DEDALUS—The DEDuctive ALgorithm Ur-Synthesizer*

by ZOHAR MANNAStanford UniversityStanford, California

and

RICHARD WALDINGER

SRI

InternationalMenlo

Park,

California

INTRODUCTION(D2ftsagram oyn&grisrirrthgantor

The entire sequence of descriptions leadingfrom the speci-fications to tJKfiinal programis called aprogram derivation.

The transformation rules are guided by certain strategic.arc, appliedonly at the .to mwt fltf.cn cpiofftirtinm These specifications constitute 1 controls^ which enmm.thllt thffiljgft ap<pjiedwdy_^

a high-level description of UM^daafed-pwgEaffi-wbicl^ex- Upproprmtetin^arr af transformation rufe* repre.

>T pwsseg-tbc^wg^a&tbe program, without inrlirirtingthe lppHgFMt% pWaSaj? su%ct dW.nMpmeVx-\hi

'

*» .method by whfeh^rt-pwpese^t^tefe^siwa^^ pcate Vhe WaVin&of Ihe cfi&tru^of tfe spe^ficatftn \33]T»Mrhe specifications are expressedjnJenns^Ls»oO.Qn-_ and Wf labguagesV feW ni%cort&pon?^to ba^ prtiv \

{ 2

",„

stnicts^r^rSe^Qdcgac^tho-pfcrtieular obibjact domain J- WarnWpnAciplfes, vv^chVe in^end^ntofthe pai%ular\f I--,' aLtbaAawUywgWMß»»i9n <mmftßrar«*syfo** Because^k^giUa^^

■

B h these constructs are only intended to describe the purpose £««. The programs constructed by the?e techniques are guar-

K\ of the program and need not be computed, they can be of Jgpantoed to be correct and to terminate, and require no sep-a much higher level than the constructs of any programming »*X,?rate ven'fication phase. Up to now, we have not beencon-language(e.g., they can include logicalquantifiers, set con- wh , cerned with the efficiency of the targetprogram.structors, and other nonimputableoperations). The spec- U s The techniques we develop are tested in the implemen-

ification language can correspondclosely with the conceptsa programmeractually uses in thinking about the problem.

The techniques we are developing are independentof thechoice of a target programming language. The particularly!!language we use in our examples and in our experimentalsystem is a simple LISP-like languagecontaining onlybasicnumerical and list-processing operations, conditional /expressions, and recursion. In considering the formation of /programs with side effects, we extend the languageto in- /elude assignments to variables, array elements, and other jdata-structurecomponents. ITjstrr basic approach is to transform the specifications re-

peatedly according to certain rules; each rule replaces onesegment of a program description by another, equivalent,segment. The process continues until a description is ob-tained that is entirely in terms of the primitive constructs ofthe target language; this description is the desiredprogram.

" This research was supported in part by the National Science Foundationunder Grants DCR72-03737 AOl and MCS76-83655, by the Office of NavalResearch under Contracts NOOOl4-76-C-0687 and NOOOI4-75-C-0816, by theAdvanced Research Projects Agency of the Department of Defense underContract MDA9O3-76-C-0206, and a grant from the United States-Israel Bi-national Science Foundation.

tation of an experimental system called DEDALUS (DE-Ductive ALgorithm Ur-Synthesizer). This system is imple-mented in the QLISP programming language,an extensionof INTERLISP that includes pattern-matching and back-

yia-jI; of INTERLISP that includes pattern-matching and back- ~

( e<f\ y.« trac&ggfacilities. y/\ <)& '

/^fheidentification of the basic programming principles, *\\jsf w.s> u - i

/ their codification as transformation rules, and their imple- \ $r\ {tK

/ mentation in our experimental system have constituted a rf°V. \yI major component of our effort. Some of the principles we \A? \have identified so far are: c \ o

