• Home

  • Documents

  • Hoare - An Axiomatic Basis for Computer Programming
6
An Axiomatic Basis for Computer Programming C. A. R. HOARE The Queen's University of Belfast,* Northern Ireland In this paper an attempt is made to explore the logical founda- tions of com puter programm ing by use of techniques which were first applied in the study of geometry and have later been extended to other branches of mathematics. This in- volves the elucidation of sets of axioms and rules of inference which can be used in proofs of the properties of computer programs. Examples are given of such axioms and rules, and a formal proof o f a simple theorem is displayed. Finally, it is argued that important advantages, both theoretical and prac- tical, may follow from a pursuance of these topics. KEY WOR DS AND PHRASES: axiomatic method, theory of programming' proofs of programs, form al langu age definition, programming language design, machine-independent programming, program documentat ion CR CATEGORY: 4.0, 4.21,4.22, 5.20, 5.21,5.23, 5.24 1. Introduction Com puter programming is an exact science in that all the properties of a program and all the consequences of executing it in any given environment can, in principle, be found out from the text of the program itself by means of purely deductive reasoning. Deductive reasoning in- volves the application of valid rules of inference to sets of valid axioms. It is therefore desirable and interesting to elucidate the axioms and rules of inference which underlie our reasoning about computer programs. The exact choice of axioms will to some extent depend on the choice of programming language. For illustrative purposes, this paper is confined to a very simple language, which is effec- tively a subset of all eurrent procedure-oriented languages. 2. Computer Arithmetic The first requirement in valid reasoning about a pro- gram is to know the properties of the elementary operations which it invokes, for example, addition and multiplication of integers. Unfortunately, in several respects computer arithmetic is not the same as the arithmetic familiar to mathematicians, and it is necessary to exercise some care in selecting an appropriate set of axioms. For example, the axioms displayed in Table I are rather a small selection of axioms relevant to integers. From this incomplete set * Depurtment of Computer Science of axioms it is possible to deduce such simple theorem s as: x=x+yXO y<r ~r +y X q = (r- y) +y X (1 +q) The proof of the second of these is: A5 (r--y) + y X (l+q) = (r--y)+ (yXl+yXq) A9 = (r-- y) + (y +y X q) A 3 = ((r--y)+y)+yXq A6 = r + y X q providedy < r The axioms A1 to A9 are, of course, true of the tradi- tional infinite set of integers in mathematics. However, they are also true of the finite sets of "integers" which are manipulated by computers provided that they are con- fined to nonnegative numbers. Their truth is independent of the size of the set; furthermore, it is largely independent of the choice of technique applied in the event of "over- flow"; for example: (1) Strict interpretation: the result of an overflowing operation does not exist; when overflow occurs, the offend- ing program never completes its operation. Note that in this case, the equalities of A1 to A9 are strict, in the sense that both sides exist or fail to exist together. (2) Firm boundary: the result of an overflowing opera- tion is taken as the maximum value represented. (3) Modulo arithmetic: the result of an overflowing operation is computed modulo the size of the set of integers represented. These three techniques are illustrated in Table II by addition and multiplication tables for a trivially small model in which 0, 1, 2, and 3 are the only integers repre- sented. It is interesting to note that the different systems satisfy- ing axioms A1 to A9 may be rigorously distinguished from each other by choosing a particular one of a set of mutually exclusive supplementary axioms. For example, infinite arithmetic satisfies the axiom: A10z ~3xVy (y < x), where all finite arithmetics satisfy: A10~ Vx (x < max) where "max" denotes the largest integer represented. Similarly, the three treatments of overflow may be distinguished by a choice of one of the following aMoms relating to the value of max + 1: Alls ~ 3x (x = max + 1) (strict interpretation) All, max + 1 = max (firm boundary) AllM max + 1 = 0 (modulo arithmetic) Having selected one of these axioms, it is possible to use it in deducing the properties of programs; however, 576 Comm unications of the ACM Volume 12 / Number 10 / October, 1969

Hoare - An Axiomatic Basis for Computer Programming

Embed Size (px)

Citation preview

Page 1: Hoare - An Axiomatic Basis for Computer Programming

8/3/2019 Hoare - An Axiomatic Basis for Computer Programming

http://slidepdf.com/reader/full/hoare-an-axiomatic-basis-for-computer-programming 1/6

An Axiomatic Basis for

Com puter Programming

C. A . R . HOARE

The Queen's Universi ty o f Bel fast,* Northern Irela nd

I n t his p a p e r a n a t t e m p t is m a d e t o e x p l o r e t h e l o g i c a l f o u n d a -

t io n s o f c o m p u t e r p r o g r a m m i n g b y u s e o f t e c h n i q u e s w h i ch

w e r e f ir s t a p p l i e d i n t h e st u d y o f g e o m e t r y a n d h a v e l a t e r

b e e n e x t e n d e d t o o t h e r b r a n c h e s o f m a t h em a t ic s . T h i s i n -

v o l v e s th e e l u c i d a t i o n o f s e ts o f a x i o m s a n d r u le s o f i n f e r e n c e

w h i c h c a n b e u s e d i n p r o o f s o f t h e p r o p e r t i e s o f c o m p u t e r

p r o g r a m s . E x a m p l e s a r e g i v e n o f s u c h a x i o m s a n d r u le s , a n d

a f o r m a l p r o o f o f a s i m p l e th e o r e m i s d i s p l a y e d . F i n a l l y , i t i s

a r g u e d t h a t i m p o r t a n t a d v a n t a g e s , b o t h t h e o r e ti c a l a n d p r a c -

t i c a l , m a y f o l l o w f r o m a p u r s u a n c e o f these topics .

KEY WOR DS AND PHRASES: axiom atic method, theory of programming'proofs of programs, form al langu age definition, programming language

design, machine-independentprogramming, program documentationCR CATEGORY: 4 .0 , 4 .2 1 ,4 .2 2 , 5 .2 0 , 5 .2 1 ,5 .2 3 , 5 .2 4

1 . I n t r o d u c t i o n

C o m p u t e r p r o g r a m m i n g i s a n e x a c t s c ie n c e i n t h a t a l l

t h e p r o p e r t i e s o f a p r o g r a m a n d a l l t h e c o n s e q u e n c e s o f

e x e c u t i n g i t i n a n y g i v e n e n v i r o n m e n t c a n , i n p r in c i p le ,

b e f o u n d o u t f r o m t h e t e x t o f th e p r o g r a m i ts e l f b y m e a n so f p u r e l y d e d u c t i v e r e a s o n i n g . D e d u c t i v e r e a s o n i n g i n -

v o l v e s t h e a p p l i c a t i o n o f v a l i d r u l e s o f i n f e r e n c e t o s e t s o f

v a l i d a x i o m s . I t i s t h e r e f o r e d e s ir a b l e a n d i n t e r e s t i n g t o

e l u c i d a t e t h e a x i o m s a n d r u l e s o f i n f e r e n c e w h i c h u n d e r l i e

o u r re a s o n i n g a b o u t c o m p u t e r p r o g r a m s . T h e e x a c t c h o ic e

o f a x io m s w i l l t o s o m e e x t e n t d e p e n d o n t h e c h o i c e o f

p r o g r a m m i n g l a n g ua g e . F o r i l l u s t ra t i v e p u r p o s e s, t h i s

p a p e r i s c o n f i n e d to a v e r y s i m p l e l a n g u a g e , w h i c h i s e f fe c -

t i v e l y a s u b s e t o f al l e u r r e n t p r o c e d u r e - o r i e n t e d l a n g u a g e s .

