An Axiomatic Basis for Computer Programming

C. A. R. HOARE
The Queen's University of Belfast,* Northern Ireland

In this paper an attempt is made to explore the logical foundations of computer programming by use of techniques which were first applied in the study of geometry and have later been extended to other branches of mathematics. This involves the elucidation of sets of axioms and rules of inference which can be used in proofs of the properties of computer programs. Examples are given of such axioms and rules, and a formal proof of a simple theorem is displayed. Finally, it is argued that important advantages, both theoretical and practical, may follow from a pursuance of these topics.

KEY WORDS AND PHRASES: axiomatic method, theory of programming, proofs of programs, formal language definition, programming language design, machine-independent programming, program documentation
CR CATEGORY: 4.0, 4.21, 4.22, 5.20, 5.21, 5.23, 5.24

1. Introduction

Computer programming is an exact science in that all the properties of a program and all the consequences of executing it in any given environment can, in principle, be found out from the text of the program itself by means of purely deductive reasoning. Deductive reasoning involves the application of valid rules of inference to sets of valid axioms. It is therefore desirable and interesting to elucidate the axioms and rules of inference which underlie our reasoning about computer programs. The exact choice of axioms will to some extent depend on the choice of programming language. For illustrative purposes, this paper is confined to a very simple language, which is effectively a subset of all current procedure-oriented languages.

2. Computer Arithmetic

The first requirement in valid reasoning about a program is to know the properties of the elementary operations which it invokes, for example, addition and multiplication of integers.
Unfortunately, in several respects computer arithmetic is not the same as the arithmetic familiar to mathematicians, and it is necessary to exercise some care in selecting an appropriate set of axioms. For example, the axioms displayed in Table I are rather a small selection of axioms relevant to integers. From this incomplete set of axioms it is possible to deduce such simple theorems as:

    $x = x + y \times 0$
    $y \le r \supset r + y \times q = (r - y) + y \times (1 + q)$

The proof of the second of these is:

    A5    $(r - y) + y \times (1 + q) = (r - y) + (y \times 1 + y \times q)$
    A9    $= (r - y) + (y + y \times q)$
    A3    $= ((r - y) + y) + y \times q$
    A6    $= r + y \times q$    provided $y \le r$

The axioms A1 to A9 are, of course, true of the traditional infinite set of integers in mathematics. However, they are also true of the finite sets of "integers" which are manipulated by computers provided that they are confined to nonnegative numbers. Their truth is independent of the size of the set; furthermore, it is largely independent of the choice of technique applied in the event of "overflow"; for example:

(1) Strict interpretation: the result of an overflowing operation does not exist; when overflow occurs, the offending program never completes its operation. Note that in this case, the equalities of A1 to A9 are strict, in the sense that both sides exist or fail to exist together.

(2) Firm boundary: the result of an overflowing operation is taken as the maximum value represented.

(3) Modulo arithmetic: the result of an overflowing operation is computed modulo the size of the set of integers represented.

These three techniques are illustrated in Table II by addition and multiplication tables for a trivially small model in which 0, 1, 2, and 3 are the only integers represented.

It is interesting to note that the different systems satisfying axioms A1 to A9 may be rigorously distinguished from each other by choosing a particular one of a set of mutually exclusive supplementary axioms.

* Department of Computer Science
For example, infinite arithmetic satisfies the axiom:

    A10_I    $\neg\exists x\,\forall y\,(y \le x)$,

where all finite arithmetics satisfy:

    A10_F    $\forall x\,(x \le \mathit{max})$

where "max" denotes the largest integer represented. Similarly, the three treatments of overflow may be distinguished by a choice of one of the following axioms relating to the value of max + 1:

    A11_S    $\neg\exists x\,(x = \mathit{max} + 1)$    (strict interpretation)
    A11_B    $\mathit{max} + 1 = \mathit{max}$          (firm boundary)
    A11_M    $\mathit{max} + 1 = 0$                      (modulo arithmetic)

Having selected one of these axioms, it is possible to use it in deducing the properties of programs; however,

576    Communications of the ACM    Volume 12 / Number 10 / October, 1969
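The three overflow treatments and the distinguishing axioms A11_S, A11_B and A11_M, worked as an added Python model of the 4-element arithmetic (0, 1, 2, 3) described above; this is illustration added here, not code from the paper. Tables I and II are not reproduced on this page, so the full list A1 to A9 is assumed from the paper itself (the page cites only A3, A5, A6, A7, A8 and A9 by number), and equality is read strictly, as the text describes for the strict interpretation: both sides exist and agree, or both fail to exist.

```python
from itertools import product

MAX = 3  # the trivially small model: 0, 1, 2 and 3 are the only integers represented
POLICIES = ("strict", "firm", "modulo")


def overflow(v, policy):
    """Apply one of the three overflow treatments to an exact result v >= 0.
    None stands for "the result does not exist" (strict interpretation)."""
    if v <= MAX:
        return v
    if policy == "strict":
        return None            # the offending operation never completes
    if policy == "firm":
        return MAX             # firm boundary: the maximum value represented
    if policy == "modulo":
        return v % (MAX + 1)   # modulo the size of the set of integers represented
    raise ValueError(policy)


def add(x, y, policy):
    """x + y; a nonexistent operand makes the result nonexistent too."""
    if x is None or y is None:
        return None
    return overflow(x + y, policy)


def mul(x, y, policy):
    """x * y under the same convention for nonexistent operands."""
    if x is None or y is None:
        return None
    return overflow(x * y, policy)


def sub(x, y):
    """x - y, defined only under the proviso y <= x used by axiom A6 (no overflow)."""
    if x is None or y is None or y > x:
        return None
    return x - y


# A1..A9 as assumed from the paper's Table I (not reproduced on this page).  Each entry
# maps (x, y, z, policy) to the two sides of the equation; A6 returns None when its
# proviso y <= x fails, meaning "nothing to check" for that triple.
AXIOMS = {
    "A1": lambda x, y, z, p: (add(x, y, p), add(y, x, p)),
    "A2": lambda x, y, z, p: (mul(x, y, p), mul(y, x, p)),
    "A3": lambda x, y, z, p: (add(add(x, y, p), z, p), add(x, add(y, z, p), p)),
    "A4": lambda x, y, z, p: (mul(mul(x, y, p), z, p), mul(x, mul(y, z, p), p)),
    "A5": lambda x, y, z, p: (mul(x, add(y, z, p), p), add(mul(x, y, p), mul(x, z, p), p)),
    "A6": lambda x, y, z, p: (add(sub(x, y), y, p), x) if y <= x else None,
    "A7": lambda x, y, z, p: (add(x, 0, p), x),
    "A8": lambda x, y, z, p: (mul(x, 0, p), 0),
    "A9": lambda x, y, z, p: (mul(x, 1, p), x),
}


def counterexamples(policy):
    """Exhaustively check A1..A9 over the model under one overflow policy.
    Returns {axiom: [(x, y, z), ...]} containing the failing cases only."""
    failures = {}
    for name, rule in AXIOMS.items():
        for x, y, z in product(range(MAX + 1), repeat=3):
            sides = rule(x, y, z, policy)
            if sides is not None and sides[0] != sides[1]:
                failures.setdefault(name, []).append((x, y, z))
    return failures


def supplementary_axiom(policy):
    """Which of A11_S, A11_B, A11_M the model satisfies, i.e. what max + 1 becomes."""
    succ = add(MAX, 1, policy)
    if succ is None:
        return "A11_S"         # there is no x with x = max + 1
    if succ == MAX:
        return "A11_B"         # max + 1 = max
    if succ == 0:
        return "A11_M"         # max + 1 = 0
    raise AssertionError(succ)


def table(op, policy):
    """Addition ('+') or multiplication ('*') table in the shape of the paper's Table II;
    a '*' cell marks a result that does not exist under the strict interpretation."""
    f = add if op == "+" else mul
    rows = []
    for x in range(MAX + 1):
        rows.append(["*" if c is None else str(c)
                     for c in (f(x, y, policy) for y in range(MAX + 1))])
    return rows


if __name__ == "__main__":
    for p in POLICIES:
        print(p, supplementary_axiom(p), "failing axioms:", sorted(counterexamples(p)))
        for row in table("+", p):
            print("   ", " ".join(row))
```

Running the check shows what "largely independent" hedges: the firm-boundary and modulo models satisfy all nine axioms, while under the strict reading of equality A4 and A5 have zero-operand counterexamples (0 × (2 + 2) does not exist, but 0 × 2 + 0 × 2 = 0).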
In addition to axioms, a deductive science requires at least one rule of inference, which permits the deduction of new theorems from one or more axioms or theorems already proved. A rule of inference takes the form "If $\vdash X$ and $\vdash Y$ then $\vdash Z$", i.e. if assertions of the form X and Y have been proved as theorems, then Z also is thereby proved as a theorem. The simplest example of an inference rule states that if the execution of a program Q ensures the truth of the assertion R, then it also ensures the truth of every assertion logically implied by R. Also, if P is known to be a precondition for a program Q to produce result R, then so is any other assertion which logically implies P. These rules may be expressed more formally:

D1 Rules of Consequence
    If $\vdash P\{Q\}R$ and $\vdash R \supset S$ then $\vdash P\{Q\}S$
    If $\vdash P\{Q\}R$ and $\vdash S \supset P$ then $\vdash S\{Q\}R$
3.3. Rule of Composition

A program generally consists of a sequence of statements which are executed one after another. The statements may be separated by a semicolon or equivalent symbol denoting procedural composition: $(Q_1;\ Q_2;\ \ldots;\ Q_n)$. In order to avoid the awkwardness of dots, it is possible to deal initially with only two statements $(Q_1;\ Q_2)$, since longer sequences can be reconstructed by nesting, thus $(Q_1;\ (Q_2;\ (\ldots (Q_{n-1};\ Q_n) \ldots)))$. The removal of the brackets of this nest may be regarded as convention based on the associativity of the ";-operator", in the same way as brackets are removed from an arithmetic expression $(t_1 + (t_2 + (\ldots (t_{n-1} + t_n) \ldots)))$.

The inference rule associated with composition states that if the proven result of the first part of a program is identical with the precondition under which the second part of the program produces its intended result, then the whole program will produce the intended result, provided that the precondition of the first part is satisfied. In more formal terms:

D2 Rule of Composition
    If $\vdash P\{Q_1\}R_1$ and $\vdash R_1\{Q_2\}R$ then $\vdash P\{(Q_1;\ Q_2)\}R$
3.4. Rule of Iteration

The essential feature of a stored program computer is the ability to execute some portion of program (S) repeatedly until a condition (B) goes false. A simple way of expressing such an iteration is to adapt the ALGOL 60 while notation:

    while B do S

In executing this statement, a computer first tests the condition B. If this is false, S is omitted, and execution of the loop is complete. Otherwise, S is executed and B is tested again. This action is repeated until B is found to be false. The reasoning which leads to a formulation of an inference rule for iteration is as follows. Suppose P to be an assertion which is always true on completion of S, provided that it is also true on initiation. Then obviously P will still be true after any number of iterations of the statement S (even no iterations). Furthermore, it is known that the controlling condition B is false when the iteration finally terminates. A slightly more powerful formulation is possible in light of the fact that B may be assumed to be true on initiation of S:

D3 Rule of Iteration
    If $\vdash P \wedge B\{S\}P$ then $\vdash P\{\mathbf{while}\ B\ \mathbf{do}\ S\}\neg B \wedge P$
3.5. Example

The axioms quoted above are sufficient to construct the proof of properties of simple programs, for example, a routine intended to find the quotient q and remainder r obtained on dividing x by y. All variables are assumed to range over a set of nonnegative integers conforming to the axioms listed in Table I. For simplicity we use the trivial but inefficient method of successive subtraction. The proposed program is:

    ((r := x; q := 0); while y ≤ r do (r := r − y; q := 1 + q))

An important property of this program is that when it terminates, we can recover the numerator x by adding to the remainder r the product of the divisor y and the quotient q (i.e. $x = r + y \times q$). Furthermore, the remainder is less than the divisor. These properties may be expressed formally:

    $\mathrm{true}\ \{Q\}\ \neg y \le r \wedge x = r + y \times q$

where Q stands for the program displayed above. This expresses a necessary (but not sufficient) condition for the "correctness" of the program.

A formal proof of this theorem is given in Table III. Like all formal proofs, it is excessively tedious, and it would be fairly easy to introduce notational conventions which would significantly shorten it. An even more powerful method of reducing the tedium of formal proofs is to derive general rules for proof construction out of the simple rules accepted as postulates. These general rules would be shown to be valid by demonstrating how every theorem proved with their assistance could equally well (if more tediously) have been proved without. Once a powerful set of supplementary rules has been developed, a "formal proof" reduces to little more than an informal indication of how a formal proof could be constructed.
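The division routine of this section, run as an added Python example (not the paper's code, which is in an ALGOL-like notation) with the assertions of Table III checked at each step: the invariant $x = r + y \times q$, the premise $P \wedge B$ before S, and $\neg B \wedge P$ on exit. The step bound is an addition of mine: the triple is read "provided the program terminates" (Section 4), and y = 0 is the case it cannot exclude.

```python
class NonTermination(Exception):
    """The loop exceeded its step bound.  The triple true {Q} not(y <= r) and x = r + y*q
    says nothing about this run: it is read 'provided the program terminates'."""


def check(condition, what):
    """Run-time counterpart of an assertion in the proof: fail loudly if it is violated."""
    if not condition:
        raise AssertionError("assertion violated: " + what)


def divide(x, y, max_steps=10_000):
    """Quotient and remainder of x by y by Hoare's successive-subtraction program
        ((r := x; q := 0); while y <= r do (r := r - y; q := 1 + q))
    with the assertions of Table III checked as the program runs:
        P: x = r + y*q   (the loop invariant of lines 10 and 11)
        B: y <= r        (the controlling condition)
    On exit the proved result is not B and P, i.e. r < y and x = r + y*q."""
    check(x >= 0 and y >= 0, "all variables range over nonnegative integers")
    r, q = x, 0                          # (r := x; q := 0): line 5, true {..} P
    P = lambda: x == r + y * q           # the invariant, evaluated on the current state
    check(P(), "P on initiation of the loop")
    steps = 0
    while y <= r:                        # B
        check(P() and y <= r, "P and B before S (premise of D3)")
        # S = (r := r - y; q := 1 + q); the simultaneous form is equivalent here
        # because the new q does not depend on the new r.
        r, q = r - y, 1 + q
        check(P(), "P after S (conclusion of line 10)")
        steps += 1
        if steps > max_steps:
            # y = 0 never makes B false: a run the axioms alone cannot rule out.
            raise NonTermination("loop did not terminate within %d steps" % max_steps)
    check(not (y <= r) and P(), "not B and P on exit (line 11)")
    return q, r


def terminates(x, y, max_steps=100):
    """True if the program halts within max_steps iterations of the loop body."""
    try:
        divide(x, y, max_steps)
        return True
    except NonTermination:
        return False


def run_many(limit):
    """For every 0 <= x < limit and 1 <= y < limit, confirm that the proved
    postcondition pins the result down to q = x // y and r = x % y."""
    for x in range(limit):
        for y in range(1, limit):
            if divide(x, y) != divmod(x, y):
                return False
    return True


if __name__ == "__main__":
    print(divide(17, 5))                 # (3, 2): 17 = 2 + 5*3 and 2 < 5
    print(run_many(50))                  # True
    print(terminates(5, 0))              # False: the case the triple does not cover
```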
4. General Reservations

The axioms and rules of inference quoted in this paper have implicitly assumed the absence of side effects of the evaluation of expressions and conditions. In proving properties of programs expressed in a language permitting side effects, it would be necessary to prove their absence in each case before applying the appropriate proof technique. If the main purpose of a high level programming language is to assist in the construction and verification of correct programs, it is doubtful whether the use of functional notation to call procedures with side effects is a genuine advantage.

Another deficiency in the axioms and rules quoted above
is that they give no basis for a proof that a program successfully terminates. Failure to terminate may be due to an infinite loop; or it may be due to violation of an implementation-defined limit, for example, the range of numeric operands, the size of storage, or an operating system time limit. Thus the notation "$P\{Q\}R$" should be interpreted "provided that the program successfully terminates, the properties of its results are described by R." It is fairly easy to adapt the axioms so that they cannot be used to predict the "results" of nonterminating programs; but the actual use of the axioms would now depend on knowledge of many implementation-dependent features, for example, the size and speed of the computer, the range of numbers, and the choice of overflow technique. Apart from proofs of the avoidance of infinite loops, it is probably better to prove the "conditional" correctness of a program and rely on an implementation to give a warning if it has had to abandon execution of the program as a result of violation of an implementation limit.

TABLE III

Line number    Formal proof                                                                                        Justification
 1    $\mathrm{true} \supset x = x + y \times 0$                                                                    Lemma 1
 2    $x = x + y \times 0\ \{r := x\}\ x = r + y \times 0$                                                          D0
 3    $x = r + y \times 0\ \{q := 0\}\ x = r + y \times q$                                                          D0
 4    $\mathrm{true}\ \{r := x\}\ x = r + y \times 0$                                                               D1 (1, 2)
 5    $\mathrm{true}\ \{r := x;\ q := 0\}\ x = r + y \times q$                                                      D2 (4, 3)
 6    $x = r + y \times q \wedge y \le r \supset x = (r - y) + y \times (1 + q)$                                    Lemma 2
 7    $x = (r - y) + y \times (1 + q)\ \{r := r - y\}\ x = r + y \times (1 + q)$                                    D0
 8    $x = r + y \times (1 + q)\ \{q := 1 + q\}\ x = r + y \times q$                                                D0
 9    $x = (r - y) + y \times (1 + q)\ \{r := r - y;\ q := 1 + q\}\ x = r + y \times q$                             D2 (7, 8)
10    $x = r + y \times q \wedge y \le r\ \{r := r - y;\ q := 1 + q\}\ x = r + y \times q$                          D1 (6, 9)
11    $x = r + y \times q\ \{\mathbf{while}\ y \le r\ \mathbf{do}\ (r := r - y;\ q := 1 + q)\}\ \neg y \le r \wedge x = r + y \times q$    D3 (10)
12    $\mathrm{true}\ \{((r := x;\ q := 0);\ \mathbf{while}\ y \le r\ \mathbf{do}\ (r := r - y;\ q := 1 + q))\}\ \neg y \le r \wedge x = r + y \times q$    D2 (5, 11)

NOTES

1. The left hand column is used to number the lines, and the right hand column to justify each line, by appealing to an axiom, a lemma or a rule of inference applied to one or two previous lines, indicated in brackets. Neither of these columns is part of the formal proof. For example, line 2 is an instance of the axiom of assignment (D0); line 12 is obtained from lines 5 and 11 by application of the rule of composition (D2).
2. Lemma 1 may be proved from axioms A7 and A8.
3. Lemma 2 follows directly from the theorem proved in Sec. 2.

Finally it is necessary to list some of the areas which have not been covered: for example, real arithmetic, bit and character manipulation, complex arithmetic, fractional arithmetic, arrays, records, overlay definition, files, input/output, declarations, subroutines, parameters, recursion, and parallel execution. Even the characterization of integer arithmetic is far from complete. There does not appear to be any great difficulty in dealing with these points, provided that the programming language is kept simple. Areas which do present real difficulty are labels and jumps, pointers, and name parameters. Proofs of programs which made use of these features are likely to be elaborate, and it is not surprising that this should be reflected in the complexity of the underlying axioms.
5. Proofs of Program Correctness

The most important property of a program is whether it accomplishes the intentions of its user. If these intentions can be described rigorously by making assertions about the values of variables at the end (or at intermediate points) of the execution of the program, then the techniques described in this paper may be used to prove the correctness of the program, provided that the implementation of the programming language conforms to the axioms and rules which have been used in the proof. This fact itself might also be established by deductive reasoning, using an axiom set which describes the logical properties of the hardware circuits. When the correctness of a program, its compiler, and the hardware of the computer have all been established with mathematical certainty, it will be possible to place great reliance on the results of the program, and predict their properties with a confidence limited only by the reliability of the electronics.

The practice of supplying proofs for nontrivial programs will not become widespread until considerably more powerful proof techniques become available, and even then will not be easy. But the practical advantages of program proving will eventually outweigh the difficulties, in view of the increasing costs of programming error. At present, the method which a programmer uses to convince himself of the correctness of his program is to try it out in particular cases and to modify it if the results produced do not correspond to his intentions. After he has found a reasonably wide variety of example cases on which the program seems to work, he believes that it will always work. The time spent in this program testing is often more than half the time spent on the entire programming project; and with realistic costing of machine time, two thirds (or more) of the cost of the project is involved in removing errors during this phase.

The cost of removing errors discovered after a program has gone into use is often greater, particularly in the case of items of computer manufacturer's software for which a large part of the expense is borne by the user. And finally, the cost of error in certain types of program may be almost
i n e a l c u l a b l e - - a l o s t s p a c e c r a f t , a c o l l a p s e d b u i l d i n g , a
c r a s h e d a e r o p l a n e , o r a w o r l d w a r . T h u s t h e p r a c t i c e o f
p r o g r a m p r o v i n g i s n o t o n l y a t h e o r e t i c a l p u r s u it , f o l l o w e d
i n t h e i n t e r e s t s o f a c a d e m i c r e s p e c t a b i l i t y , b u t a s e ri o u s
r e c o m m e n d a t i o n f o r th e r e d u c t i o n o f t h e c o s t s a s s o c i a t e d
w i t h p r o g r a m m i n g e r r o r .
T h e p r a c t i c e o f p r o v i n g p r o g r a m s i s l i k e l y t o a l l e v i a t e
s o m e o f t h e o t h e r p r o b l e m s w h i c h a f fl ic t t h e c o m p u t i n g
w o r l d . F o r e x a m p l e , t h e r e i s t h e p r o b l e m o f p r o g r a m d o c u -
m e n t a t i o n , w h i c h i s e s s e n t i a l , f i r s t l y , t o i n f o r m a p o t e n t i a l
u s e r o f a s u b r o u t i n e h o w t o u s e it a n d w h a t i t a c c o m p l i s h e s,
a n d s e c o n d ly , t o a s s is t in f u r t h e r d e v e l o p m e n t w h e n i t
b e c o m e s n e c e s s a r y t o u p d a t e a p r o g r a m t o m e e t c h a n g i n g
c i r c u m s t a n c e s o r t o i m p r o v e i t i n t h e l i g h t o f i n c r e a s e d
k n o w l e d g e . T h e m o s t r ig o r o u s m e t h o d o f f o r m u l a t i n g t h e
p u r p o s e o f a s u b r o u t i n e , a s w e l l a s t h e c o n d i t i o n s o f i t s
p r o p e r u s e , is t o m a k e a s s e r ti o n s a b o u t t h e v a l u e s o f v a r i-
a b l es b e f o r e a n d a f t e r i t s e x e c u t io n . T h e p r o o f o f th e c o r -
r e c t n e s s o f t h e s e a s s e r ti o n s c a n t h e n b e u s e d a s a l e m m a i n
t h e p r o o f o f a n y p r o g r a m w h i c h c a l ls t h e s u b r o u t i n e . T h u s ,
i n a l a rg e p r o g r a m , t h e s t r u c t u r e o f t h e w h o l e c a n b e c l e a rl y
m i r r o r e d i n t h e s t r u c t u r e o f i t s p r o o f . F u r t h e r m o r e , w h e ni t b e c o m e s n e c e s s a r y t o m o d i f y a p r o g r a m , i t w i ll a l w a y s b e
v a l i d t o r e p l a c e a n y s u b r o u t i n e b y a n o t h e r w h i c h s a t i s f i e s
t h e s a m e c r i t e ri o n o f c o r r e c tn e s s . F i n a l ly , w h e n e x a m i n i n g
t h e d e t a i l o f t h e a l g o r i t h m , i t s e e m s p r o b a b l e t h a t t h e p r o o f
w i l l b e h e l p f u l i n e x p l a i n i n g n o t o n l y what i s h a p p e n i n g
b u t why.
Another problem which can be solved, insofar as it is soluble, by the practice of program proofs is that of transferring programs from one design of computer to another. Even when written in a so-called machine-independent programming language, many large programs inadvertently take advantage of some machine-dependent property of a particular implementation, and unpleasant and expensive surprises can result when attempting to transfer it to another machine. However, presence of a machine-dependent feature will always be revealed in advance by the failure of an attempt to prove the program from machine-independent axioms. The programmer will then have the choice of formulating his algorithm in a machine-independent fashion, possibly with the help of environment enquiries; or if this involves too much effort or inefficiency, he can deliberately construct a machine-dependent program, and rely for his proof on some machine-dependent axiom, for example, one of the versions of A11 (Section 2). In the latter case, the axiom must be explicitly quoted as one of the preconditions of successful use of the program. The program can still, with complete confidence, be transferred to any other machine which happens to satisfy the same machine-dependent axiom; but if it becomes necessary to transfer it to an implementation which does not, then all the places where changes are required will be clearly annotated by the fact that the proof at that point appeals to the truth of the offending machine-dependent axiom.
Thus the practice of proving programs would seem to lead to solution of three of the most pressing problems in software and programming, namely, reliability, documentation, and compatibility. However, program proving, certainly at present, will be difficult even for programmers of high caliber; and may be applicable only to quite simple program designs. As in other areas, reliability can be purchased only at the price of simplicity.
6. Formal Language Definition
A high level programming language, such as ALGOL, FORTRAN, or COBOL, is usually intended to be implemented on a variety of computers of differing size, configuration, and design. It has been found a serious problem to define these languages with sufficient rigour to ensure compatibility among all implementors. Since the purpose of compatibility is to facilitate interchange of programs expressed in the language, one way to achieve this would be to insist that all implementations of the language shall "satisfy" the axioms and rules of inference which underlie proofs of the properties of programs expressed in the language, so that all predictions based on these proofs will be fulfilled, except in the event of hardware failure. In effect, this is equivalent to accepting the axioms and rules of inference as the ultimately definitive specification of the meaning of the language.
Apart from giving an immediate and possibly even provable criterion for the correctness of an implementation, the axiomatic technique for the definition of programming language semantics appears to be like the formal syntax of the ALGOL 60 report, in that it is sufficiently simple to be understood both by the implementor and by the reasonably sophisticated user of the language. It is only by bridging this widening communication gap in a single document (perhaps even provably consistent) that the maximum advantage can be obtained from a formal language definition.
Another of the great advantages of using an axiomatic approach is that axioms offer a simple and flexible technique for leaving certain aspects of a language undefined, for example, range of integers, accuracy of floating point, and choice of overflow technique. This is absolutely essential for standardization purposes, since otherwise the language will be impossible to implement efficiently on differing hardware designs. Thus a programming language standard should consist of a set of axioms of universal applicability, together with a choice from a set of supplementary axioms describing the range of choices facing an implementor. An example of the use of axioms for this purpose was given in Section 2.
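As an added illustration, not code from Hoare's paper, of the machine-dependent axioms discussed at the end of Section 5 and of the universal-plus-supplementary axiom scheme recommended above: a model of the nonnegative computer arithmetic of Section 2 under its three overflow techniques, on which the machine-independent axioms hold for every machine while exactly one version of A11 holds for each, and a deliberately machine-dependent program meets its specification only where the axiom its proof appeals to is true. The value of MAXINT, the function names, and the formulation of the A11 versions from the three overflow rules are assumptions of the example.

```python
from itertools import product

MAXINT = 3                 # constructed: the paper's tiny model has the integers 0..3
INTS = range(MAXINT + 1)

def clip(v, mode):
    """Map an unbounded nonnegative result into the machine's represented integers."""
    if v <= MAXINT:
        return v
    if mode == "strict":   # result does not exist; the program never completes
        return None
    if mode == "firm":     # firm boundary: the maximum value represented
        return MAXINT
    return v % (MAXINT + 1)  # modulo the size of the represented set

def add(x, y, mode):
    return None if x is None or y is None else clip(x + y, mode)
def mul(x, y, mode):
    return None if x is None or y is None else clip(x * y, mode)

# Machine-independent axioms from the paper's Table I, checked exhaustively over the
# model.  Under the strict interpretation both sides exist (and agree) or fail together.
AXIOMS = {
    "A1": lambda x, y, z, m: add(x, y, m) == add(y, x, m),
    "A3": lambda x, y, z, m: add(add(x, y, m), z, m) == add(x, add(y, z, m), m),
    "A6": lambda x, y, z, m: y > x or add(x - y, y, m) == x,
    "A9": lambda x, y, z, m: mul(x, 1, m) == x,
}

def failing_axioms(mode):
    """Machine-independent axioms that have a counterexample on this machine."""
    return sorted(name for name, ax in AXIOMS.items()
                  if not all(ax(x, y, z, mode) for x, y, z in product(INTS, repeat=3)))

# Mutually exclusive supplementary axioms (one version of A11 per overflow technique),
# formulated here (an assumption) from what Section 2 says maxint + 1 yields.
A11 = {
    "strict": lambda m: add(MAXINT, 1, m) is None,
    "firm":   lambda m: add(MAXINT, 1, m) == MAXINT,
    "modulo": lambda m: add(MAXINT, 1, m) == 0,
}

def satisfied_a11(mode):
    """The versions of A11 that hold on this machine (exactly one, as the paper notes)."""
    return [version for version in A11 if A11[version](mode)]

def wraparound_counter_correct(mode):
    """A deliberately machine-dependent program: a counter specified to step from MAXINT
    back to 0.  Its proof appeals to the modulo version of A11, which must therefore be
    quoted as a precondition; the specification holds only where that axiom does."""
    return all(add(c, 1, mode) == (c + 1) % (MAXINT + 1) for c in INTS)
```

Transferring the counter to a firm-boundary or strict machine makes `wraparound_counter_correct` false, which is exactly the proof step that would flag the required change.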
Another of the objectives of formal language definition is to assist in the design of better programming languages. The regularity, clarity, and ease of implementation of the ALGOL 60 syntax may at least in part be due to the use of an elegant formal technique for its definition. The use of axioms may lead to similar advantages in the area of "semantics," since it seems likely that a language which can
(Continued on p. 583)
580   Communications of the ACM   Volume 12 / Number 10 / October, 1969