" Conditional formationyThis principle causes a case oanalysis to be introduced into the derivation, yielding X^^Da conditional expression/or test) in the ultimate pro- Cfi. \gram. U \^f

1»Recursion formatiorif-Th\s principle introduces a re- y>cursive call into the ultimate program by observing a^'*^ \gtwhen a subgoal to be achieved is actually an instance V s^»of the desired top-levelcjjal,\> x"2. A

" Well-founded orderinffyjhk termination of the recur- 4 "sive programsformed by the abovetechnique is ensured <, aby constructing a well-founded ordering with the prop-

-1 erty that the arguments of theprogram's recursive calls\ areall strictly less than theprogram's inputs.

683

expresses thefact thata propertyP holds for everyelementof a nonempty list / if it holds for the first element head(l)andfor every element of the list tail{l)of the other elements.Thisrule imposes the condition that the list / be nonempty.

In the DEDALUS system, transformation rules are rep-resented as programs in the QLISP language. The full ex-

-"as ... / *■"■'

»«»c

uii^ujcs luc tuiiuiuuii uiai iue nsi

t

oe nonempty.„ ._ . (" I cf ia\k leve ( In the DEDALUS system, transformation rules are rep-zpectfications botM&.^jf'^ Jjjj l QOAU^ resented as programs in the QLISP language. The full ex-

, JffifCl . . '.j? Sj

aC<T>lv .V &% -c72t//- "-Pressive PoweroftheProBramm 'ng language maybebroughtSpecific J-io'S cuLcef** "J £ ac jjJf In^si^inOhe' "SppiTicatioh language, we^ave/incmvC''/' PO^e^anyconstpicts (e^g., the sot const^ctoiv^nd ttte Jj^ojjpalqijantifier^that f^litate the description/of apo-f\If but that may not beOncludecMn the targetDiagramming/ Jn/language. Wpresent>below examples eff specifications f$ /fly^"PJg Prg*r.ams u sj"g-&Qme_o£,these /i^le/el^oE^tmfcts^g/

■*7A"program les's'atl(x~lj, to tesfif a numberjclsTess'tharievery element ofa list / of numbers, is specified as follows:

. to bear in representingeach rule.

l\J

Ui.ak in ItJJlcSClUlllgCclCll lUIC. p.

Derivation trees ]\*J * i ■> M"———r~~' I -j-Jhe USXt-c* A?fre<y?s: - fllk

In developinga program whose specifications are vcrioa.^/(x)<-compute P(x) $Jf)ordi"v3s>

where Q{x), -\previa* f

we establish the output description as a goal to be achieved,C ' 'viz.,wherex is a numberand

/ is a list of numbers. Goal: compute P(x).In general, the specification construct P(all(l)) denotes thatthe propertyP holds for every element of the list /.

Subgoals are derived from this goal by application of therelevant transformation rules. For example, in deriving thegcdprogram, we form the top-level goalThe specificationfor a program to compute the greatest

common divisorgcd{x y) of two nonnegativeintegersx andy is Goal 1: compute max{z: z\xand z\y]

By applyinga transformation rulegcd(x y)<Fconipure max{z:z\x and z\y]wherejr and >■ are nonnegative integers and u\vand u\w u\v and u\w-v

we obtain the subgoal

;t*oor

>'^0.The set constructor {u: P{u)} denotes the set ofallelementsu satisfying the property P. Goal 2: compute max{z : z\x and z\y—x}

The all construct (P(all(l)) and the set constructor{u: P(u)} are specification constructs that are nonprimiUve

..jj^^j^jgenot in .the jarge /progra^mjngJanguageWl^*'**~p«Hhji*fs t^^j^ransfopfha d^nptic^onFe^sirZda^the sagtificati^ presented/above, into/

If a transformation rule imposes a condition P, whichmust be true if the rule is to be applied, a subgoal of theform

Goal: prove P

lessallfx o<=compute x<all(l)

iI

i

\M

ii!

iJ

"