2 . C o m p u t e r A r i t h m e t i c

T h e f i rs t r e q u i r e m e n t i n v a l i d r e a s o n in g a b o u t a p r o -

g r a m i s t o k n o w t h e p r o p e r t ie s o f t h e e l e m e n t a r y o p e r a t i o n sw h i c h i t i n v o k e s, f o r e x a m p l e , a d d i t i o n a n d m u l t i p l i c a ti o n

o f i n t eg e r s . U n f o r t u n a t e l y , i n s e v e r a l r e sp e c t s c o m p u t e r

a r i t h m e t i c i s n o t t h e s a m e a s t h e a r i t h m e t i c f a m i l i a r t o

m a t h e m a t i c i a n s , a n d i t i s n e c e s s a r y t o e x e rc i se so m e c a r e

i n s e l e c t i n g a n a p p r o p r i a t e s e t o f a x i o m s . F o r e x a m p l e , t h e

a x i o m s d i s p l a y e d i n T a b l e I a r e r a t h e r a s m a l l s e l e c t i o n

o f a x i o m s r e l e v a n t t o in t e g e r s. F r o m t h is i n c o m p l e t e s e t

* Dep ur tme nt o f Com puter Science

o f a x io m s i t i s p o s s i b l e t o d e d u c e s u c h s i m p l e t h e o r e m s a s :

x = x + y X O

y < r ~ r + y X q = ( r - y ) + y X ( 1 + q )

T h e p r o o f o f t h e s e c o n d o f t h e s e i s :

A 5 ( r - - y ) + y X ( l + q )

= ( r - - y ) + ( y X l + y X q )

A 9 = ( r - - y ) + ( y + y X q )

A 3 = ( ( r - - y ) + y ) + y X q

A 6 = r + y X q p r o v i d e d y < r

T h e a x i o m s A 1 t o A 9 a r e , o f c o u r se , t r u e o f t h e t r a d i -

t i o n a l in f i ni t e s e t of i n t e g e rs i n m a t h e m a t i c s . H o w e v e r ,

t h e y a r e a l s o t r u e o f t h e f i ni t e s e t s o f " i n t e g e r s " w h i c h a r e

m a n i p u l a t e d b y c o m p u t e r s p r o v id e d t h a t t h e y a r e c o n -

f i n ed t o nonnegative n u m b e r s . T h e i r t r u t h i s i n d e p e n d e n t

o f t h e s i ze o f t h e s e t ; f u r t h e r m o r e , i t i s l a r ge l y i n d e p e n d e n t

o f t h e c h o i ce o f t e c h n i q u e a p p l i e d in t h e e v e n t o f " o v e r -

f l o w " ; f o r e x a m p l e :

( 1 ) S t r i c t i n t e r p r e t a t i o n : t h e r e s u l t o f a n o v e r f lo w i n g

o p e r a t i o n d o e s n o t e x i s t ; w h e n o v e r f l o w o c c u rs , t h e o f f e n d -

i n g p r o g r a m n e v e r c o m p l e t e s i t s o p e r a t i o n . N o t e t h a t i n

t h i s c a s e , t h e e q u a l i t i e s o f A 1 t o A 9 a r e s t r i c t , i n t h e s e n s e

t h a t b o t h s i d e s e x i s t o r f a i l t o e x i s t t o g e t h e r .

( 2 ) F i r m b o u n d a r y : t h e r e s u l t of a n o ve r f lo w i n g o p e r a -

t i o n i s t a k e n a s t h e m a x i m u m v a l u e r e p r e s e n t e d .

( 3 ) M o d u l o a r i t h m e t i c : t h e r e s u l t o f a n o v e r f l o w i n g

o p e r a t i o n i s c o m p u t e d m o d u l o t h e s iz e o f t h e s e t o f i n t e g e rs

r e p r e s e n t e d .

T h e s e t h r e e t e c h n i q u e s a r e i l lu s t r a t e d i n T a b l e I I b y

a d d i t i o n a n d m u l t i p l i c a t io n t a b l e s f o r a t r i v i a l l y s m a l l

m o d e l i n w h i c h 0 , 1 , 2 , a n d 3 a r e t h e o n l y i n t e g e r s r e p r e -

s e n t e d .

I t i s i n t e r e s t i n g t o n o t e t h a t t h e d i f f e re n t s y s t e m s s a t i s f y -

i n g a x i o m s A 1 t o A 9 m a y b e r i g o r o us l y d is t i n g u is h e d f r o m

e a c h o t h e r b y c h o o s i n g a p a r t i c u l a r o n e o f a s e t o f m u t u a l l y

e x c l u si v e s u p p l e m e n t a r y a x i om s . F o r e x a m p l e , i n f in i t e

a r i t h m e t i c s a t i s f i e s t h e a x i o m :

A 1 0 z ~ 3 x V y ( y < x ) ,

w h e r e a l l f i n i t e a r i t h m e t i c s s a t i s f y :

A 1 0 ~ V x ( x < m a x )

w h e r e " m a x " d e n o t e s t h e l a r g e s t i n t e g e r r e p r e s e n t e d .

S i m i l a rl y , t h e t h r e e t r e a t m e n t s o f o v e r f lo w m a y b ed i s t i n g u i s h e d b y a c h o i c e o f o n e o f t h e f o l l o w i n g a M o m s

r e l a t i n g t o t h e v a l u e o f m a x + 1 :

A l l s ~ 3 x ( x = m a x + 1 ) ( s t r ic t i n t e r p r e t a t i o n )

A l l , m a x + 1 = m a x ( fi rm b o u n d a r y )

A l l M m a x + 1 = 0 ( m o d u l o a r i t h m e t i c )

H a v i n g s e l e c t e d o n e o f t h e s e a x i o m s , i t i s p o s s i b l e t o

u s e i t in d e d u c i n g t h e p r o p e r t i e s o f p r o g r a m s ; h o w e v e r ,

5 7 6 C o m m u n i c a t i o n s o f t h e A C M V o l u m e 12 / N u m b e r 10 / O c t o b e r , 1 96 9

Page 2: Hoare - An Axiomatic Basis for Computer Programming

8/3/2019 Hoare - An Axiomatic Basis for Computer Programming

http://slidepdf.com/reader/full/hoare-an-axiomatic-basis-for-computer-programming 2/6

TABLE I

A1 x + y = y + x

A2 x X y = y X x

A3 (x + y ) + z = x+ (y + z )

A4 (xX y) X z = x X (y X z)

A5 x X ( y + z ) = x X y + x X z

A6 y < x D ( x - - y ) + y = x

A7 x+ 0 = xA8 xX0=0A9 x X l = x

addition is commutativemultiplication is commut-

ativeaddition is associativemultiplication is associa-

tive

multiplication distrib-utes through addition

addition cancels subtrac-tion

TABLE II

1.

+ 0 1

0 0 1 21 1232 2 3 *3 3 * *

• nonexistent

StrictInterpretation

23 x 012

3 0 00 0* 1 0 1 2* 2 0 2 *

* 3 0 3 *

+

2. FirmBoundary

123 × 0123

123 0 0000233 1 0123333 2 0233333 3 0333

3.

+ 012

0 0 1 21 1 2 32 2303 3 0 1

Modulo Arithmetic

3 X 0 1 2

3 0 00 00 1 0 1 21 2 02 02 3 0 3 2

these properties will not necessarily obtMn, unless the

program is executed on an implementation which satisfies

the chosen axiom.

3 . Prog r am Execu t ion

As mentioned above, the purpose of this study is to

provide a logical basis for proofs of the properties of a

program. One of the most important properties of a pro-

gram is whether or not it carries out its intended function.

The intended function of a program, or part of a program,

can be specified by making general assertions about the

values which the r elevant variables will take a f t e r execution

of the program. These assertions will usually not ascribe

particular values to each variable, but will rather specify

certain general properties of the values and the relation-

ships holding between them. We use the normal notations

of mathematical logic to express these assertions, and t

familiar rules of operator precedence have been us

wherever possible to improve legibility.

In many cases, the validity of the results of a progra

(or part of a program) will depend on the values take

by the variables before that program is initiated. Thes

initial preconditions of successful use can be specified b

the same type of general assertion as is used to describthe results obtained on termination. To state the require

connection between a preconditio n ( P), a progr am (Q

and a description of the result of its execution (R), w

introduce a new notation:

P { Q } R .

This may be interpreted " I f the assertion P is true befo

initiation of a program Q, then the assertion R will b

true on its completion." If there are no preconditions im

posed, we write true { Q } R )

The treatment given below is essentially due to Floy

[8] but is applied to texts rather than flowcharts.

3.1. Axiom OF ASSIGNMENTAssignment is undoubtedly the most characteristic fe

ture of programming a digital computer, and one th

most clearly distinguishes it from other branches of math

matics. It is surprising therefore that the axiom governi

our reasoning about assignment is quite as simple as an

to be found in elementary logic.

