Reasoning about procedures as parameters [chapter]

S. M. German, E. M. Clarke, J. Y. Halpern
1984 Lecture Notes in Computer Science
Introduction

In [2] it was shown that for sufficiently complex Algol-like languages there cannot be a Hoare axiom system which is sound and relatively complete in the sense of Cook [4]. The incompleteness exists whenever a programming language contains (or can simulate) the following combination of features: (i) procedures with procedures passed as parameters, (ii) recursion, (iii) use of non-local variables, (iv) static scoping, and (v) local procedure declarations. Moreover, if any one of the features (i), (ii), (iv), or (v) is dropped from Algol, a sound and relatively complete axiomatization can be obtained for the resulting languages (called L2, L3, L5, and L6 in [2]). It has long been conjectured that the same is true for the language L4 which results when feature (iii), use of non-local variables, is dropped. The languages L2, L3, L5, and L6 are relatively easy to axiomatize, since they all have the finite range property. Informally, this property is that for each program, there is a bound on the number of distinct procedure environments, or associations between procedure names and bodies, that can be reached. However, L4 does not have the finite range property. Intuition suggests that some new reasoning methods are needed for such programs. This intuition is supported by [9], where a precise characterization is given for the class of Hoare axiom systems based on copy rules, and it is shown that none of these axiom systems can deal adequately with infinite range. The main new results in this paper are an axiom system for reasoning about programs with infinite range and a new technique for constructing relative completeness proofs for languages with procedure parameters. We also present a new way of formalizing the semantics of programs with free procedure names. Many of the techniques introduced in this paper are of general use beyond the immediate problem of the language L4. In the course of the relative completeness proof, we develop results of independent interest concerning the existence in general programming languages of interpreter programs; i.e., fixed programs capable of simulating any program in the language. For a brief preview of our approach to reasoning about programs with infinite range, let us consider a small example of a formula in our logic. We retain the idea of using partial correctness assertions {U}S{V}, where U and V are first order, for specifying and reasoning about statements.
To specify a procedure p with a procedure parameter r, we construct more complicated formulas containing partial correctness assertions, to describe how the semantics of the procedure r affects the semantics of p(r). For instance, let p be

proc p(x:r); begin r(x); r(x) end

which calls the formal procedure r twice on the variable parameter x. For an arithmetic domain, p satisfies the formula

∀r, v ({y = y0} r(y) {y = y0 · v} → {x = x0} p(x:r) {x = x0 · v²})

Intuitively, this formula says that for all procedures r and domain values v, if the call r(y) multiplies y by v, then for the same procedure r and value v, the call p(x:r) multiplies x by v². At this point, one might wonder whether this approach is sufficient to specify all procedures. Indeed, the essence of the relative completeness proof for our axiom system is that in L4, the necessary facts about procedures can always be expressed by an appropriate formula of our logic. A different approach to axiomatizing procedures as parameters, based on the use of higher order logic in the assertion language, has been developed in [10, 5]. In both of these papers, the axiom system is assumed to include as axioms all of the formulas valid in a certain higher order theory related to the interpretation. In contrast, our axiom system includes as axioms only the first order theory of the interpretation. Also, in [10, 5], the notion of expressiveness used in establishing relative completeness takes a more general form, involving higher order formulas, while we use the familiar notion of expressiveness as in [4]. It has been conjectured that the two notions of expressiveness are equivalent; this problem is under study [6].

Programming Language

A statement has one of the forms:

S ::= x := e | S1; S2 | if b then S1 else S2 | S1 or S2 | begin var x; S end | begin E; S end | p(x̄:r̄)

The statement S1 or S2 makes a nondeterministic choice and executes one of the statements.
In begin E; S end, E is a procedure environment; i.e., a set of procedure declarations. We often abbreviate begin E; S end to E | S. In p(x̄:r̄), x̄ is a list of variable identifiers and r̄ is a list of procedure identifiers. A set of procedure declarations has the form

proc p1(x̄1:r̄1); B1
...
proc pm(x̄m:r̄m); Bm

and introduces possibly mutually recursive declarations of p1, ..., pm. The pi are called declared procedure names;
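As an added illustration that is not part of the paper, the following derivation shows why the example formula from the introduction holds for the two-call procedure p, using the usual textbook Hoare rules (instantiation of the free logical variable y0, composition, consequence, and a procedure-call rule that reasons about the body); the rule names are generic and are not claimed to be the rules of the paper's own axiom system.

```latex
Fix an arbitrary procedure $r$ and domain value $v$, and assume the hypothesis
\[
  H:\quad \{y = y_0\}\; r(y)\; \{y = y_0 \cdot v\}
  \qquad (y_0 \text{ a free logical variable, so } H \text{ holds for every value of } y_0).
\]
Step 1 (actual parameter $x$ for formal $y$; instantiate $y_0 := x_0$):
\[
  \{x = x_0\}\; r(x)\; \{x = x_0 \cdot v\}
\]
Step 2 (as in Step 1, but instantiate $y_0 := x_0 \cdot v$):
\[
  \{x = x_0 \cdot v\}\; r(x)\; \{x = (x_0 \cdot v) \cdot v\}
\]
Step 3 (composition of Steps 1 and 2, then consequence with $(x_0 \cdot v) \cdot v = x_0 \cdot v^2$):
\[
  \{x = x_0\}\; r(x);\, r(x)\; \{x = x_0 \cdot v^2\}
\]
Step 4 (the body of $p(x:r)$ is exactly $r(x);\, r(x)$; procedure-call rule):
\[
  \{x = x_0\}\; p(x:r)\; \{x = x_0 \cdot v^2\}
\]
Step 5 (discharge $H$, then generalize over the arbitrary $r$ and $v$):
\[
  \forall r, v\;\bigl(\{y = y_0\}\, r(y)\, \{y = y_0 \cdot v\}
  \;\rightarrow\; \{x = x_0\}\, p(x:r)\, \{x = x_0 \cdot v^2\}\bigr)
\]
```

The derivation never inspects the code of r; it uses only the assumed triple about r, which is the point of stating facts about procedure parameters as partial correctness assertions in the hypothesis of an implication.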
doi:10.1007/3-540-12896-4_365