.-"'■' jDEDALUS 685 wl.____ yj tV— — " A\/r

"" a c „ \ tional exDressions bv case analysis have been implemented i(y r

number xis less than every element of a list Zof numbers, |^__ - IMir- havp the toD-level goal M Qwe have the top-level goal

compute x<all{l), Recursionformationwhich is obtained directly from the specifications; in at-

Supposej in constructing a program whose specificationstempting to apply the rule are

P(pll(l))^true ifempty (I) /(^compute P(x)

to this goal, we derive the subgoal where CW

Goal: prove empty U). we encounter a subgoal

From each subgoal that is derived, wecan generatefurther compute P(t)

subgoals by the application of more transformation rules. fa instance of our output specification, compute jWe thus construct a tree of goals and subgoals, which we p^ Because theprogram f[x) is intended to compute P(x)

will call aprogram derivation tree. for x satisfying its input specification Q{x), the recur-A subgoal compute sis already achieved if 5 consists sion.formation rule proposes achieving the subgoal by corn-

entirely of primitive constructs of the target language. A with a recursive call yf,). For this step to besubgoalprovePis achieved if /> is the logical constant true.

must ensure the J>ipM, COB<fft,o„ Q(f) holdsSuch goals are terminal nodes of the derivation tree. »

posed recurs ive call is executed. To ensureLet us now discuss some of the basic programming pnn- recursivc call wiU not cause the program to

ciples used in developing the derivation tree. indefinitely, the rule must also establish a terminationcondition, showing that the argument t is strictly less than j-

/ £2A) o?yH_ the inputx in some well-founded ordering. (A well-founded^ p. fcPROGRAMMING PRINCIPLES WeW^ is one in which no infinite strictly decreasing 552

quences can exist.) This condition precludes the possibility HI

Conditional formation fc^ U n that an infinite sequence of recursive calls might occur dur- * y1 I .^ P ing the execution of theprogram. H<^

Manv of the transformation rules impostconditioning., Forexample, theDEDALUS system derived theprogramii\^^ynS^ve)thatmustbeBatiBdedfor !«««(* I),whichtestswhether agiven number* is less than

«^STo 'aP in attempting to apply everyelement ofa givenlist /ofnumbers. The specificationstherule to be appnea. oup^usc i...»t ... :&> "7. D 7aparticular rule, we fail to prove or disprove^cond.tionP, for this program arewhereP is expressed entirely in terms of the primitive con- iessaU(x /^computex<all(l)structs of the programming language;in such a situation, the fa

&

number andstructs of the programminglanguage; in such a

situation,

me

&

number andconditional-formationrule is invoked. This rule allows us to 7, 1

;fa

a of numbers .introduce a case analysis, and consider separately the casein which Pis true and Pis false. Suppose wejucc^edjn/ in deriving this program, we developa subgoal

constructing aprogram segment S, that solve<gu^roblem) x<«//(fa«7(D)under the assumption that P is true, and another program » l1

segment S, that solves the problem under the assumption m the case that /is nonempty. This subgoal is an instance

that? is false Then theconditional-formation principle puts of our output specification, with the input /replaced cy

these two program segments together into a conditional rfl(7(/);

therefore,

therecursion-formation pnnc.ple proposesIxpressTon that we achieve the subgoal by introducing a recursive callCXPre * lessallix /«//(/))"To ensure that this step is valid, the rule

if P then S_. else S2 , establishes an input condition, thatwhich solves our problem regardless ofwhether P is true orfalse. ]

\ j/hTfwe happen to generate the program segment 52 , say,

i^without using the case assumption that P is

false,

then S 2

A solves our problem regardless of whether or not Pis true.