Consider the assignment statement:

x : = f

where

x is an identifier for a simple variable;

f is an expression of a programming language witho

side effects, but possibly containing x.Now an y assertion P (x) which is to be true of (the val

of ) x a f t e r the assignment is made must also have bee

true of (the value of) the expression f, take n be f o re th

assignment is made, i.e. with the old value of x. Thu

if P (x) is to be true after the assignment, then P (f) mu

be true before the assignment. This fact may be expresse

more formally:

DO Axiom of Assignmen t

-P0 {x := f} Pwhere

x is a vari able identifier;

f is an expression;

P0 is obtained fr om P by subs tituting f for all occurences of x.

It may be noticed that DO is not really an axiom at al

but rather an axiom schema, describing an infinite set

axioms which share a common pattern. This pattern

described in purely syntactic terms, and it is easy

cheek whether any finite text conforms to the patter

thereby qualifying as an axiom, which may validly appe

in any line of a proof.

1 If this can be proved in our formal system, we use the famillogical symbol for theoremhood: [-P {Q} R

Volume 12 / Numb er 10 / October, 1969 Com mun ica tio ns of the ACM 5

Page 3: Hoare - An Axiomatic Basis for Computer Programming

8/3/2019 Hoare - An Axiomatic Basis for Computer Programming

http://slidepdf.com/reader/full/hoare-an-axiomatic-basis-for-computer-programming 3/6

3.2. RULES OF CONSEQUENCE

I n a d d i t i o n t o a x i o m s , a d e d u c t i v e s c i e nc e r e q u i r e s a t

l e a s t o n e r u l e o f i n f e re n c e , w h i c h p e r m i t s t h e d e d u c t i o n o f

n e w t h e o r e m s f r o m o n e o r m o r e a x i o m s o r t h e o r e m s a l -

r e a d y p r o v e d . A ru l e o f i n f e r e n c e t a k e s t h e f o r m " I f ~ -X

an d ~- Y th en ~ -Z", i . e . i f a s se r t i o n s o f t h e fo rm X an d Y

h a v e b e e n p r o v e d a s t h e o r e m s , t h e n Z a l s o i s t h e r e b y

p r o v e d a s a t h e o r e m . T h e s i m p l e s t e x a m p l e o f a n i n f e r e n c e

r u l e s t a t e s t h a t i f t h e e x e c u t i o n o f a p r o g r a m Q e n -

s u r e s th e t r u t h o f t h e a s s e r t io n R, t h e n i t a l s o e n s u r e s t h e

t r u t h o f e v e r y a s s e r t i o n l o g ic a l ly im p l i e d b y R . A l s o, i f

P i s k n o w n t o b e a p r e c o n d i t i o n f o r a p r o g r a m Q t o p r o -

d u c e r e s u l t R, t h e n s o is a n y o t h e r a s s e r t i o n w h i c h l o g i c a ll y

i m p l i e s P . T h e s e r u l e s m a y b e e x p r e s s e d m o r e f o r m a l l y :

D 1 R u l e s o f C o n s e q u e n c e

I f ~-P{Q}Rand ~-R D S t h e n ~-P{Q}SI f ~-P{Q}Ran d ~ -S ~ P t h e n ~-S{Q}R

3 .3 . RULE OF COMPOSITION

A p r o g r a m g e n e r a l l y c o ns i s ts o f a s e q u e n c e o f s t a t e m e n t s

w h i c h a r e e x e c u te d o n e a f te r a n o t h e r. T h e s t a t e m e n t s m a y

b e s e p a r a t e d b y a s e m i c o l o n o r e q u i v a l e n t s y m b o l d e n o t i n g

p ro ce d u r a l c o m p o s i t i o n : (Q1 ; Q2 ; " ' " ; Q~) . I n o rd er t o

a v o i d t h e a w k w a r d n e s s o f d o t s , i t i s p o s s i b l e t o d e a l i n i -

t i a l l y w i t h o n l y t w o s t a t e m e n t s (Q1 ; Q 2) , s i n c e l o n g e r s e-

q u e n c e s c a n b e r e c o n s t r u c t e d b y n e s t i n g , t h u s (Q~ ; ( Q2 ;

( " " ( Q ,- 1 ; Q . ) - ' " ) ) ) . T h e r e m o v a l o f t h e b r a c k e t s o f

t h i s n e s t m a y b e r e g a r d e d a s c o n v e n t i o n b a se d o n t h e

a s s o c i a t i v i ty o f t h e " ; - o p e r a t o r " , i n t h e s a m e w a y a s b r a c k -

e t s a r e r e m o v e d f r o m a n a r i t h m e t i c e x p r e s s i o n ( 6 + (t2 +

( . . - (t,_~ + t , ) - - . ) ) ) .

T h e i n f e r e n c e ru l e a s s o c i a te d w i t h c o m p o s i t i o n s t a t e s

t h a t i f t h e p r o v e n r e s u l t o f t h e f i r s t p a r t o f a p r o g r a m i s

i d e n t i c a l w i t h t h e p r e c o n d i t i o n u n d e r w h i c h t h e s e c o n d p a r t

o f t h e p r o g r a m p r o d u c e s i ts i n t e n d e d r e s u lt , t h e n t h e w h o l ep r o g r a m w i l l p r o d u c e t h e i n t e n d e d r e s u lt , p r o v i d e d t h a t t h e

p r e c o n d i t i o n o f t h e f i r s t p a r t i s s a t i sf i e d .

I n m o r e f o r m a l te r m s :

D 2 R u l e o f C o m p o s i t i o n

I f ~-P{QdR1a n d ~-R~{Q2}R he n ~-P{ (Q~ ; Q2)}R

3 .4 . R v L~ OF ITERATION

T h e e s s e n t i al f e a t u r e o f a s t o r e d p r o g r a m c o m p u t e r i s

t h e a b i l i t y t o e x e c u t e s o m e p o r t i o n o f p r o g r a m ( S ) r e -

p e a t e d l y u n t i l a c o n d i t i o n ( B ) g o e s f a ls e . A s i m p l e w a y o f

e x p r e s s i n g s u c h a n i t e r a t i o n i s t o a d a p t t h e A L G O L 6 0

w h i l e n o t a t i o n :

w h i l e B d o S

I n e x e c u t i n g t h i s s t a t e m e n t , a c o m p u t e r f i rs t t e s t s t h e c o n -

d i t i o n B . I f t h i s i s f a l se , S i s o m i t t e d , a n d e x e c u t i o n o f t h e

l o o p i s c o m p l e t e . O t h e r w i s e , S i s e x e c u t e d a n d B i s t e s t e d

a g a i n . T h i s a c t i o n i s r e p e a t e d u n t i l B i s f o u n d t o b e f a l s e .

T h e r e a s o n i n g w h i c h l e a d s t o a f o r m u l a t i o n o f a n i n f e r e n c e

r u l e f o r i t e r a t i o n i s a s f o l lo w s . S u p p o s e P t o b e a n a s s e r t i o n

w h i c h i s a lw a y s t r u e o n c o m p l e t i o n o f S , p r o v i d e d t h a t i t is

a l s o t r u e o n i n i t ia t i o n . T h e n o b v i o u s l y P w i l l s t il l b e t r u e

a f t e r a n y n u m b e r o f i t e r a t i o n s of t h e s t a t e m e n t S ( e v e n

n o i t e r a t i o n s ) . F u r t h e r m o r e , i t is k n o w n t h a t t h e c o n -

t r o l l i n g c o n d i t i o n B i s f a l s e w h e n t h e i t e r a t i o n f i n a l l y

t e r m i n a t e s . A s l i g h t l y m o r e p o w e r f u l f o r m u l a t i o n is p o s -

s i bl e i n l ig h t o f t h e f a c t t h a t B m a y b e a s s u m e d t o b e t r u e

o n i n i t i a t i o n o f S :

