104,
Concept and Some of
~quivalence",
April
1970.
437
[8]
C.A.R.Hoare,
"Proof
?epresentations",
ef
Correctness
Acta Informatica,
Vo!.
of
1,
pp
Eata 271-281,
1972. [9]
C.B.Jo~es
and
Implementation Algorithmic
P. Lucas,
Techniaues",
Languages"
"Proving
(Ed.) E. Engeler,
Lecture Notes in Mathematics [10] C.B. Jones,
"Sufficie ~t
Correctness:
Assignment
Correctness
in "Symposium
on Semantics
Springer-Verlag
No. 188, October
Properties Language",
of of
for
1970.
Implementation
IB~ Hursley
Note,
TN
9002, June 1971. [11 ] C.B.Jcnes,
"Formal Development
Example Based on Harley's S!GPLAN Conference,
of Correct
~ecogniser",
SIG~AN
Algorithms:
presented
at
An AC~
Notices Vol. 7, No.l, January
1972. [12] C.B.Jcnes,
"Formal Development
Technical
Deport,
[13] P.J.Landin,
"R
Correspondence
Church's Lambda-Notation: No.2, February [14] P.Lucas, Report,
TR 25.085, "On
Development Conference [16] P.Lucas
Computation"
60
ACM,
and
Vol.8,
of
the Block
Vienna
Technical
I mple me nfa tions",
and
the
presented
Stepwise at
IB~
1972.
K. Walk, "On the Formal Description
Press,
[17] J.McCarthy,
IB~
Correctness
in Annual Review in Automatic Pergamon
Algol
1968.
Program
cf
Realisations
Equivalence",
at Pisa University,
and
Between
Part !", Comm. of
Constructive
their
[15] P.Lucas,
!~M Rursley
1965.
"Two
Co,cept and
of Programs",
TR 12. 117, June 1973.
Programming,
Vol.6,
of PL/I" Part 3,
1969. "Towards
a
Mathematical
presented af !FIP Congress
1962.
Science
of
438
[18] R.~il~er,
"An Algebraic
Programs"~
Stanford
[ Ig] P.gosses,
"~he
Definition
University
~athematical
Oxford University Computing
of Simulation
AIM-I~2,
February
Semantics
Laboratory,
of
Between 1971.
Algol
PNG-12,
60",
January
197g. [20] Po
Naur,
"An Experiment
pp 3~7=365, [21 ] J.C.~eynolds,
Languages",
Conference,
August
Languages",
Computers
Series
Brcok!yn,
1971.
[23] C. Strachey,
presented
~icrowave
Vo!.21,
"~bstract
PL/I", TBM Vienna Technical [25] "PL/I BASIS/I"
National
ACM
A
Semantics
of the Symposium
Research
Polytechnic
,'Continuations:
al,
for Higher-Order
25th
"Toward a Mathematical
which can deal with Full Jumps", et
at
in "Proceedings
and Automata",
Symposia
[2~] K.Wa~k
HIT 12,
1972o
and C.Strachey,
for Computer on
Eevelopment",
~'Definitic~al I,terpreters
Programming
[22] DoScott
on Program
1972.
Institute
Institute
Mathematical
of
Semantics
unpublished.
Syntax
and Interpretation
Report, T~ 25.098,
ECMA ANSI working document,
of
lg69.
February
19g~.
439 A~pendix This appendix c o n t a i n s a definition merging
the separate
written
in a style
mathematical
features
of the language obtained
of section
I.
(cf. the tlpe clauses)
The definition
is
which can he read
as
sesantics.
B___STIR A ]%CC~. SYNTAX prOC
:: s-nm:id
St
=
as-st
:: s-lhs:id
goto-st
:: in
call-st
:: s-pn:id
as-st
s-parms:id~
~ gore-st
s-args:id~
:: nmd-st*
nmd-st
:: s-ns:[id S s-body:st
expr
=
inf-expr
:: expr o~ expr
vat-tel
:: id
const
:: INTG
in
}
op
)
~ vat-rot
/'args dcl,
~ const
not further specified
INTG )
DOMAINS
ENV: i d - > S: L O C - >
(LOCI
v~n = I ~ T G
PROC-DEN: AB.
= [ id ]
~ROC-DEN)
VAL
LOC = infinite
cpd-st
~ cpd-st
s-rhs:expr
cpd-st
inf-expr
proc-set s-dcls:id-set
| call-st
set
I ! (LOC I PROC-DEN}~
-> (S -> S ABN)
bT
proc or parma/
440
FUNCTIONS
e v a ! - ~ r o c - d c l (proc) (env) = le_t < i d , p a r ~ - l , ~ r o c s , d c l s g m k - c p d - s t ( n s - l )
> = proc;
!e_t f~den:!)= {!_~! env'
: e~v + ([ par,-![i ]
den-l[i]
~ 1