I In this case, no conditional expression is formed, and the( program constructed is simply St . Thus, cond.t.onal expres- /

stops are generated only for truly relevant condUions. J'-'The conditional-formation rule is among the best-under- <

stood of our basic programming principles and was among

the first to be incorporated into the DEDALUS implemen-

tation. Other program-synthesis systems that form condi-

/

jt is a number andtail{l) is a list of numbers,

and a termination-condition that the argument pair (x tail {I))

is less than the input pair (x I) in a well-founded ordenng.

This termination condition holds because tail (I) is aproper

sublist of/.The final program we obtain is

lessall(x l}^ifempty (/)then trueelse x<head(l)and lessall{xtail (I)).

Suppose in deriving a program we obtain two subgoalsGoal A: compute R(a(x))

Goal B: compute /?(/),

which isan instance, not of the output specificationcomputeP(x), but of some previously generated subgoal andGoal A: compute R(x). GoalB: compute R(b(x)),

The procedure-formationprinciple proposes that we intro-duce a new procedure g(x) whose output specification isneither ofwhich is an instance of the other but both ofwhichare instances of the more generalexpression

compute R(y).In this way, we can achieve both Goals A and B by calls_*(*) and g(t) to a single procedure. In the case that Goal Bhas been derived from Goal A, the call to g(t) will be arecursive call; otherwise,both calls will be simple procedurecalls.

Then the extended procedure-formationrule proposes thatwe introduce a new procedure, whose output specificationis

#(;y)<£compute R(y),For example, in constructing aprogramcart{s t) to com-pute the Cartesian product s and t), of two sets, we aregiven the specification

so that we willbe able to satisfy Goal A by a procedurecallg(a(x)) and Goal B by a procedure call g(b(x)).For example, in constructing a program reverse (/) toreverse a list /, we derive two subgoalscart(s recompute {(x y):xesand yet}

wheres and / are finite sets. Goal A: computeappend(reverse(tail(i))In deriving theprogram, we obtain a subgoalGoal A: compute {(x y):x=*head(s)and yet}

cons(head(l)nil))

andin the case that j is nonempty. Developing Goal A furtherwe derive the subgoal Goal B: compute append(reverse(tail(tail(l)))Goal B: compute {{x y):x=head(s)and yetail(t)}

in the case that t is nonempty. Goal B is an instance of GoalA; therefore, the procedure-formation rule proposes intro-ducing a new procedurecarthead{s i) whose output speci-fication is

cons(head(tail(l))cons(head(l)nil))).

Each of these goals is an instance of the more generalexpression

compute append(reverse{tail(I))carthead{s recompute {(* y):x=head(s)andyet}

so that we can achieve Goal A with a procedure call cart-head(s t) and Goal B with a (recursive) call carthead (stail{t)).The carthead procedure is constructed by the techniqueswe have already introduced. The final system of programswe obtain is

cons(head(l)m));

therefore, the extended procedure-formation rule proposesintroducing a new procedurereversegen (I m), whose outputspecification is

»')).This procedure reverses a nonempty list / and appends

theresult to m. Although the procedure solves a more gen-eral problem than the reverse program we actually require

else carthead (s t) Ucart(tail (s) t),

national Computer

Conference,

1978 f'J " (J l"^ <jLs' L \— =*-/i H \

■n.

■

r X/^ / ~^Ihe recursion-formation principle is well-understood and where/is included in the DEDALUS implementation.The principle /is the same as the "folding rule" of the Burstall and Dar- farthead(s tfcif empty(t)lington3 program transformation system. / then { }.— J / else {(head(s) head(/))} UProcedureformation vam^ U \~~~-

carthead{s tail{t)).