D 3 R u l e o f I t e r a t i o n

I f ~P A B{S}P t h e n ~ - P { w h il e B d o S } ~ B A P

3 .5 . EXAMPLE

T h e a x i o m s q u o t e d a b o v e a r e s u f fi c ie n t t o c o n s t r u c t t h e

p r o o f o f p r o p e r t i e s o f s i m p l e p r o g r a m s , f o r e x a m p l e , a

r o u t i n e i n t e n d e d t o f i n d t h e q u o t i e n t q a n d r e m a i n d e r r

o b t a i n e d o n d i v i d in g x b y y . A l l v a r i a b l e s a r e a s s u m e d t o

r a n g e o v e r a s e t o f n o n n e g a t i v e i n t e g e r s c o n f o r m i n g t o t h e

a x i o m s l i s t e d i n T a b l e I . F o r s i m p l i c i t y w e u s e t h e t r i v i a l

b u t i n e ff i c ie n t m e t h o d o f su c c e s s iv e s u b t r a c t i o n . T h e p r o -

p o s e d p r o g r a m i s :

( ( r : = x ; q : = 0 ) ; w h i l e

y<rdo ( r : = r - - y ; q : = l + q ) )

A n i m p o r t a n t p r o p e r t y o f t h is p r o g r a m i s t h a t w h e n i t

t e r m i n a t e s , w e c a n re c o v e r th e n u m e r a t o r x b y a d d i n g t o

t h e r e m a i n d e r r t h e p r o d u c t o f t h e d i v i s o r y a n d t h e q u o -t i e n t q (i .e . x = r + y X q ) . F u r t h e r m o r e , t h e r e m a i n d e r

i s l es s t h a n t h e d i v is o r . T h e s e p r o p e r t i e s m a y b e e x p r e s s e d

f o r m a l l y :

t r u e { Q } ~ y ~< r A x = r + y X q

w h e r e Q s ta n d s f o r t h e p r o g r a m d i s p l a y e d a b o v e . T h i s

e x p r e s s e s a n e c e s s a r y ( b u t n o t s u f f i c i e n t ) c o n d i t i o n f o r

t h e " c o r r e c t n e s s " o f th e p r o g ra m .

A f o r m a l p r o o f o f t h i s t h e o r e m i s g i v e n i n T a b l e I I I .

L i k e a l l f o r m a l p r o o f s , i t i s e x c e s s i v e l y t e d i o u s , a n d i t

w o u l d b e f a i r l y e a s y t o i n t r o d u c e n o t a t i o n a l c o n v e n t i o n s

w h i c h w o u l d s i g n if i c a n tl y s h o r t e n it . A n e v e n m o r e p o w e r -

f u l m e t h o d o f r e d u c i n g t h e t e d i u m o f f o r m a l p r o o f s is t od e r i v e g e n e r a l r ul e s f o r p r o o f c o n s t r u c t i o n o u t o f t h e s i m p l e

r u l es a c c e p t e d a s p o s t u l a t e s . T h e s e g e n e r a l r u le s w o u l d b e

s h o w n t o b e v a l id b y d e m o n s t r a t i n g h o w e v e r y t h e o r e m

p r o v e d w i t h t h e i r a s s i st a n c e c o u l d e q u a l l y w e l l ( i f m o r e

t e d i o u s l y ) h a v e b e e n p r o v e d w i t h o u t . O n c e a p o w e r f u l se t

o f s u p p l e m e n t a r y r u l e s h a s b e e n d e v e lo p e d , a " f o r m a l

p r o o f " r e d u c e s t o l i t t l e m o r e t h a n a n i n f o r m a l i n d i c a t i o n

o f h o w a f o r m a l p r o o f c o u l d b e c o n s t r u c t e d .

4 . G e n e r a l R e s e r v a t i o n s

T h e a x i o m s a n d r u le s o f i n f e r e n c e q u o t e d i n t h is p a p e r

h a v e i m p l i c i t ly a s s u m e d t h e a b s e n c e o f s i de e f f e c t s o f t h e

e v a l u a t i o n o f e x p r e ss i o n s a n d c o n d i t io n s . I n p r o v i n g p r o p -e r t ie s o f p r o g r a m s e x p r e s s e d i n a l a n g u a g e p e r m i t t i n g s i d e

e f f e c t s , i t w o u l d b e n e c e s s a r y t o p r o v e t h e i r a b s e n c e i n

e a c h e a s e b e f o r e a p p l y i n g t h e a p p r o p r i a t e p r o o f t e c h n i q u e .

I f t h e m a i n p u r p o s e o f a h ig h l e v e l p r o g r a m m i n g l a n g u a g e

i s t o a s s i s t i n t h e c o n s t r u c t i o n a n d v e r i f i c a t i o n o f c o r r e c t

p r o g r a m s , i t i s d o u b t f u l w h e t h e r t h e u s e o f f u n c t io n a l

n o t a t i o n t o c a l l p r o c e d u r e s w i t h s i d e e ff e c t s i s a g e n u i n e

a d v a n t a g e .

A n o t h e r d e f i c i en c y i n t h e a x i o m s a n d r u le s q u o t e d a b o v e

5 7 8 C o m m u n i c a t i o n s o f t h e ACM Vo lu m e 1 2 / Nu m b er 1 0 / Oc to b e r , 1 96 9

Page 4: Hoare - An Axiomatic Basis for Computer Programming

8/3/2019 Hoare - An Axiomatic Basis for Computer Programming

http://slidepdf.com/reader/full/hoare-an-axiomatic-basis-for-computer-programming 4/6

i s t h a t t h e y g i v e n o b a s is f o r a p r o o f t h a t a p r o g r a m s u c -

c e s sf u ll y t e r m i n a t e s . F a i l u r e t o t e r m i n a t e m a y b e d u e t o a n

i n f i n i t e l o o p ; o r i t m a y b e d u e t o v i o l a t i o n o f a n i m p l e -

m e n t a t i o n - d e f i n e d l i m i t, f o r e x a m p l e , t h e r a n g e o f n u m e r i c

o p e r a n d s , t h e s i z e o f s t o r ag e , o r a n o p e r a t i n g s y s t e m t i m e

l i m i t . T h u s t h e n o t a t i o n "PIQ}R" s h o u l d b e i n t e r p r e t e d

" p r o v i d e d t h a t t h e p r o g r a m s u c c e s sf u l ly t e r m i n a t e s , t h e

p r o p e r t i e s o f i t s r e s u l t s a r e d e s c r i b e d b y R . " I t i s f a i r l y

e a s y t o a d a p t t h e a x i o m s s o t h a t t h e y c a n n o t b e u s e d t op r e d i c t t h e " r e s u l t s " o f n o n t e r m i n a t i n g p r o g r a m s ; b u t t h e

a c t u a l u s e o f t h e a x i o m s w o u l d n o w d e p e n d o n k n o w l e d g e

o f m a n y i m p l e m e n t a t i o n - d e p e n d e n t f e a t u r e s , f o r e x a m p l e ,

t h e s i ze a n d s p e e d o f th e c o m p u t e r , t h e r a n g e o f n u m b e r s ,

a n d t h e c h o i ce o f o v e r f lo w t e c h n iq u e . A p a r t f r o m p r o o f s o f

t h e a v o i d a n c e o f i n f i n i te lo o p s , it i s p r o b a b l y b e t t e r t o

p r o v e t h e " c o n d i t i o n a l " c o r r e c t n e s s o f a p r o g r a m a n d r e l y

o n a n i m p l e m e n t a t i o n t o g i v e a w a r n i n g i f i t h a s h a d t o

TABLE III

Linenumber Formal proof Justification

1 tr ue ~x = x ~ y X 0 Le mm al

2 x = x - { - y X O { r : = x } x = r . - t - y X O DO

3 x = r ~ y X O { q : = O } x = r . - b y X q DO

4 t r u e { r := x} x = r ~ y X 0 D1 (1, 2)

5 t r ue {r := x; q := 0} x = r -t- y X q D2 (4, 3)

6 x = r ~ y X q A y ~ r ~ x =

( r - y ) ~ y X (1-t-q) Le mm a 2

7 x = ( r - - y ) .- {- y X (1-t-q){r := r - y } x =

r + y X (l +q ) DO

8 x = r + y X (l +q )[ q := 1 . - b q } x =

r - t - y X q DO

9 x = ( r - - y ) -~ y X (l +q) {r := r - - y ;

q := 1+q } x = r + y X q D2 (7, 8)

10 x = r + y X q A y ~ r { r : = r - - y ;

, q := l + q} x = r + y X q D1 (6 , 9 )

11 x = r -b y X q [w hi le y ~ r do

( r : = r - - y ; q := 1--bq)}

~- -Ty < r /~ x = r ~ y X q D3 (10)

12 tr ue {((r := x; q := 0); whi le y ~ rdo

( r : = r - - y ; q := l+q) )} -~y ~ rAx =

r + y X q D2 (5, 11)

NOTES

i. The left han d column is used to nu mb er the lines, and the

right hand column to justify each line, by appealing to an axiom,

a le mm a or a rule of inference applied to one or two previous

l ines , ind icated in b rackets . Nei ther of these columns is pa rtof the formal proof. For example, l ine 2 is an instance of theaxiom of assignm ent (DO); l ine 12 is obtain ed fro m lines 5 and 11by appl icat ion of the ru le o f composi t ion (D2) .

