Algebraic Description of Programs with Assertions: Verification and Simulation | Study notes Calculus

AN ALGEBRAIC DESCRIPTION OF PROGRAMS WITH ASSERTIONS, VERIFICATION AkD SIMULATION

Rod M. Burstall

Dept. of Machine Intelligence and Perception

University of Edinburgh

Hope Park Square

Meadow Lane

Edinburgh EH8 9NW

Scotland

Abstract

A program in flow diagram form is described by a functor frcm a free category to the category of sets

and relations. Attaching assertions to it is described as a natural transformation and so is sim~lation

one program by another with the same shape of flow diagram. These notions are used to prove the

theorems justifying Floyd's method of proving correctness by verification and Milner's method of proving

simulatio~ restricted to programs of similar form. The treatment is novel but the results are not new,

except that non-deterministic programs are dealt with throughout.

Introduction

In this psper we show how a program in flow diagram form can conveniently be described in category

theoretic terms. We leave aside consideration of the syntactic form of the programming language and just

deal with the graph structure of the flow diagram and the functions associated with the arcs of the flow

diagram (for non-deterministic programs we have relations rather than functions). We treat programs with

assertions (Ployd 1967) by associating a set of states with each node of the flow diagram, namely the

states satisfying the assertion. We prove a simple proposition about free categories which when applied

to programs with assertions justifies the inductive procedure used by Floyd to prove the correctness of

programs by verification. We then use the same proposition to justify a method of proving that one

program simulates another, essentially the technique of Milner (1971) but each node simulated by a unique

node. Thus we can prove that a program simulates another program which has a]ready been proved correct.

As Milner points out this can be advantageous if the first program is a more efficient but less

perspicuous version of the second, or it is obtained from it by compilation. We note the need for less

restrictive notions of simulation, particularly one where ~ command is simulated by a whole subprogram.

We deal with non-deterministic programs throughout instead of restricting the discussion to deter-

ministic ones (Cooper 1971 touches on this in respect of verification as does Manna 1970, but Milner's

simulation work is restricted to deterministic programs).

I believe that the elementary notions of category theory used make the definitions and proofs pithy

and natural. The definitions of the terms category, functor and natural transformation are given in the

Appendix, of. Cohn (1965), MacLane and Birkhoff (1967).

Before plunging into formal definitions and theorems the reader might appreciate an informal outline.

We consider programs written in the usual Ylow diagram form, that is, using tests and assignment commands

~r indeed any kind of co~and whose effect on the state can be defined), but omitting any subroutine

structure or Algol-like block structure. Following Karp (1959) and Landin (1969) we simplify the flow

diagrams by replacing two-exit tests by pairs of one-exit tests. Thus

o is replaced by [no

A program can then be viewed abstractly as a binary graph with a relation associated with each arc.

If the states of the program are n-tuples of integers, the values of n integer variables, then for an

assignment co~and the relation is a total function from n-tuples to n-tuples changing one component, and

for a test the relation is a partial identity function, undefined for n-tuples which fail the test (cf.

Manna 1970@. If assertions are attached to the nodes in the flow diagram we associate with each node the

set of all states satisfying the assertion; in the absence of a specific assertion we simply take the set

of all possible states. This graph (without the associated sets and relations) now generates a free

categor~ whose objects are the nodes and whose morphisms are the arcs of the graphs and their free

compositions compatible with the starting and finishing nodes of the arcs. We see that the morphisms from

one node (object) to another represent all the possible execution paths between these n6des, including

paths round loops of course.

The function which associates a set with each node and a relation with each arc generates a functor

from the free category to the category of sets and relations. In a sense this functor, including its

domain and co-domain, i__~s the program. The functor carries a composition of arcs (an execution path) into

the composition of the relations associated with the arcs, that is the relation computed along that

execution path. Taking the union of the relations computed along all paths from one node to another we

get the relation computed by the program from one node to another, for example from an entry node to an

exit node.

Now

consider

two programs which differ in the assertions, or even in the commands associated with the

graph. A difference in assertions arises if we add assertions to a program in order to prove its correct-

ness by verification; a difference Jn commands arises if we have one program simulating another. For

Algebraic Description of Programs with Assertions: Verification and Simulation, Study notes of Calculus

Related documents

Partial preview of the text

Download Algebraic Description of Programs with Assertions: Verification and Simulation and more Study notes Calculus in PDF only on Docsity!

o is replaced by [no

P(a). P(~) P(b)

p , ~ f ) " P ' (b)

then 17 i s a n a t u r a l t r a n s f o r m a t i o n "~ : ,.~ P "~ ~ P '.