' I The basic Procedure-formation principle has been imple-Suppose in developingaprogramwhose specificationsare T l"^^DEDALUS system can carry out this andof the form other such derivations. However, our method for proving

flr^ . ,D , fte terminat'on ofordinary recursive calls does not alwavs/M<=compute PM j extend to the multiple-procedure casey

where Q(x) L— " :—~we encounter a subgoal Generalization v.sus^<y(0

£(*K=compute R(x).

reversegen (I m)<rcompute append(reverse(tail(l))cons(head(l)cart(s tK=ifempty (s)

then { }

i

I687DEDALUS

it turns out that thereversegen procedure is actually easier To circumvent difficulties of this sort, we have introducedto construct. The final system of programs we obtain is the followingsimultaneous-goal principle: To satisfy a goal I

reverse(l)4^if empty(I)then nilelse reversegen (Inil)

where

reversegen(l mfe'if empty(tail(/))thencons(head(l) m)else reversegen(tail(l)

cons(head(l)

~The generalization mechanism and the extended proce^dure-formation principle are justbeginning to be formulated; 'the elaboration of these concepts is an importantpart of ourprojected effort. Generalization was proposed as a program-synthesis techniqueby Siklossy,4 and is routinely performedby theorem-proving systems for proofs by induction (e.g./see Boyer and Moore5).

STRUCTURE-CHANGING PROGRAMS ,~Pr pssiWv- ekn"t«j -h neJ l-

In the discussion so far, we have been concerned withstructure-maintaining (i.e., "side-effect-free") programs,which producean output but effect no permanent changeinthe data objects of the programming environment. To pro-duce structure-changing programs, which can effect suchchanges, we introduce structure-changing primitives, suchas assignmentstatements, into our target language.To spec-ify such programs, we admit new constructs into our spec-ification language. Most notably, we employ achieveP to

denote a program intended to make the condition P true.

All theprinciples we have appliedto construct structure-maintaining programs may be adapted to construct struc-ture-changingprogramsas well. However,certain new prob-lems arise in the synthesis of structure-changing programs;among these is the simultaneous-goal problem.

In constructing a program to achieve two conditions P,and P 2 , it is not sufficient to decompose the problem byconstructing two independent programs to achieve Pi andP2 respectively. The program that achieves P2 may in theprocess make Px false, and vice versa. Thus, the concaten-ation of the two programs willnot achieve both conditions.

For example,suppose we want to construct aprogram tosort the values of three variables

x,

y, and z; in otherwords,we want to permute the values of the variables to achievethe two conditions x^y and y=sz simultaneously. Assumethat we are given the primitive instruction sort2(u v), whichsorts the values of its input variables u and v. Then we canachieve each of our desired conditions independently byexecuting the programsegmentsort2(x y)andsort2(y z)re-spectively. However, theconcatenation

sort2(x y)sort2(y z)

of these two segments will not achieve both conditions si-multaneously; in sorting y and z, the second segmentsort2(y z) may make the first condition x<y false.

JK of formV^'tjt ach

f'\^ ' flrstcolI ? I achieve\ modific\ preconc

first construct a program F to achieveP,, then modify F toachieveP2 while protecting P, at theend ofP. The program-modification techniquewe employ isbased on the "weakest-precondition operator" (Dijkstra6). A special "protectionmechanism" (cf. Sussman7) ensures that no modification ispermitted that destroys the truth of the protected conditionP, at theend of the program.

achievePi and P2,I

To apply this principle to the goal

achievex^yand y^z

in the sorting problem, we first construct the program seg-ment sort2(x y) that achieves the first condition. We thenmodify this program to achieve the second condition y^z.We cannotachieve thiscondition by inserting the instructionsort2(y z) at the end of the program, because (as we haveseen) this modification violates thecondition x^y,which wemust protect.

However, our program-modification technique allows usto achieve a goal by inserting modifications at any point inthe program, not merely at the end. In this case, the tech-nique causes us to introduce the two instructions

ify<x then sort2(x z)

andifx^y then sort2(y z)

at thebeginning of theprogram segment. The modified pro-gram,

ify<x thensort2(x z)ifxsy thensort2(y z)sort2(x y),

will achieve both conditions Jtssy and_y^_z_slniultaneously.Similar techniques"ar^einployed by the system of War-

ren. 17

The derivation of straight-line programs with simple side- Ieffects is now fairly well understood; much work needs to /be done on the derivation of structure-changing programs /with conditional expressions and loops, and the derivation /of programsthat alter list structures and other complexdata/objects. ___

,7 -Tio-A

i + fAPPLICATIONS TO PROGRAMMING __ je^e \-\lyt "METHODOLOGY >4r-"— o^ a

i tjf.