2 . Lemma 1 ma y be proved f rom ax ioms A7 and AS.3 . Lemm a 2 fo l lows d i rect ly f rom the theorem proved in See. 2 .

a b a n d o n e x e c u t i o n o f t h e p r o g r a m a s a r e s u l t o f v i o l a t i o

o f a n i m p l e m e n t a t i o n l i m i t .

F i n a l l y i t i s n e c e s s a r y t o l is t s o m e o f t h e a r e a s w h i c h h a v

n o t b e e n c o v e r e d : f o r e x a m p l e , r e a l a r i t h m e t i c , b i t a n

c h a r a c t e r m a n i p u l a t io n , c o m p l e x a r i th m e t i c , f r a c t i o n

a r i t h m e t i c , a r r a y s , r e c o r d s , o v e r l a y d e f in i t i o n , f il es , i n p u t

o u t p u t , d e c l a r a t i o n s , s u b r o u t i n e s , p a r a m e t e r s , r e c u r s i o n

a n d p a r a l le l e x e c u t io n . E v e n t h e c h a r a c t e r i z a t i o n o f in t e g e

a r i t h m e t i c i s f a r f r o m c o m p l e t e . T h e r e d o e s n o t a p p e a r tb e a n y g r e a t d i f f i c u l t y i n d e a l i n g w i t h t h e s e p o i n t s , p r o

v i d e d t h a t t h e p r o g r a m m i n g l a n g u a g e i s k e p t s i m p l e

A r e a s w h i c h d o p r e s e n t r e a l d i f f i c u lt y a r e l a b e l s a n d j u m p s

p o i n t e rs , a n d n a m e p a r a m e t e r s . P r o o f s of p r o g r a m s w h i c

m a d e u s e o f t h e s e f e a t u r e s a r e l i k e l y to b e e l a b o r a t e , a n

i t i s n o t s u r p r i s i n g t h a t t h i s s h o u l d b e r e f l e c t e d i n t h

c o m p l e x i t y o f t h e u n d e r l y i n g a x i o m s .

5. P r o o f s o f P r o g r a m C o r r e c t n e s s

T h e m o s t i m p o r t a n t p r o p e r t y o f a p r o g r a m i s w h e t h e r

a c c o m p l i s h e s t h e i n t e n t i o n s o f i t s u s e r. I f t h e s e i n t e n t i o n

c a n b e d e s c r i b e d r i g o r o u s ly b y m a k i n g a s s e rt i o ns a b o u t t h

v a l u e s o f v a r i a b l e s a t t h e e n d ( o r a t i n t e r m e d i a t e p o i n t s ) ot h e e x e c u t i o n o f t h e p r o g r a m , t h e n t h e t e c h n i q u e s d e s c r i b e

i n t h is p a p e r m a y b e u s e d t o p r o v e t h e c o r r e c t n es s o f t h

p r o g r a m , p r o v i d e d t h a t t h e i m p l e m e n t a t i o n o f t h e p r

g r a m m i n g l a n g u a g e c o n f o r m s t o t h e a x i o m s a n d r u le s w h i c

h a v e b e e n u s e d i n t h e p r o o f . T h i s f a c t i t se l f m i g h t a l so b

e s t a b l i s h e d b y d e d u c t i v e r e a s o n i n g , u s i n g a n a x i o m s

w h i c h d e s c r i b e s t h e l o g i c a l p r o p e r t i e s o f t h e h a r d w a r

c i r c u i ts . W h e n t h e c o r r e c t n e s s o f a p r o g r a m , i t s c o m p i l e

a n d t h e h a r d w a r e o f t h e c o m p u t e r h a v e a l l b e e n e s t a b l is h e

w i t h m a t h e m a t i c a l c e r t a i n t y , i t w i l l b e p o s s i b l e t o p l a c

g r e a t r e l i an c e o n t h e r e s u l t s o f t h e p r o g r a m , a n d p r e d i

t h e i r p r o p e r t i e s w i t h a c o n f i d e n c e l i m i t ed o n l y b y t h

r e l i a b i l i t y o f t h e e l e c t r o n ic s .T h e p r a c t i c e o f s u p p l y i n g p r o of s f o r n o n t ri v i a l p r o g r a m

w i ll n o t b e c o m e w i d e s p r e a d u n t i l c o n s i d e r a b l y m o r e p o w e

f u l p r o o f t e c h n i q u e s b e c o m e a v a i la b l e , a n d e v e n t h e n w

n o t b e e a s y . B u t t h e p r a c t i c a l a d v a n t a g e s o f p r o g r a m p r o

i n g w i l l e v e n t u a l l y o u t w e i g h t h e d i ff i c u lt i e s, i n v i e w o f t h

i n c r e a si n g c o s t s o f p r o g r a m m i n g e r r o r . A t p r e s e n t , t h

m e t h o d w h i c h a p r o g r a m m e r u s e s t o c o n v i n c e h i m s e l f

t h e c o r r e c tn e s s o f h i s p r o g r a m i s t o t r y i t o u t i n p a r t i c u l

c a s es a n d t o m o d i f y i t if t h e r e s u l ts p r o d u c e d d o n o t c o

r e s p o n d t o h i s i n t e n ti o n s . A f t e r h e h a s f o u n d a r e a s o n a b

w i d e v a r i e t y o f e x a m p l e c a s e s o n w h i c h t h e p r o g r a m s e e m

t o w o r k , h e b e l i e v e s t h a t i t w i l l a l w a y s w o r k . T h e t i m

s p e n t i n t h i s p r o g r a m t e s t i n g i s o f t e n m o r e t h a n h a l f t ht i m e s p e n t o n t h e e n t i r e p r o g r a m m i n g p r o j e c t ; a n d w i t h

r e a l i s ti c c o s t in g o f m a c h i n e t i m e , t w o t h i r d s ( o r m o r e )

t h e c o s t o f th e p r o j e c t i s in v o l v e d i n r e m o v i n g e r r o r s d u r i n

t h i s p h a s e .

T h e c o s t o f r e m o v i n g e r r o r s d i s c o v e r e d a f t e r a p r o g r a

h a s g o n e i n t o u s e i s o f t e n g r e a t e r , p a r t i c u l a r l y i n t h e c a

o f i t e m s o f c o m p u t e r m a n u f a c t u r e r ' s s o f t w a r e f o r w h i c h

l a r g e p a r t o f th e e x p e n s e is b o r n e b y t h e u s e r. A n d f i n a ll

t h e c o s t o f e rr o r i n c e r t a i n t y p e s o f p r o g r a m m a y b e a l m o

V o l u m e 12 / Num ber 10 / Oct obe r, 1969 Com mun ica ti ons o f t h e ACM 5

Page 5: Hoare - An Axiomatic Basis for Computer Programming

8/3/2019 Hoare - An Axiomatic Basis for Computer Programming

http://slidepdf.com/reader/full/hoare-an-axiomatic-basis-for-computer-programming 5/6

i n e a l c u l a b l e - - a l o s t s p a c e c r a f t , a c o l l a p s e d b u i l d i n g , a

c r a s h e d a e r o p l a n e , o r a w o r l d w a r . T h u s t h e p r a c t i c e o f

p r o g r a m p r o v i n g i s n o t o n l y a t h e o r e t i c a l p u r s u it , f o l l o w e d

i n t h e i n t e r e s t s o f a c a d e m i c r e s p e c t a b i l i t y , b u t a s e ri o u s

r e c o m m e n d a t i o n f o r th e r e d u c t i o n o f t h e c o s t s a s s o c i a t e d

w i t h p r o g r a m m i n g e r r o r .