Proof By d e f i n i t i o n "~ i s a n a t u r a l t r a n s f o r m a t i o n i f f o r each merphism f : a --~ b o f ~ D t h e above

T.

Example of a program

Consider the following program written in the conventional notation.

value of x is n.)O, an integer) $i

YES

(We assume that the initial

NO

I

The flow diagram for this is D, a basis for a category. Let the objects of D be 1,2,3,4,5 and the

morphisms of D be f12: i "@ 2, f 2 3 : 2 -@ 3, f 3 4 : 3 "-~ 4, f#2: # -@ 2, f 2 5 : 2 -@ 5.

f122 I f

f

The set of possible states foT-this program is N x N, where N is the set of integers, since a state

is determined by a value for x and one four y. Thu~ in the absenc~ cf ~ c i f i c assertions we associate

N X N with each point. The commands correspond to relations over N ~ N, i.e. subsets of (N ~ N) × (N ~ N).

The abstract program is P: D - ~ , a basis for a functor, thus

P(1) = N ~ N

P(2) = N × N

etc.

P(f~o) = {((x,y),(x',y'))~x'---x and y'=lJ

P(fo~) = { ( ( x , y! , ( x ' , y ' ) ) ~ x ~ O and x'--x and y'--y~

P ( f ~ , ) { ( ( x , y ) , ( x ' , y ' ) ) l x ' = x and y'=2xT~

P(f~2) = { ( ( x , y ) , ( x ' , y ' ) ) i x ' = x - i and y ' - - y }

Consider a s i m i l a r program w i t h some s p e c i f i c a s s e r t i o n s

N¢

YES

ly := 2 ~

I -'= 1

I

yx2X=x n and x~O

y=2 n

~yx2X=2 n and x~O

.... yy~2x=2~2 n and x)O

The abstract program is P': D - ~ t h u s (assuming P'(a) _~ N X N for each object a)

etc.

and assuming P'(f) .~ (N X N) X (N × N) for each morphism f)

P'(fl2 ) = ~((x,y),(x',y'))Ix'=x and y'=l and x=n, and y'x2x':2 n and x'~O}

etc.

Execution of programs

A flow diagram, D, is a basis for a category and generates a free category ~ D. Each morphism of

~ D is equal to the composition of a unique finite sequence of morphisms of D, i.e. arcs of the flow

diagram. Thus the morphisms of ~ D are the possible execution paths of the computation associated with

the flow diagram and HO~D(a,b), i.e. ~flf: a -~ b in ~ D ~ , is the set of all possible execution paths

starting at a and finishing at b.

An abstract~rogram, P: D - ~ , is a basis for a functor and generates a functor ~ P : ~ D " ~.

If f: a -~ b in ~ D is an execution path then ~ P ( f ) is the relation computed along that path.

We can now define the relation computed by the program from a to b, say Compp(a,b), as

Compp(a,b) = U { P(f)If: a * b in

Here we have considered the relation computed along each computation path from a to b and taken the

union of these. Thus when the program is run if a state s I occurs at the point a, then a state s2 can

occur later at the point b iff (sl,s2) ~ Compp(a,b).

In the above example ~ D has objects {1,2,3,4,5} and morphisms (f11,f22,f33,f44,f55,f12,f23,f34,f42,

f25'f12 ' f23'f23 ' f34 .... 3 where fii,i=1 ..... 5 are the identities. HOm~D(1,5) = ~ f 1 2 " f 2 5 , f $ 2 " f ~ ' f ~ "

f25,f12.f23,f34.f42.f23.f34.f42-f25,... ~, and so on.

Correctness

Floyd (1967) gives a method of proving the correctness of a program by attaching 'assertions' to the

points in the program and 'verifying' that each assertion, except the one on the entry point, follows

from the preceding assertion or assertions. Suppose that this 'verification' has been carried out, then

~loyd shows that if the program is started in a state satisfying the assertion at the entry point and then

reaches a given exit point, it will do so in a state satisfying the assertion at that exit point. Let us

call this the 'Verification Theorem'. Floyd proves it by induction on the length of the execution paths.

We will now see how the theorem can be expressed in our terms and how a proof analogous to Floyd's can be

obtained rather directly.

The program without assertions will have a set associated with each point in the flow diagram, the

same set for each point, namely the set of all possible states for programs in that language, say using

some given set of variables. Attaching assertions to it will be thought of as specifying another program

with the same flow diagram but possibly more restricted sets of states attached to the points, the set

of all states satisfying the assertion at the point. The relations corresponding to the commands will be

the previous ones restricted to the sets of states attached to their starting and finishing points.

We shall reduce proof of correctness to checking that a certain diagram commutes for each arc in the

flow diagram, which corresponds to Floyd's verification of each assertion.