&

Although the developmentof apractical program-synthe- <»■< ■

Quysis system requires considerable research

effort,

certain ap- o^e/t/plications of program-synthesis techniques to more re- Jy^sLstricted problems will be of more immediate practical value. . " \*.\

Various programming disciplines have been evolvingthat . £attempt to make the programming process simpler or more freliable. Let us consider several of these disciplines, to see fu**'-"where program-synthesis techniques may be applicable. d

\

688 National Computer Conference, 1978

" Structured Programming-Like program synthesisstructured programming (cf. Dijkstra8) presents princi-ples for deriving a program systematically from giverspecifications. However, the principles of structuredprogramming are intended to guide a human program-mer, whereas the principles of program synthesis aremeant to direct a computer system. Nevertheless wehave found that some of the techniques we have de-veloped for a program-synthesis system could well beemployed by a human programmer. In particular, therecursion-formation principle is a better

tured-programming method for the same task." Program Transformation—ln this approach (cf. Bur-stall and Darlington3), the programmer constructs atransparentprogramfor his task, which is likely to becorrect but which may be inefficient. This program is

then transformed into an efficient equivalentprogramwh.ch may be more difficult to understand. This trans-formation process is guaranteed to produce a programequivalentto the original.Program transformation may

lhc target program is also expressedin LISP syntaxbe regarded as a synthesis task in which the specifica- rules are expressedas^ograms in thotions are given in the form of a clear program in the language. For LAaiiipfe^hernfe^fa^-target language. All the program synthesis techniques

"

W9 den°**d by "^^"^ Aa4%^we have developedcan be appliedto program transfer- Q and true 4> O~^ /mation as well. * * yj^eCprogrammer

ties are well-defined but whose precise machmej^rej J^c/| > plete, represenTatfonsTbr its abstract data types are\) |- °hoSen and the pr°eram 'S transformed to replace theyL° operat.ons on the abstract data types by the corre-yy spondmg concrete operationson the chosen represen-

< tat,on (cf- Guttag et al. 9).7.'> " Program Modification—It is often observed that pro-

in developing new programs. This process is particularly fraught with error, because in modifying a program, the programmeris likely to make some changethat interferes with the program's original functioningWe have remarked that a program-modification tech-nique was developed to support the simultaneous-goalprinciple. This technique can also be applied to performindependent program-modification tasks. The protec-

tended.

IMPLEMENTATION

It is difficult to develop or evaluate heuristic techniqueswithout experimenting with an implementation. The DE-DALUS system is a laboratory tool rather than a practicalproduct. The system is implemented in QLISP (Wilber 10)an extension of INTERLISP (Teitelman") that includes pat-

u

mation as well." Data Abstraction—In this approach, the

II

I

V

ri

y

DEDALUS 689

jl When a new goal is generated, the QLISP system retrieves List Programs:

J those rules whose patterns match the form ofthe goal. Thu, . finding the

' retrieval is facilitated by arranging the rules in a class.fica- . testing if a

j tion tree according to their patterns; thus the two rule-, ) . tf sabove would be classified on the same branch of the ree. l of numbel

ii This mechanism allows us to avoid matching every rule ml/ . testing tf ,K the system against eachnewT^-ger*^ , than ever

goal' !subexpressions are established as subgoals. If no rule Sst¥ro&ams:2^ . : r

o «;von

onal a failure occurs,

loserswhose patterns ma'tch the form of the goal. This . fmding the maximum elementof a list