T h e p r a c t i c e o f p r o v i n g p r o g r a m s i s l i k e l y t o a l l e v i a t e

s o m e o f t h e o t h e r p r o b l e m s w h i c h a f fl ic t t h e c o m p u t i n g

w o r l d . F o r e x a m p l e , t h e r e i s t h e p r o b l e m o f p r o g r a m d o c u -

m e n t a t i o n , w h i c h i s e s s e n t i a l , f i r s t l y , t o i n f o r m a p o t e n t i a l

u s e r o f a s u b r o u t i n e h o w t o u s e it a n d w h a t i t a c c o m p l i s h e s,

a n d s e c o n d ly , t o a s s is t in f u r t h e r d e v e l o p m e n t w h e n i t

b e c o m e s n e c e s s a r y t o u p d a t e a p r o g r a m t o m e e t c h a n g i n g

c i r c u m s t a n c e s o r t o i m p r o v e i t i n t h e l i g h t o f i n c r e a s e d

k n o w l e d g e . T h e m o s t r ig o r o u s m e t h o d o f f o r m u l a t i n g t h e

p u r p o s e o f a s u b r o u t i n e , a s w e l l a s t h e c o n d i t i o n s o f i t s

p r o p e r u s e , is t o m a k e a s s e r ti o n s a b o u t t h e v a l u e s o f v a r i-

a b l es b e f o r e a n d a f t e r i t s e x e c u t io n . T h e p r o o f o f th e c o r -

r e c t n e s s o f t h e s e a s s e r ti o n s c a n t h e n b e u s e d a s a l e m m a i n

t h e p r o o f o f a n y p r o g r a m w h i c h c a l ls t h e s u b r o u t i n e . T h u s ,

i n a l a rg e p r o g r a m , t h e s t r u c t u r e o f t h e w h o l e c a n b e c l e a rl y

m i r r o r e d i n t h e s t r u c t u r e o f i t s p r o o f . F u r t h e r m o r e , w h e ni t b e c o m e s n e c e s s a r y t o m o d i f y a p r o g r a m , i t w i ll a l w a y s b e

v a l i d t o r e p l a c e a n y s u b r o u t i n e b y a n o t h e r w h i c h s a t i s f i e s

t h e s a m e c r i t e ri o n o f c o r r e c tn e s s . F i n a l ly , w h e n e x a m i n i n g

t h e d e t a i l o f t h e a l g o r i t h m , i t s e e m s p r o b a b l e t h a t t h e p r o o f

w i l l b e h e l p f u l i n e x p l a i n i n g n o t o n l y what i s h a p p e n i n g

b u t why.

A n o t h e r p r o b l e m w h i c h c a n b e s o l v e d , i n s o f a r a s i t i s

s o lu b l e, b y t h e p r a c t i c e o f p r o g r a m p r o o fs is t h a t o f tr a n s -

f e r r i n g p r o g r a m s f r o m o n e d e s i g n o f c o m p u t e r t o a n o t h e r .

E v e n w h e n w r i t t e n i n a s o - c a l l e d m a c h i n e - i n d e p e n d e n t

p r o g r a m m i n g l a n gu a g e , m a n y l a r g e p r o g r a m s i n a d v e r t -

e n t l y ta k e a d v a n t a g e o f s om e m a c h i n e - d e p e n d e n t p r o p -

e r t y o f a p a r t i c u l a r i m p l e m e n t a t i o n , a n d u n p l e a s a n t a n de x p e n s i v e s u r p ri s e s c a n r e s u l t w h e n a t t e m p t i n g t o t r a n s f e r

i t t o a n o t h e r m a c h i n e . H o w e v e r , p r e s e n c e o f a m a c h i n e -

d e p e n d e n t f e a t u r e w i l l a l w a y s b e r e v e a l e d i n a d v a n c e b y

t h e f M l u r e o f a n a t t e m p t t o p r o v e t h e p r o g r a m f r o m m a -

c h i n e - i n d e p e n d e n t a x i om s . T h e p r o g r a m m e r w il l t h e n h a v e

t h e c h o i c e o f f o r m u l a t i n g h i s a l g o r i t h m i n a m a c h i n e -

i n d e p e n d e n t f a s h i o n , p o ss i b ly w i t h t h e h e l p o f e n v i r o n m e n t

e n q u i r i e s ; o r i f t h i s i n v o l v e s t o o m u c h e f f o r t o r in e f f i c ie n c y ,

h e c a n d e l i b e r a t e l y c o n s t r u c t a m a c h i n e - d e p e n d e n t p r o -

g r a m , a n d r e l y f o r h is p r o o f o n s o m e m a c h i n e - d e p e n d e n t

a x i o m , f o r e x a m p l e , o n e o f t h e v e r s i o n s o f A 1 1 ( S e c t i o n 2 ) .

I n t h e l a t t e r c a s e, t h e a x i o m m u s t b e e x p l i c i tl y q u o t e d a s

o n e o f t h e p r e c o n d i t i o n s o f s u c c e s s f u l u s e o f t h e p r o g r a m .T h e p r o g r a m c a n s t il l, w i t h c o m p l e t e c o n f i d en c e , be t r a n s -

f e r r e d to a n y o t h e r m a c h i n e w h i c h h a p p e n s t o s a t i s f y th e

s a m e m a c h i n e - d e p e n d e n t a x i o m ; b u t i f i t b e c o m e s n ec e s -

s a r y t o t r a n s f e r i t t o a n i m p l e m e n t a t i o n w h i c h d o e s n o t ,

t h e n a l l t h e p l a c e s w h e r e c h a n g e s a r e r e q u i r e d [ w i l l b e

c l e a r l y a n n o t a t e d b y t h e f a c t t h a t t h e p r o o f a t t h a t p o i n t

a p p e a l s t o t h e t r u t h o f t h e o f f e n d in g m a c h i n e - d e p e n d e n t

a x i o m .

T h u s t h e p r a c t i c e o f p r o v i n g p r o g r a m s w o u l d s e e m t o

l e a d t o s o l u t i o n o f t h r e e o f t h e m o s t p r e s s i n g p r o b l e m s i n

s o f t w a r e a n d p r o g r a m m i n g , n a m e l y , r e l ia b i l it y , d o c u m e n -

t a t i o n , a n d c o m p a t i b i l it y . H o w e v e r , p r o g r a m p r o v i n g , c e r-

t a i n l y a t p r e s e n t , w i l l b e d i f f ic u l t e v e n f o r p r o g r a m m e r s o f

h i g h c a l i be r ; a n d m a y b e a p p l i c a bl e o n l y t o q u i t e s i m p l e

p r o g r a m d e s i g n s . A s i n o t h e r a r e a s , r e l i a b i l i t y c a n b e p u r -

c h a s e d o n l y a t t h e p r i c e o f s i m p l i c i t y .

6 . F o r m a l L a n g u a g e D e f i n i ti o n

A h i g h l e v e l p r o g r a m m i n g l a n g u a g e , s u c h a s A L c~ oL ,

F OR TR A N, o r C O BO L, s u s u a l l y i n t e n d e d t o b e i m p l e m e n t e d

o n a v a r i e t y o f c o m p u t e r s o f d if f e r i n g s i ze , c o n f i g u r a t i o n ,

a n d d e s i g n . I t h a s b e e n f o u n d a s e r io u s p r o b l e m t o d e f i n e

t h e s e l a n g u a g e s w i t h s u f f i c i e n t r i g o u r t o e n s u r e c o m p a t -

i b i li t y a m o n g a l l i m p l e m e n t o r s . S i n c e t h e p u r p o s e o f c o m -

p a t i b i l i ty i s t o f a c i l it a t e i n te r c h a n g e o f p r o g r a m s e x -

p r e s s e d in t h e l a n g u a g e , o n e w a y t o a c h i e v e t h is w o u l d b e t o

i n s is t t h a t a ll im p l e m e n t a t i o n s o f t h e l a n g u a g e s h a l l " s a t -

i s f y " t h e a x i o m s a n d r u le s o f in f e r e n c e w h i c h u n d e r l i e

p r o o f s o f t h e p r o p e r t i e s o f p r o g r a m s e x p r e s s e d i n t h e

l a n g u a g e , s o t h a t a l l p r e d i c t i o n s b a s e d o n t h e s e p r o o f s w i l l

b e f u l fi l le d , e x c e p t i n t h e e v e n t o f h a r d w a r e f a i l u re . I ne f f e c t , t h i s i s e q u i v a l e n t t o a c c e p t i n g t h e a x i o m s a n d r u l e s

o f i n f e r e n c e a s t h e u l t i m a t e l y d e f i n i t i v e s p e c i fi c a t i o n of t h e

m e a n i n g o f t h e l a n g u a g e.

