Hoare - An Axiomatic Basis for Computer Programming
8/3/2019 Hoare - An Axiomatic Basis for Computer Programming
http://slidepdf.com/reader/full/hoare-an-axiomatic-basis-for-computer-programming 1/6
An Axiomatic Basis for Computer Programming
C. A. R. HOARE
The Queen's University of Belfast,* Northern Ireland
In this paper an attempt is made to explore the logical foundations of computer programming by use of techniques which were first applied in the study of geometry and have later been extended to other branches of mathematics. This involves the elucidation of sets of axioms and rules of inference which can be used in proofs of the properties of computer programs. Examples are given of such axioms and rules, and a formal proof of a simple theorem is displayed. Finally, it is argued that important advantages, both theoretical and practical, may follow from a pursuance of these topics.
KEY WORDS AND PHRASES: axiomatic method, theory of programming, proofs of programs, formal language definition, programming language design, machine-independent programming, program documentation
CR CATEGORIES: 4.0, 4.21, 4.22, 5.20, 5.21, 5.23, 5.24
1. Introduction
Computer programming is an exact science in that all the properties of a program and all the consequences of executing it in any given environment can, in principle, be found out from the text of the program itself by means of purely deductive reasoning. Deductive reasoning involves the application of valid rules of inference to sets of valid axioms. It is therefore desirable and interesting to elucidate the axioms and rules of inference which underlie our reasoning about computer programs. The exact choice of axioms will to some extent depend on the choice of programming language. For illustrative purposes, this paper is confined to a very simple language, which is effectively a subset of all current procedure-oriented languages.
2. Computer Arithmetic
The first requirement in valid reasoning about a program is to know the properties of the elementary operations which it invokes, for example, addition and multiplication of integers. Unfortunately, in several respects computer arithmetic is not the same as the arithmetic familiar to mathematicians, and it is necessary to exercise some care in selecting an appropriate set of axioms. For example, the axioms displayed in Table I are rather a small selection of axioms relevant to integers. From this incomplete set of axioms it is possible to deduce such simple theorems as:

$x = x + y \times 0$

$y \leq r \supset r + y \times q = (r - y) + y \times (1 + q)$

The proof of the second of these is:

A5   $(r - y) + y \times (1 + q) = (r - y) + (y \times 1 + y \times q)$
A9   $= (r - y) + (y + y \times q)$
A3   $= ((r - y) + y) + y \times q$
A6   $= r + y \times q$   provided $y \leq r$

* Department of Computer Science
The axioms A1 to A9 are, of course, true of the traditional infinite set of integers in mathematics. However, they are also true of the finite sets of "integers" which are manipulated by computers provided that they are confined to nonnegative numbers. Their truth is independent of the size of the set; furthermore, it is largely independent of the choice of technique applied in the event of "overflow"; for example:

(1) Strict interpretation: the result of an overflowing operation does not exist; when overflow occurs, the offending program never completes its operation. Note that in this case, the equalities of A1 to A9 are strict, in the sense that both sides exist or fail to exist together.

(2) Firm boundary: the result of an overflowing operation is taken as the maximum value represented.

(3) Modulo arithmetic: the result of an overflowing operation is computed modulo the size of the set of integers represented.

These three techniques are illustrated in Table II by addition and multiplication tables for a trivially small model in which 0, 1, 2, and 3 are the only integers represented.

It is interesting to note that the different systems satisfying axioms A1 to A9 may be rigorously distinguished from each other by choosing a particular one of a set of mutually exclusive supplementary axioms. For example, infinite arithmetic satisfies the axiom:

A10_I   $\neg \exists x \, \forall y \, (y < x)$,

where all finite arithmetics satisfy:

A10_F   $\forall x \, (x \leq \mathit{max})$

where "max" denotes the largest integer represented.

Similarly, the three treatments of overflow may be distinguished by a choice of one of the following axioms relating to the value of max + 1:

A11_S   $\neg \exists x \, (x = \mathit{max} + 1)$   (strict interpretation)
A11_B   $\mathit{max} + 1 = \mathit{max}$   (firm boundary)
A11_M   $\mathit{max} + 1 = 0$   (modulo arithmetic)
Having selected one of these axioms, it is possible to use it in deducing the properties of programs; however, these properties will not necessarily obtain, unless the program is executed on an implementation which satisfies the chosen axiom.

576   Communications of the ACM   Volume 12 / Number 10 / October, 1969

TABLE I

A1   $x + y = y + x$                                   addition is commutative
A2   $x \times y = y \times x$                         multiplication is commutative
A3   $(x + y) + z = x + (y + z)$                       addition is associative
A4   $(x \times y) \times z = x \times (y \times z)$   multiplication is associative
A5   $x \times (y + z) = x \times y + x \times z$      multiplication distributes through addition
A6   $y \leq x \supset (x - y) + y = x$                addition cancels subtraction
A7   $x + 0 = x$
A8   $x \times 0 = 0$
A9   $x \times 1 = x$

TABLE II

1. Strict Interpretation (* nonexistent)

  +  0 1 2 3          X  0 1 2 3
  0  0 1 2 3          0  0 0 0 0
  1  1 2 3 *          1  0 1 2 3
  2  2 3 * *          2  0 2 * *
  3  3 * * *          3  0 3 * *

2. Firm Boundary

  +  0 1 2 3          X  0 1 2 3
  0  0 1 2 3          0  0 0 0 0
  1  1 2 3 3          1  0 1 2 3
  2  2 3 3 3          2  0 2 3 3
  3  3 3 3 3          3  0 3 3 3

3. Modulo Arithmetic

  +  0 1 2 3          X  0 1 2 3
  0  0 1 2 3          0  0 0 0 0
  1  1 2 3 0          1  0 1 2 3
  2  2 3 0 1          2  0 2 0 2
  3  3 0 1 2          3  0 3 2 1
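The three overflow treatments and the A11 variants, as an added example in Python that is not part of Hoare's paper: it builds the operation tables of Table II for the model 0..3, classifies each treatment by which of A11_S, A11_B, A11_M holds for max + 1, and checks A1 to A9 exhaustively, recording separately whether an equality holds in the strict sense (both sides exist or fail together) or only whenever both sides exist. MAX, the None value for a nonexistent result and its propagation through an expression are modelling assumptions.

```python
# Added example (not from Hoare's paper): the three overflow treatments of
# Section 2 on the integers 0..MAX, with the tables of Table II, the
# distinguishing axiom A11 and an exhaustive check of A1-A9 from Table I.
from itertools import product

MAX = 3  # the paper's trivially small model: 0, 1, 2 and 3 only (assumption)


def make_arith(mode, maxv=MAX):
    """Return (add, mul, sub) for mode 'strict', 'firm' or 'modulo'.

    A result that overflows is None (nonexistent, the * of Table II), maxv,
    or reduced modulo maxv + 1 respectively.  A nonexistent operand makes the
    whole expression nonexistent (the program never completes, Section 2).
    Subtraction x - y is only defined for y <= x, as in the hypothesis of A6.
    """
    def clamp(v):
        if v <= maxv:
            return v
        if mode == 'strict':
            return None
        if mode == 'firm':
            return maxv
        return v % (maxv + 1)

    def add(x, y):
        return None if x is None or y is None else clamp(x + y)

    def mul(x, y):
        return None if x is None or y is None else clamp(x * y)

    def sub(x, y):
        return None if x is None or y is None or y > x else x - y

    return add, mul, sub


def axioms(add, mul, sub):
    """Table I as (left side, right side) functions of x, y, z.  A6 is guarded
    by its hypothesis y <= x; outside it both sides are None so they agree."""
    return {
        'A1': lambda x, y, z: (add(x, y), add(y, x)),
        'A2': lambda x, y, z: (mul(x, y), mul(y, x)),
        'A3': lambda x, y, z: (add(add(x, y), z), add(x, add(y, z))),
        'A4': lambda x, y, z: (mul(mul(x, y), z), mul(x, mul(y, z))),
        'A5': lambda x, y, z: (mul(x, add(y, z)), add(mul(x, y), mul(x, z))),
        'A6': lambda x, y, z: (add(sub(x, y), y), x) if y <= x else (None, None),
        'A7': lambda x, y, z: (add(x, 0), x),
        'A8': lambda x, y, z: (mul(x, 0), 0),
        'A9': lambda x, y, z: (mul(x, 1), x),
    }


def check_axioms(mode, maxv=MAX):
    """Test A1-A9 for every x, y, z in 0..maxv.

    Returns (strict_failures, loose_failures): the axioms that fail when an
    equality must have both sides exist (and agree) or fail together, and the
    axioms that fail even when only cases where both sides exist are counted.
    """
    add, mul, sub = make_arith(mode, maxv)
    strict_fail, loose_fail = set(), set()
    for name, eq in axioms(add, mul, sub).items():
        for x, y, z in product(range(maxv + 1), repeat=3):
            lhs, rhs = eq(x, y, z)
            if lhs != rhs:
                strict_fail.add(name)
                if lhs is not None and rhs is not None:
                    loose_fail.add(name)
    return strict_fail, loose_fail


def classify(mode, maxv=MAX):
    """Which of the mutually exclusive axioms about max + 1 the mode satisfies."""
    add, _, _ = make_arith(mode, maxv)
    v = add(maxv, 1)
    if v is None:
        return 'A11_S'  # no x with x = max + 1 (strict interpretation)
    if v == maxv:
        return 'A11_B'  # max + 1 = max (firm boundary)
    if v == 0:
        return 'A11_M'  # max + 1 = 0 (modulo arithmetic)
    raise ValueError(f'unexpected value of max + 1: {v}')


def table(mode, op, maxv=MAX):
    """One operation table of Table II as text; '*' marks a nonexistent result."""
    add, mul, _ = make_arith(mode, maxv)
    f = add if op == '+' else mul
    rows = [op + ' ' + ' '.join(str(i) for i in range(maxv + 1))]
    for x in range(maxv + 1):
        cells = ('*' if f(x, y) is None else str(f(x, y)) for y in range(maxv + 1))
        rows.append(f'{x} ' + ' '.join(cells))
    return '\n'.join(rows)


if __name__ == '__main__':
    for mode in ('strict', 'firm', 'modulo'):
        strict_fail, loose_fail = check_axioms(mode)
        print(f'{mode}: {classify(mode)}, strict failures {sorted(strict_fail)}, '
              f'loose failures {sorted(loose_fail)}')
        print(table(mode, '+'), table(mode, 'X'), sep='\n')
```

Run with MAX = 3, the firm boundary and modulo models satisfy all nine axioms strictly, while under the strict interpretation A4 and A5 hold only in the weaker sense: 0 × (2 + 2) fails to exist, but 0 × 2 + 0 × 2 = 0.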
3. Program Execution
As mentioned above, the purpose of this study is to provide a logical basis for proofs of the properties of a program. One of the most important properties of a program is whether or not it carries out its intended function. The intended function of a program, or part of a program, can be specified by making general assertions about the values which the relevant variables will take after execution of the program. These assertions will usually not ascribe particular values to each variable, but will rather specify certain general properties of the values and the relationships holding between them. We use the normal notations of mathematical logic to express these assertions, and the familiar rules of operator precedence have been used wherever possible to improve legibility.

In many cases, the validity of the results of a program (or part of a program) will depend on the values taken by the variables before that program is initiated. These initial preconditions of successful use can be specified by the same type of general assertion as is used to describe the results obtained on termination. To state the required connection between a precondition (P), a program (Q) and a description of the result of its execution (R), we introduce a new notation:

$P\ \{Q\}\ R.$

This may be interpreted "If the assertion P is true before initiation of a program Q, then the assertion R will be true on its completion." If there are no preconditions imposed, we write true {Q} R.¹

The treatment given below is essentially due to Floyd [8] but is applied to texts rather than flowcharts.
3.1. AXIOM OF ASSIGNMENT

Assignment is undoubtedly the most characteristic feature of programming a digital computer, and one that most clearly distinguishes it from other branches of mathematics. It is surprising therefore that the axiom governing our reasoning about assignment is quite as simple as any to be found in elementary logic.

Consider the assignment statement:

$x := f$

where
x is an identifier for a simple variable;
f is an expression of a programming language without side effects, but possibly containing x.

Now any assertion P(x) which is to be true of (the value of) x after the assignment is made must also have been true of (the value of) the expression f, taken before the assignment is made, i.e. with the old value of x. Thus if P(x) is to be true after the assignment, then P(f) must be true before the assignment. This fact may be expressed more formally:

D0 Axiom of Assignment
$\vdash P_0\ \{x := f\}\ P$
where
x is a variable identifier;
f is an expression;
$P_0$ is obtained from P by substituting f for all occurrences of x.

It may be noticed that D0 is not really an axiom at all, but rather an axiom schema, describing an infinite set of axioms which share a common pattern. This pattern is described in purely syntactic terms, and it is easy to check whether any finite text conforms to the pattern, thereby qualifying as an axiom, which may validly appear in any line of a proof.

¹ If this can be proved in our formal system, we use the familiar logical symbol for theoremhood: $\vdash P\ \{Q\}\ R$
3.2. RULES OF CONSEQUENCE

In addition to axioms, a deductive science requires at least one rule of inference, which permits the deduction of new theorems from one or more axioms or theorems already proved. A rule of inference takes the form "If $\vdash X$ and $\vdash Y$ then $\vdash Z$", i.e. if assertions of the form X and Y have been proved as theorems, then Z also is thereby proved as a theorem. The simplest example of an inference rule states that if the execution of a program Q ensures the truth of the assertion R, then it also ensures the truth of every assertion logically implied by R. Also, if P is known to be a precondition for a program Q to produce result R, then so is any other assertion which logically implies P. These rules may be expressed more formally:

D1 Rules of Consequence
If $\vdash P\{Q\}R$ and $\vdash R \supset S$ then $\vdash P\{Q\}S$
If $\vdash P\{Q\}R$ and $\vdash S \supset P$ then $\vdash S\{Q\}R$
3.3. RULE OF COMPOSITION

A program generally consists of a sequence of statements which are executed one after another. The statements may be separated by a semicolon or equivalent symbol denoting procedural composition: $(Q_1;\ Q_2;\ \cdots;\ Q_n)$. In order to avoid the awkwardness of dots, it is possible to deal initially with only two statements $(Q_1;\ Q_2)$, since longer sequences can be reconstructed by nesting, thus $(Q_1;\ (Q_2;\ (\cdots (Q_{n-1};\ Q_n) \cdots)))$. The removal of the brackets of this nest may be regarded as convention based on the associativity of the ";-operator", in the same way as brackets are removed from an arithmetic expression $(t_1 + (t_2 + (\cdots (t_{n-1} + t_n) \cdots)))$.

The inference rule associated with composition states that if the proven result of the first part of a program is identical with the precondition under which the second part of the program produces its intended result, then the whole program will produce the intended result, provided that the precondition of the first part is satisfied. In more formal terms:

D2 Rule of Composition
If $\vdash P\{Q_1\}R_1$ and $\vdash R_1\{Q_2\}R$ then $\vdash P\{(Q_1;\ Q_2)\}R$
3.4. RULE OF ITERATION

The essential feature of a stored program computer is the ability to execute some portion of program (S) repeatedly until a condition (B) goes false. A simple way of expressing such an iteration is to adapt the ALGOL 60 while notation:

while B do S

In executing this statement, a computer first tests the condition B. If this is false, S is omitted, and execution of the loop is complete. Otherwise, S is executed and B is tested again. This action is repeated until B is found to be false. The reasoning which leads to a formulation of an inference rule for iteration is as follows. Suppose P to be an assertion which is always true on completion of S, provided that it is also true on initiation. Then obviously P will still be true after any number of iterations of the statement S (even no iterations). Furthermore, it is known that the controlling condition B is false when the iteration finally terminates. A slightly more powerful formulation is possible in light of the fact that B may be assumed to be true on initiation of S:

D3 Rule of Iteration
If $\vdash P \wedge B\{S\}P$ then $\vdash P\{\mathbf{while}\ B\ \mathbf{do}\ S\}\neg B \wedge P$
3.5. EXAMPLE

The axioms quoted above are sufficient to construct the proof of properties of simple programs, for example, a routine intended to find the quotient q and remainder r obtained on dividing x by y. All variables are assumed to range over a set of nonnegative integers conforming to the axioms listed in Table I. For simplicity we use the trivial but inefficient method of successive subtraction. The proposed program is:

$((r := x;\ q := 0);\ \mathbf{while}\ y \leq r\ \mathbf{do}\ (r := r - y;\ q := 1 + q))$

An important property of this program is that when it terminates, we can recover the numerator x by adding to the remainder r the product of the divisor y and the quotient q (i.e. $x = r + y \times q$). Furthermore, the remainder is less than the divisor. These properties may be expressed formally:

$\mathit{true}\ \{Q\}\ \neg y \leq r \wedge x = r + y \times q$

where Q stands for the program displayed above. This expresses a necessary (but not sufficient) condition for the "correctness" of the program.

A formal proof of this theorem is given in Table III. Like all formal proofs, it is excessively tedious, and it would be fairly easy to introduce notational conventions which would significantly shorten it. An even more powerful method of reducing the tedium of formal proofs is to derive general rules for proof construction out of the simple rules accepted as postulates. These general rules would be shown to be valid by demonstrating how every theorem proved with their assistance could equally well (if more tediously) have been proved without. Once a powerful set of supplementary rules has been developed, a "formal proof" reduces to little more than an informal indication of how a formal proof could be constructed.
4. General Reservations

The axioms and rules of inference quoted in this paper have implicitly assumed the absence of side effects of the evaluation of expressions and conditions. In proving properties of programs expressed in a language permitting side effects, it would be necessary to prove their absence in each case before applying the appropriate proof technique. If the main purpose of a high level programming language is to assist in the construction and verification of correct programs, it is doubtful whether the use of functional notation to call procedures with side effects is a genuine advantage.

Another deficiency in the axioms and rules quoted above
is that they give no basis for a proof that a program successfully terminates. Failure to terminate may be due to an infinite loop; or it may be due to violation of an implementation-defined limit, for example, the range of numeric operands, the size of storage, or an operating system time limit. Thus the notation "P{Q}R" should be interpreted "provided that the program successfully terminates, the properties of its results are described by R." It is fairly easy to adapt the axioms so that they cannot be used to predict the "results" of nonterminating programs; but the actual use of the axioms would now depend on knowledge of many implementation-dependent features, for example, the size and speed of the computer, the range of numbers, and the choice of overflow technique. Apart from proofs of the avoidance of infinite loops, it is probably better to prove the "conditional" correctness of a program and rely on an implementation to give a warning if it has had to abandon execution of the program as a result of violation of an implementation limit.

TABLE III

Line number   Formal proof   Justification
1    $\mathit{true} \supset x = x + y \times 0$   Lemma 1
2    $x = x + y \times 0\ \{r := x\}\ x = r + y \times 0$   D0
3    $x = r + y \times 0\ \{q := 0\}\ x = r + y \times q$   D0
4    $\mathit{true}\ \{r := x\}\ x = r + y \times 0$   D1 (1, 2)
5    $\mathit{true}\ \{r := x;\ q := 0\}\ x = r + y \times q$   D2 (4, 3)
6    $x = r + y \times q \wedge y \leq r \supset x = (r - y) + y \times (1 + q)$   Lemma 2
7    $x = (r - y) + y \times (1 + q)\ \{r := r - y\}\ x = r + y \times (1 + q)$   D0
8    $x = r + y \times (1 + q)\ \{q := 1 + q\}\ x = r + y \times q$   D0
9    $x = (r - y) + y \times (1 + q)\ \{r := r - y;\ q := 1 + q\}\ x = r + y \times q$   D2 (7, 8)
10   $x = r + y \times q \wedge y \leq r\ \{r := r - y;\ q := 1 + q\}\ x = r + y \times q$   D1 (6, 9)
11   $x = r + y \times q\ \{\mathbf{while}\ y \leq r\ \mathbf{do}\ (r := r - y;\ q := 1 + q)\}\ \neg y \leq r \wedge x = r + y \times q$   D3 (10)
12   $\mathit{true}\ \{((r := x;\ q := 0);\ \mathbf{while}\ y \leq r\ \mathbf{do}\ (r := r - y;\ q := 1 + q))\}\ \neg y \leq r \wedge x = r + y \times q$   D2 (5, 11)

NOTES
1. The left hand column is used to number the lines, and the right hand column to justify each line, by appealing to an axiom, a lemma or a rule of inference applied to one or two previous lines, indicated in brackets. Neither of these columns is part of the formal proof. For example, line 2 is an instance of the axiom of assignment (D0); line 12 is obtained from lines 5 and 11 by application of the rule of composition (D2).
2. Lemma 1 may be proved from axioms A7 and A8.
3. Lemma 2 follows directly from the theorem proved in Sec. 2.
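A mechanical check of Table III, as an added example in Python that is not from the paper: assertions are written in Python syntax (== for =, * for ×, and/not for ∧/¬), the substitution of D0 and the comparison of assertions go through the ast module so that bracketing is ignored, and each line is accepted only if its cited rule D0 to D3 yields it from the lines it cites. The two lemmas are checked by exhaustive evaluation over the values 0..5, an assumption standing in for their proof from the axioms of Table I.

```python
# Added example (not from the paper): a checker for the formal system
# D0-D3 applied to the proof of Table III.  Assertions use Python syntax
# (== for =, * for X, and/not for the connectives); substitution and
# comparison go through the ast module so that brackets do not matter.
import ast
from itertools import product

VARS = ('x', 'y', 'q', 'r')
DOMAIN = range(6)   # assumption: lemmas are checked exhaustively over 0..5


def norm(assertion):
    """Canonical form of an assertion: parentheses and spacing disappear."""
    return ast.dump(ast.parse(assertion, mode='eval'))


def substitute(assertion, var, expr):
    """D0: P0 is obtained from P by substituting expr for every occurrence of var."""
    replacement = ast.parse(expr, mode='eval').body

    class Sub(ast.NodeTransformer):
        def visit_Name(self, node):
            return replacement if node.id == var else node

    return ast.dump(Sub().visit(ast.parse(assertion, mode='eval')))


def implies(a, b):
    """Finite stand-in for proving a lemma: a implies b at every valuation."""
    for vals in product(DOMAIN, repeat=len(VARS)):
        env = dict(zip(VARS, vals))
        if eval(a, {}, env) and not eval(b, {}, env):
            return False
    return True


def check_line(n, proof):
    """Is line n justified by the rule it cites?  Lines are either
    ('imp', A, B, just) for a lemma A implies B, or ('triple', P, Q, R, just)."""
    kind, *rest = proof[n]
    if kind == 'imp':
        a, b, _ = rest
        return implies(a, b)
    p, q, r, (rule, *cites) = rest
    if rule == 'D0':                                   # axiom of assignment
        op, var, expr = q
        return op == 'assign' and norm(p) == substitute(r, var, expr)
    if rule == 'D1':                                   # rules of consequence
        cited = [proof[c] for c in cites]
        _, a, b, _ = next(ln for ln in cited if ln[0] == 'imp')
        _, tp, tq, tr, _ = next(ln for ln in cited if ln[0] == 'triple')
        if tq != q:
            return False
        weaken_post = norm(a) == norm(tr) and norm(p) == norm(tp) and norm(r) == norm(b)
        strengthen_pre = norm(b) == norm(tp) and norm(p) == norm(a) and norm(r) == norm(tr)
        return weaken_post or strengthen_pre
    if rule == 'D2':                                   # rule of composition
        _, p1, q1, r1, _ = proof[cites[0]]
        _, p2, q2, r2, _ = proof[cites[1]]
        return (q == ('seq', q1, q2) and norm(r1) == norm(p2)
                and norm(p) == norm(p1) and norm(r) == norm(r2))
    if rule == 'D3':                                   # rule of iteration
        _, pb, s, pp, _ = proof[cites[0]]
        op, b, body = q
        return (op == 'while' and body == s and norm(pp) == norm(p)
                and norm(pb) == norm(f'({p}) and ({b})')
                and norm(r) == norm(f'not ({b}) and ({p})'))
    return False


def check_proof(proof):
    """Every line of the proof must be justified."""
    return all(check_line(n, proof) for n in sorted(proof))


# Table III transcribed.  Programs: ('assign', var, expr), ('seq', Q1, Q2),
# ('while', B, S).  Justifications cite the line numbers they depend on.
INIT = ('seq', ('assign', 'r', 'x'), ('assign', 'q', '0'))
BODY = ('seq', ('assign', 'r', 'r - y'), ('assign', 'q', '1 + q'))
LOOP = ('while', 'y <= r', BODY)
INV = 'x == r + y*q'
TABLE_III = {
    1: ('imp', 'True', 'x == x + y*0', ('Lemma 1',)),
    2: ('triple', 'x == x + y*0', ('assign', 'r', 'x'), 'x == r + y*0', ('D0',)),
    3: ('triple', 'x == r + y*0', ('assign', 'q', '0'), INV, ('D0',)),
    4: ('triple', 'True', ('assign', 'r', 'x'), 'x == r + y*0', ('D1', 1, 2)),
    5: ('triple', 'True', INIT, INV, ('D2', 4, 3)),
    6: ('imp', f'{INV} and y <= r', 'x == (r - y) + y*(1 + q)', ('Lemma 2',)),
    7: ('triple', 'x == (r - y) + y*(1 + q)', ('assign', 'r', 'r - y'),
        'x == r + y*(1 + q)', ('D0',)),
    8: ('triple', 'x == r + y*(1 + q)', ('assign', 'q', '1 + q'), INV, ('D0',)),
    9: ('triple', 'x == (r - y) + y*(1 + q)', BODY, INV, ('D2', 7, 8)),
    10: ('triple', f'{INV} and y <= r', BODY, INV, ('D1', 6, 9)),
    11: ('triple', INV, LOOP, f'not y <= r and {INV}', ('D3', 10)),
    12: ('triple', 'True', ('seq', INIT, LOOP), f'not y <= r and {INV}', ('D2', 5, 11)),
}

if __name__ == '__main__':
    for n in sorted(TABLE_III):
        print(n, TABLE_III[n][-1], check_line(n, TABLE_III))
    print('Table III checks:', check_proof(TABLE_III))
```

Because D0 is purely syntactic, a line whose precondition writes the substituted expression as y*(q + 1) instead of y*(1 + q) is rejected, exactly as the text says a finite text either conforms to the pattern or does not.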
Finally it is necessary to list some of the areas which have not been covered: for example, real arithmetic, bit and character manipulation, complex arithmetic, fractional arithmetic, arrays, records, overlay definition, files, input/output, declarations, subroutines, parameters, recursion, and parallel execution. Even the characterization of integer arithmetic is far from complete. There does not appear to be any great difficulty in dealing with these points, provided that the programming language is kept simple. Areas which do present real difficulty are labels and jumps, pointers, and name parameters. Proofs of programs which made use of these features are likely to be elaborate, and it is not surprising that this should be reflected in the complexity of the underlying axioms.
5. Proofs of Program Correctness
The most important property of a program is whether it accomplishes the intentions of its user. If these intentions can be described rigorously by making assertions about the values of variables at the end (or at intermediate points) of the execution of the program, then the techniques described in this paper may be used to prove the correctness of the program, provided that the implementation of the programming language conforms to the axioms and rules which have been used in the proof. This fact itself might also be established by deductive reasoning, using an axiom set which describes the logical properties of the hardware circuits. When the correctness of a program, its compiler, and the hardware of the computer have all been established with mathematical certainty, it will be possible to place great reliance on the results of the program, and predict their properties with a confidence limited only by the reliability of the electronics.

The practice of supplying proofs for nontrivial programs will not become widespread until considerably more powerful proof techniques become available, and even then will not be easy. But the practical advantages of program proving will eventually outweigh the difficulties, in view of the increasing costs of programming error. At present, the method which a programmer uses to convince himself of the correctness of his program is to try it out in particular cases and to modify it if the results produced do not correspond to his intentions. After he has found a reasonably wide variety of example cases on which the program seems to work, he believes that it will always work. The time spent in this program testing is often more than half the time spent on the entire programming project; and with a realistic costing of machine time, two thirds (or more) of the cost of the project is involved in removing errors during this phase.

The cost of removing errors discovered after a program has gone into use is often greater, particularly in the case of items of computer manufacturer's software for which a large part of the expense is borne by the user. And finally, the cost of error in certain types of program may be almost
incalculable: a lost spacecraft, a collapsed building, a crashed aeroplane, or a world war. Thus the practice of program proving is not only a theoretical pursuit, followed in the interests of academic respectability, but a serious recommendation for the reduction of the costs associated with programming error.
The practice of proving programs is likely to alleviate some of the other problems which afflict the computing world. For example, there is the problem of program documentation, which is essential, firstly, to inform a potential user of a subroutine how to use it and what it accomplishes, and secondly, to assist in further development when it becomes necessary to update a program to meet changing circumstances or to improve it in the light of increased knowledge. The most rigorous method of formulating the purpose of a subroutine, as well as the conditions of its proper use, is to make assertions about the values of variables before and after its execution. The proof of the correctness of these assertions can then be used as a lemma in the proof of any program which calls the subroutine. Thus, in a large program, the structure of the whole can be clearly mirrored in the structure of its proof. Furthermore, when it becomes necessary to modify a program, it will always be valid to replace any subroutine by another which satisfies the same criterion of correctness. Finally, when examining the detail of the algorithm, it seems probable that the proof will be helpful in explaining not only what is happening but why.
Another problem which can be solved, insofar as it is soluble, by the practice of program proofs is that of transferring programs from one design of computer to another. Even when written in a so-called machine-independent programming language, many large programs inadvertently take advantage of some machine-dependent property of a particular implementation, and unpleasant and expensive surprises can result when attempting to transfer it to another machine. However, presence of a machine-dependent feature will always be revealed in advance by the failure of an attempt to prove the program from machine-independent axioms. The programmer will then have the choice of formulating his algorithm in a machine-independent fashion, possibly with the help of environment enquiries; or if this involves too much effort or inefficiency, he can deliberately construct a machine-dependent program, and rely for his proof on some machine-dependent axiom, for example, one of the versions of A11 (Section 2). In the latter case, the axiom must be explicitly quoted as one of the preconditions of successful use of the program. The program can still, with complete confidence, be transferred to any other machine which happens to satisfy the same machine-dependent axiom; but if it becomes necessary to transfer it to an implementation which does not, then all the places where changes are required will be clearly annotated by the fact that the proof at that point appeals to the truth of the offending machine-dependent axiom.
Thus the practice of proving programs would seem to lead to solution of three of the most pressing problems in software and programming, namely, reliability, documentation, and compatibility. However, program proving, certainly at present, will be difficult even for programmers of high caliber; and may be applicable only to quite simple program designs. As in other areas, reliability can be purchased only at the price of simplicity.
6. Formal Language Definition
A high level programming language, such as ALGOL, FORTRAN, or COBOL, is usually intended to be implemented on a variety of computers of differing size, configuration, and design. It has been found a serious problem to define these languages with sufficient rigour to ensure compatibility among all implementors. Since the purpose of compatibility is to facilitate interchange of programs expressed in the language, one way to achieve this would be to insist that all implementations of the language shall "satisfy" the axioms and rules of inference which underlie proofs of the properties of programs expressed in the language, so that all predictions based on these proofs will be fulfilled, except in the event of hardware failure. In effect, this is equivalent to accepting the axioms and rules of inference as the ultimately definitive specification of the meaning of the language.
Apart from giving an immediate and possibly even provable criterion for the correctness of an implementation, the axiomatic technique for the definition of programming language semantics appears to be like the formal syntax of the ALGOL 60 report, in that it is sufficiently simple to be understood both by the implementor and by the reasonably sophisticated user of the language. It is only by bridging this widening communication gap in a single document (perhaps even provably consistent) that the maximum advantage can be obtained from a formal language definition.
Another of the great advantages of using an axiomatic approach is that axioms offer a simple and flexible technique for leaving certain aspects of a language undefined, for example, range of integers, accuracy of floating point, and choice of overflow technique. This is absolutely essential for standardization purposes, since otherwise the language will be impossible to implement efficiently on differing hardware designs. Thus a programming language standard should consist of a set of axioms of universal applicability, together with a choice from a set of supplementary axioms describing the range of choices facing an implementor. An example of the use of axioms for this purpose was given in Section 2.
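As an added illustration, not part of Hoare's paper, of two points made above (a proof that appeals to a machine-dependent axiom marks exactly where porting may break, and a standard that leaves overflow to a choice of supplementary axioms), the following Python models the three treatments of overflow that Section 2 describes (strict, firm boundary, modulo) and checks a few triples for the statement x := x + 1 against each; the word size, the claim names and the checker are this example's own constructions.

```python
MAX = 7  # constructed: a tiny word size so every state can be enumerated

def add(x, y, axiom):
    """Model integer addition under one treatment of overflow."""
    r = x + y
    if r <= MAX:
        return r              # no overflow: every treatment agrees here
    if axiom == "strict":
        return None           # strict interpretation: result undefined
    if axiom == "boundary":
        return MAX            # firm boundary: max + 1 = max
    if axiom == "modulo":
        return r % (MAX + 1)  # modulo arithmetic: max + 1 = 0
    raise ValueError(f"unknown overflow treatment {axiom!r}")

def failures(pre, post, axiom):
    """Initial values x0 in 0..MAX for which {pre} x := x + 1 {post}
    fails under `axiom`; an undefined result counts as a failure."""
    bad = []
    for x0 in range(MAX + 1):
        if pre(x0):
            x1 = add(x0, 1, axiom)
            if x1 is None or not post(x0, x1):
                bad.append(x0)
    return bad

CLAIMS = {  # constructed claims: name -> (precondition, postcondition)
    # assumes unbounded arithmetic, which no finite machine satisfies
    "exact, pre x <= max": (lambda x: x <= MAX,
                            lambda x0, x1: x1 == x0 + 1),
    # relies on the modulo treatment, as a wrapping counter would
    "wrap, pre x <= max": (lambda x: x <= MAX,
                           lambda x0, x1: x1 == (x0 + 1) % (MAX + 1)),
    # precondition strengthened so overflow cannot occur: provable from
    # the universal axioms alone, hence portable to every treatment
    "exact, pre x < max": (lambda x: x < MAX,
                           lambda x0, x1: x1 == x0 + 1),
}

def proof_report():
    """Map each claim to the x0 values that break it under each
    treatment; an empty list means the triple holds for every x0."""
    return {name: {axiom: failures(pre, post, axiom)
                   for axiom in ("strict", "boundary", "modulo")}
            for name, (pre, post) in CLAIMS.items()}

if __name__ == "__main__":
    for name, by_axiom in proof_report().items():
        print(name, by_axiom)
```

The report shows that only the claim whose precondition excludes overflow holds under every treatment, while the wrapping claim holds under the modulo axiom alone, which is the machine-dependent precondition Hoare says must be quoted explicitly.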
Another of the objectives of formal language definition is to assist in the design of better programming languages. The regularity, clarity, and ease of implementation of the ALGOL 60 syntax may at least in part be due to the use of an elegant formal technique for its definition. The use of axioms may lead to similar advantages in the area of "semantics," since it seems likely that a language which can
be described by a few "self-evident" axioms from which
proofs will be relatively easy to construct will be preferable
to a language with many obscure axioms which are dif-
ficult to apply in proofs. Furthermore, axioms enable the
language designer to express his general i n t e n t io n s quite
simply and directly, without the mass of detail which
usually accompanies algorithmic descriptions. Finally, ax-
ioms can be formulated in a manner largely independent
of each other, so that the designer can work freely on one
axiom or group of axioms without fear of unexpected in-
teraction effects with other parts of the language.
Acknowledgments. Many axiomatic treatments of computer programming [1, 2, 3] tackle the problem of proving the equivalence, rather than the correctness, of algorithms. Other approaches [4, 5] take recursive functions rather than programs as a starting point for the theory. The suggestion to use axioms for defining the primitive operations of a computer appears in [6, 7]. The importance of program proofs is clearly emphasized in [9], and an informal technique for providing them is described. The suggestion that the specification of proof techniques provides an adequate formal definition of a programming language first appears in [8]. The formal treatment of program execution presented in this paper is clearly derived from Floyd. The main contributions of the author appear to be: (1) a suggestion that axioms may provide a simple solution to the problem of leaving certain aspects of a language undefined; (2) a comprehensive evaluation of the possible benefits to be gained by adopting this approach both for program proving and for formal language definition.
However, the formal material presented here has only an expository status and represents only a minute proportion of what remains to be done. It is hoped that many other fascinating problems involved will be taken up by others.
RECEIVED NOVEMBER, 1968; REVISED MAY, 1969
REFERENCES
1. YANOV, Yu. I. Logical operator schemes. Kybernetika 1 (1958).
2. IGARASHI, S. An axiomatic approach to equivalence problem of algorithms with applications. Ph.D. Thesis 1964. Rep. Compt. Centre, U. Tokyo, 1968, pp. 1-101.
3. DE BAKKER, J. W. Axiomatics of simple assignment statements. M.R. 94, Mathematisch Centrum, Amsterdam, June 1968.
4. McCARTHY, J. Towards a mathematical theory of computation. Proc. IFIP Cong. 1962, North Holland Pub. Co., Amsterdam, 1963.
5. BURSTALL, R. Proving properties of programs by structural induction. Experimental Programming Reports: No. 17 DMIP, Edinburgh, Feb. 1968.
6. VAN WIJNGAARDEN, A. Numerical analysis as an independent science. BIT 6 (1966), 66-81.
7. LASKI, J. Sets and other types. ALGOL Bull. 27, 1968.
8. FLOYD, R. W. Assigning meanings to programs. Proc. Amer. Math. Soc. Symposia in Applied Mathematics, Vol. 19, pp. 19-31.
9. NAUR, P. Proof of algorithms by general snapshots. BIT 6 (1966), 310-316.
Communications of the ACM, Volume 12 / Number 10 / October, 1969