-Mrieval is facilitated by arranging the rules in a classifica- . testing if a list is sortedi„mM,t nf a list

■bn tree according to their patterns; thus the two rules ) . testing tf a number is less than every element of a list

.w,. wnuld be classified on the same branch of the tree. , f numbers (lessall))Siis mechanism SEw. us to avoid matching every rule J/ . testing if every element of one Ust of numbers ,s less

the system against each riewjyjeneratedgoal. _^ than every element of another

subexpressions are established as subgoals. If no rule ty y<matches any subexpressionofa giver, goal a/a,

"^ occurs^ computing the union or intersection of two sets - £

operation is commutative, the rule 27= - — / V^fi and true *Q, I COMPARISONS WITH AUTOMATIC PROGRAMMING V,

represented as the QLISP program \(^ that> for a COmplex V^

(QLAMBDA (AND^Q TRUE,

$Q)

. \ WjcanbeappUedlogosdsoffon,."."."^""^ 0 . £££. ,„ IpLityhw an aitline-reservation system .nop- Rj.„„«, „»«". For thi, reason, commutatmty rules suchj^ J- f* „, spacecratt.g„<,ano= systtnn to^exam

PonJQ=, Qn„,P c^v^-J^^ne/goati aJinslaice Can (See, e.g., Green" and Baiter et _. »or the survey

ruk, iKerefoyis a * ,on basic programming principles, we have

/Recursive cajKgc^y x)./ / / / / , y C "in,ra, techniaues that apply to any subject/ Thef^progralnwe obp4 IS / / / I foeused -^-J*^framing sysl.m, of

>£yW< / J no".'will combine speeiiic snbjec, knowledge Mr, gen-

v / then gcd(y/x) / / js^ \enA deductivejnethods-- _^^ J\_/*'K*yt^ " '"ft sJ^Uei " —

i^v^ **7c*> v / - .

■

'^^ " . _

.V

690 National Computer Conference, 1978

A7.

Sussman,

G. }.. A Computer Model ofSkill Acquisition, American El-

sevier,

New York, NY., 1975.8. Dijkstra, E. W., A Discipline ofProgramming, Prentice-Hall,Englewood

Cliffs,

NJ., 1976.9. Guttag, J. V., E. Horowitz and D. R. Musser, AbstractData Types andSoftware Validation. Technical Report, Information Sciences InstituteManna del Rey,

CA.,

August 1976.10. Wilber, B. M„ A

QLISP

Reference Manual. Technical Report SRIInternational,Menlo Park, CA., March 1976.11. Teitelman, W., INTERUSP Reference Manual. Xerox Research CenterPaloiMto,CA., 1974.12. Waldinger,R. J., "Achieving SeveralGoals Simultaneously,"in MachineIntelligence 8: Machine Representations ofKnowledge, (E W Elcockand D. Michie, eds.), Ellis Horwood Ltd.,

Chichester,

England 1977pp. 94-136. '

13. Balzer, R. M., AutomaticProgramming, Technical Report, InformationScience Institute, University of Southern

California,

Marina del Rev

CA.,

September 1972.14. Green C. C, "The Design of the PSI Program Synthesis System "Proceedings of the Second InternationalConference on SoftwareEngi-

neering, San Francisco, CA, October 1976,pp. 4-1815. Balzer, R. M., N.

Goldman,

and D. Wile. "Informality in Program Spec-

ifications,

" Proceedings of the Fifth InternationalJoint Conference onArtificial Intelligence, Cambridge, MA, August 1977 pp 389-39716. Heidom, G. E., "Automatic Programming Through Natural LanguageDrogue: A Survey," IBM JournalofResearch andDevelopment Vol20, No. 4, July 1976, pp. 302-313.17. Warren, D. H. D., WARPIAN:A Systemfor Generating Plans Tech-nical Report, Department of Computational Logic, University of Edin-burgh, Edinburgh,

Scotland,

June 1974.