A p a r t f r o m g i v i n g a n i m m e d i a t e a n d p o s s i b l y e v e n

p r o v a b l e c r i t e ri o n f o r t h e c o r r e c t n e ss o f a n i m p l e m e n t a t i o n ,

t h e a x i o m a t i c t e c h n i q u e f o r t h e d e f i n i ti o n of p r o g r a m m i n g

l a n g u a g e s e m a n t i c s a p p e a r s t o b e li k e th e f o r m a l s y n t a x o f

t h e A L a O L 6 0 r e p o r t , i n t h a t i t i s s u f fi c i e n t l y s i m p l e t o b e

u n d e r s t o o d b o t h b y t h e i m p l e m e n t o r a n d b y t h e r e a s o n a b l y

s o p h i s t i c a t e d u s e r o f t h e l a n g u a g e . I t i s o n l y b y b r i d g i n g

t h i s w i d e n i n g c o m m u n i c a t i o n g a p i n a s i n g l e d o c u m e n t

( p e rh a p s e v e n p r o v a b l y c o n s is t e n t) t h a t t h e m a x i m u m

a d v a n t a g e c a n b e o b t a i n e d f r o m a f o r m a l l a n g u a g e de f -i n i t i o n .

A n o t h e r o f t h e g r e a t a d v a n t a g e s o f u s i n g a n a x i o m a t i c

a p p r o a c h i s t h a t a x i o m s o f f e r a s i m p l e a n d f l e x ib l e t e c h -

n i q u e f o r l e a v i n g c e r t a i n a s p e c t s o f a l a n g u a g e undefined,

f o r e x a m p l e , r a n g e o f i n te g e r s , a c c u r a c y o f f l o a t i n g p o i n t ,

a n d c h o i c e o f o v e r f l o w t e c h n i q u e . T h i s i s a b s o l u t e l y e s -

s e n t i a l f o r s t a n d a r d i z a t i o n p u r p o s e s , s i n c e o t h e r w i s e t h e

l a n g u a g e w i l l b e i m p o s s i b l e t o i m p l e m e n t e f f i c i e n tl y o n

d i ff e r in g h a r d w a r e d e s ig n s. T h u s a p r o g r a m m i n g l a n g u a g e

s t a n d a r d s h o u l d c o n s i s t o f a s e t o f a x i o m s o f u n i v e r s a l

a p p l i c a b i l i t y , t o g e t h e r w i t h a c h o i c e f r o m a s e t o f s u p p l e -

m e n t a r y a x i o m s d e s c r i bi n g t h e r a n g e o f ch o i ce s f a c in g a n

i m p l e m e n t o r . A n e x a m p l e o f t h e u s e o f a x i o m s f o r th i sp u r p o s e w a s g i v e n i n S e c t i o n 2 .

A n o t h e r o f t h e o b j e c t i v e s o f f o r m a l l a n g u a g e d e f i n it i o n

i s t o a s s i s t i n t h e d e s i g n o f b e t t e r p r o g r a m m i n g l a n g u a g e s .

T h e r e g u l a r i t y , c l a r i ty , a n d e a s e of i m p l e m e n t a t i o n o f t h e

A LG OL 6 0 s y n t a x m a y a t l e a s t i n p a r t b e d u e t o t h e u s e o f

a n e l e g a n t f o r m a l t e c h n i q u e f o r it s d e f i ni t io n . T h e u s e o f

a x i o m s m a y l e a d t o s i m i l a r a d v a n t a g e s i n t h e a r e a o f

" s e m a n t i c s , " s i n c e i t se e m s l ik e l y t h a t a l a n g u a g e w h i c h c a n

(Continued on p. 583)

5 8 0 C o m m u n i c a t i o n s o f t h e A C M V o l u m e 12 / N u m b e r 10 / O c t o b e r , 1 96 9

Page 6: Hoare - An Axiomatic Basis for Computer Programming

8/3/2019 Hoare - An Axiomatic Basis for Computer Programming

http://slidepdf.com/reader/full/hoare-an-axiomatic-basis-for-computer-programming 6/6

by Lowe. In addition, we define F ( j ) = ~ = ~ f ( i) and

write Ix] for the greatest integer no t exceeding x.

In a packed list file, the bucket which contains the first

element of list j will have its first

F ( j ) - - C [ F ( j ) / C ] (1)

positions occupied by lists j - 1, j - 2, .. . . For any

pract ical file, when j is not a smal l integer, (1) behaves as

a random variable uniformly distributed between 0 and C.In other words, the start of a list is independent of bucket

boundaries. It is easy to see that the expected number of

accesses required to re trieve list j is f ( j ) / C ~ 1.

Hence we have

T , = t~ ( f ( j ) / C + 1 ) p ( j ) ,

( 2 ). ' . T , / t , - - 1 + ~ f ( j ) p ( j ) / C ,

since ~f=l p ( j ) = 1. Equat ion (2) corresponds to (1

in [1].

The assumptions on f ( j ) and p ( j ) in [1] may be su

stituted into (2). The first two assumptions yield

T r / t , = 1 + S / N C , (

and the third assumption, for large N, yields approximate

T~/t~ = 1 + ( lnN + ~)-2~-V6. (

These equations should be compared with the right-han

inequalities of (13) and (24) in [1].

RECEIVED MARCH 1969; REVISED JUNE 1969

REFERENCES

1. LOWE, THOMAS C. The influence of data- base chara cteri sti

and usage on direct-access file organization. J . A C M 1

4 (Oct. 1968), 535-548.

A

C . A . R. H O A R E - - c o n t ' d from p a g e 5 8 0

be described by a few "self-evident" axioms from which

proofs will be relatively easy to construct will be preferable

to a language with many obscure axioms which are dif-

ficult to apply in proofs. Furthermore, axioms enable the

language designer to express his general i n t e n t io n s quite

simply and directly, without the mass of detail which

usually accompanies algorithmic descriptions. Finally, ax-

ioms can be formulated in a manner largely independent

of each other, so that the designer can work freely on one

axiom or group of axioms without fear of unexpected in-

teraction effects with other parts of the language.

Ackn o wle d g m e n t s . Many axiomatic treatments of com-

puter programming [1, 2, 3] tackle the problem of proving

the equivalence, rather t han the correctness, of algorithms.

Other approaches [4, 5] take recursive functions rather

than programs as a starting point for the theory. The

suggestion to use axioms for defining the primitive opera-

tions of a computer appears in [6, 7]. The importance ofprogram proofs is clearly emphasized in [9], and an in-

formal technique for providing them is described. The

suggestion that the specification of proof techniques pro-

vides an adequate formal definition of a programming

language first appears in [8]. The formal trea tmen t of pro-

gram execution presented in this paper is clearly derived

from Floyd. The main contributions of the a uthor appear

to be: (1) a suggestion tha t axioms may provide a simple

solution to the problem of leaving certain aspects of a

language undefined; (2) a comprehensive evaluation

the possible benefits to be gained by adopting this approac

both for program proving and for formal language defin

tion.

However, the formal material presented here has on

an expository status and represents only a minute propo

tion of what remains to be done. It is hoped that many othe fascinating problems involved will be taken up b

others.

RECEIVED NOVEMBER, 1968;REVISED MAY, 1969

R E F E R E N C E S

i . Y A N O V , Y u I. Lo g i c a l o p e r a t o r s c h e m e s . K y b e r n e t i k a I, ( 1 9 5 8 )

2 . IG A R AS H I , S . A n a x i o m a t i c a p p r o a c h t o e q u i v a l e n c e p r o b l e m

o f a l g o r i t h m s w i t h a p p l i c a t i o n s . P h . D . Th e s i s 1 9 6 4 . R e p

C o m p t . C e n t r e , U . To k y o , 1 9 6 8 , p p . i - I0 1 .

3 . D E BAK IC ER , J . W . Ax i o m a t i c s o f s i m p l e a s s i g n m e n t s t a t e m e n t s

M . R . 9 4 , M a t h e m a t i s c h C e n t r u m , A m s t e r d a m , J u n e 1 9 6 8 .

4 . M c C A R T H Y , J . T o w a r d s a m a t h e m a t i c a l t h e o r y o f c o m p u t a t i o n .

P r o c . I F I P C o n g . 1 9 6 2 , N o r t h H o l l a n d P u b . C o . , A m s t e r d a m ,

1 9 6 3 .

5. BURSTALL,R. Proving properties of programs by structural i

duction. Experimental Programming Reports: No. 17 DMIPEdinburgh, Feb. 1968.

6. VAN WIJNGAARDEN, A. Numerical analysis as an independe

science. B I T 6 (1966), 66-81.

7. LASKI, J. Sets and o ther types . ALGOL Bull. 27, 1968.

8. FLOYD, R. W. Assigning meanings to programs. Proc. AmeMath. Soc. Symposi a in Applied Mathemat ics, Vol. 19, p19-31.

9. N~_uR, P. P roof of algorithms by general sna pshot s. B I T

(1966), 310-316.

Volu me 12 / Numb er 10 / October, 1969 Com mun ica tio ns of the ACM 58


Viewpoint Retrospective: An Axiomatic Basis for Computer … · Retrospective: An Axiomatic Basis for Computer Programming C ... Prospective (2009–) In 1969, I was afraid industrial

Viewpoint Retrospective: An Axiomatic Basis for Computer … · Retrospective: An Axiomatic Basis for Computer Programming C ... Prospective (2009–) In 1969, I was afraid industrial

Documents
Hoare Laboratory Engineering Limited Case Study · Hoare Laboratory Engineering Limited Case Study Hoare Laboratory Engineering Ltd Tel: 01322 866110 Unit 3, Lullingstone Park Farm

Hoare Laboratory Engineering Limited Case Study · Hoare Laboratory Engineering Limited Case Study Hoare Laboratory Engineering Ltd Tel: 01322 866110 Unit 3, Lullingstone Park Farm

Documents
AXIOMATIC FORMULATIONS

AXIOMATIC FORMULATIONS

Documents
Part 2: Hoare Logic

Part 2: Hoare Logic

Documents
Axiomatic systems By Micah McKee. VOCAB: Axiomatic system Postulate/Axiom Theorem Axiomatic system Line segment Ray Point Line Plane

Axiomatic systems By Micah McKee. VOCAB: Axiomatic system Postulate/Axiom Theorem Axiomatic system Line segment Ray Point Line Plane

Documents
PARALLEL PROGRAMMING: AN AXIOMATIC APPROACH · PARALLEL PROGRAMMING: AN AXIOMATIC APPROACH BY C. A, R. HOARE SUPPORTED BY ADVANCED RESEARCH PROJECTS AGENCY ARPA ORDER NO. 457 OCTOBER

PARALLEL PROGRAMMING: AN AXIOMATIC APPROACH · PARALLEL PROGRAMMING: AN AXIOMATIC APPROACH BY C. A, R. HOARE SUPPORTED BY ADVANCED RESEARCH PROJECTS AGENCY ARPA ORDER NO. 457 OCTOBER

Documents
Hoare Logic - USTCstaff.ustc.edu.cn/~xyfeng/teaching/FOPL/lectureNotes/07_Hoare.pdf · Floyd-Hoare Logic This class is concerned with Floyd-Hoare Logic I also known just as Hoare

Hoare Logic - USTCstaff.ustc.edu.cn/~xyfeng/teaching/FOPL/lectureNotes/07_Hoare.pdf · Floyd-Hoare Logic This class is concerned with Floyd-Hoare Logic I also known just as Hoare

Documents
Geometry: Axiomatic System

Geometry: Axiomatic System

Documents
Hoare Examples & Proof Theory

Hoare Examples & Proof Theory

Documents
AXIOMATIC MISINTERPRETATION

AXIOMATIC MISINTERPRETATION

Documents
Anders Møller Hoare Logic - Computer Science AUamoeller/talks/hoare.pdf · Program Verification with Hoare Logic 3 Hoare Logic Hoare, 1969: use Floyd’s ideas to define axiomatic

Anders Møller Hoare Logic - Computer Science AUamoeller/talks/hoare.pdf · Program Verification with Hoare Logic 3 Hoare Logic Hoare, 1969: use Floyd’s ideas to define axiomatic

Documents
Hoare Logic - Research School of Computer Science · Hoare Logic COMP2600 — Formal Methods for Software Engineering ... COMP 2600 — Hoare Logic 5. ... likely to take the formal

Hoare Logic - Research School of Computer Science · Hoare Logic COMP2600 — Formal Methods for Software Engineering ... COMP 2600 — Hoare Logic 5. ... likely to take the formal

Documents
Axiomatic system2

Axiomatic system2

Documents
Able Seaman MARWOOD HOARE

Able Seaman MARWOOD HOARE

Documents
Abstract Hoare Logics - devel.isa-afp.org · Abstract Hoare Logics Tobias Nipkow January 20, 2021 Abstract These therories describe Hoare logics for a number of imperative language

Abstract Hoare Logics - devel.isa-afp.org · Abstract Hoare Logics Tobias Nipkow January 20, 2021 Abstract These therories describe Hoare logics for a number of imperative language

Documents
Axiomatic System

Axiomatic System

Documents
2 Axiomatic Design

2 Axiomatic Design

Documents
Axiomatic Design Theory

Axiomatic Design Theory

Documents
Axiomatic Semantics

Axiomatic Semantics

Documents
Hoare Lumoto Algorithm

Hoare Lumoto Algorithm

Documents
Semantics of Hoare Logic

Semantics of Hoare Logic

Documents
An Axiomatic Basis for Computer Programmingcrary/819-f09/Hoare69.pdf · Title: An Axiomatic Basis for Computer Programming Author: C. A. R. Hoare Created Date: 1/31/1999 4:27:57 PM

An Axiomatic Basis for Computer Programmingcrary/819-f09/Hoare69.pdf · Title: An Axiomatic Basis for Computer Programming Author: C. A. R. Hoare Created Date: 1/31/1999 4:27:57 PM

Documents
Axiomatic Intro

Axiomatic Intro

Documents
Hoare Logic - Uppsala Universityuser.it.uu.se/~jarst116/slides/week1.pdf · Hoare Logic JariStenman February10,2012 Jari Stenman Hoare Logic February 10, 2012 1 / 25

Hoare Logic - Uppsala Universityuser.it.uu.se/~jarst116/slides/week1.pdf · Hoare Logic JariStenman February10,2012 Jari Stenman Hoare Logic February 10, 2012 1 / 25

Documents
C.A.R. Hoare

C.A.R. Hoare

Documents
Prof. Charles Antony Richard Hoare Tony Hoare. Born in Colombo (Sri Lanka) British parents

Prof. Charles Antony Richard Hoare Tony Hoare. Born in Colombo (Sri Lanka) British parents

Documents
Ben Hoare, Lewisham Council

Ben Hoare, Lewisham Council

Technology
Introduction to Axiomatic Semantics (1/2)web.eecs.umich.edu/.../lectures/weimer-gradpl-08.pdf · 2017-09-08 · #10 Tony Hoare Quote •“Thus the practice of proving programs would

Introduction to Axiomatic Semantics (1/2)web.eecs.umich.edu/.../lectures/weimer-gradpl-08.pdf · 2017-09-08 · #10 Tony Hoare Quote •“Thus the practice of proving programs would

Documents
Axiomatic o Ejemplo

Axiomatic o Ejemplo

Documents
Axiomatic DEsign Case

Axiomatic DEsign Case

Documents