Goto statements: semantics and deduction systems

Acta Informatica 15, 385-424 (1981)

�9 Springer-Verlag 1981

Goto Statements: Semantics and Deduction Systems

Arie de Bruin

Mathematical Centre, Kruislaan 413, 1098 SJ Amsterdam, The Netherlands

Summary. A simple language containing goto statements is presented, to- gether with a denotational and operational semantic for it. Equivalence of these semantical descriptions is proven.

Furthermore, soundness and completeness of a Hoare-like proof system for the language is shown. This is done in two steps. Firstly, a proof system is given and validity is defined using (a variant of) direct semantics. In this case soundness and completeness proofs are relatively easy. After that, a proof system is given which is more in the style of the one by Clint and Hoare [8], and validity in this system is defined using continuation semantics. This validity definition is then related to validity in the first system and, using this correspondence, soundness and completeness for the second system is proven.

1. Introduction

In this report we present several ways of looking at the meaning of goto statements. We define a simple language containing go to statements, and present an operational definition of its semantics in the sense of [9]. We also give a denotational semantics, using the concept of continuations [17]. Furthermore we prove that these definitions are equivalent.

After that we turn our attention towards a Hoare-like deduction system, as proposed in [8], for proving partial correctness of programs of our language. It appears to be surprisingly complicated to justify this system. The essential rule in the deduction system is (for programs with one label only)

{p} goto L{false} I- {p~} A1 {p} {p} go to L{falso} ~- {p} A 2 {P2}

t-- {Pl}A1; L: A2{P2 }

0001-5903/81/0015/0385/$08.00

386 A. de Bruin

and the unusual assumption {p} goto L{false} already gives an indication of possible complications. The main problem is how validity of the construct {p} A {q} has to be defined.

If we investigate how the inference rule given above will be used in correctness proofs, we observe that the assumption {p} gotoL{false} is used as a trick to indicate that p always holds before execution of gotoL. Or, stated another way, the assertion p in the assumption serves as a so called label invariant: if we want to prove partial correctness of a program S which contains a label L, then we can use the assumption {p}gotoL{fa l se} in the proof to describe that p holds whenever label L is encountered during evaluation of S. Thus the introduction of an assumption like {p} g o t o L{false} in a proof only serves the purpose to indicate what the label invariant at L will be.

This report gives two variants of the deduction system and the above ob- servations are used in the first one. Here there are no assumptions, the label invariants needed are stated explicitly within the formulae of the system. These formulae will have the form

(L1 :Pl, ..., L, :p, [ {p} A {q}),

where Pi is the invariant corresponding to label L i. Validity of a formula like this one has to be defined in terms of the meaning of statement A occurring in it. Things become too complicated if we use the customary denotational definition with continuations and environments. Techniques in the spirit of "continuation removal" [13] are used to define the meaning of statements such that a definition of validity is possible which is both perspicuous and useful. After that, soundness and completeness of the deduction system will be proved.

Once this result has been established we investigate a deduction system like the one given by Clint and Hoare. We give a definition of validity of formulae like {p} A{q} using the ordinary continuation semantics. This definition re- sembles closely the one given in [13]. Furthermore this definition of validity is such that

{p,} goto Lz {false},..., {p,} gotoL.{false} ~ {p} A {q}

holds, if and only if in the other system the formula

(L l : pl . . . . ,L , : p,[ {p} A {q} )

is valid. This result will then be used to prove soundness and completeness for the second deduction system.

This two level approach has the following advantages. In the first variant of the system we take only those elements of the Clint-Hoare system into account that are really necessary. This has as a consequence that the definition of validity and the arguments in the soundness and completeness proofs are as perspicuous as possible. Though straightforward proofs of these properties for the second system must essentially be the same as the ones for the first variant, they are bound to be obscured through all additional details which we have to deal with. The way we handle this problem is to separate the "essential proof" from the "additional details".

Goto Statements: Semantics and Deduction Systems 387

The rules and axioms in the second system are just like the ones in other Hoare-like system, and we can combine these into one system quite easily. Using the validity definition for the second variant of the system, as given in this report, it must possible to combine the results stated here with analogous results concerning other language constructs (such as while statements, recursive procedures and the like; cf. de Bakker's monograph [5], see [1, 2], and [6]).

2. Syntax

We use the following classes of symbols:

~ , , the (infinite) class of variables with typical elements x, y, z. We assume this class to be ordered ~ v ~ , , the class of label variables with typical element L f f ~ = {fu 1, ...,fum}, the class of function symbols. We denote the arity of fu i by arf~ ~ o g ~ = {re 1 . . . . , re,}, the class of relation symbols. The arity of re i is denoted by arri.

Next, using a self-explanatory variant of BNF, we define the classes ~ p (boolean expressions) with typical element b, #xf i (expressions) with typical elements s, t, Seggg (statements) with typical element A, and ~*~7 (programs) with typical element S: ~ e x f i b ..:= t ruelb 1 vb2 l - ]b[rea(s l , . . . , s .... )[ ... Ire , (s l , . . . , s . . . . ) d~ s :: = x l f ul (sl , . . . , s,~f ,)[ . . . [ f Um(Sl, . . . , Sarf~ ) ~ / ~ # A : : = x:=sl(A1; A2) I if b then A 1 else A 2 f i lgoto L ~ 7 S ::= L : A I L : A ; S

with the additional requirement: if L 1 : A 1 ; " ' " ; Ln : An i s a p r o -

gram, then all labels L i are different. The symbols fu~ and re~ are the primitive function and relation symbols.

We did not specify them further, because we do not wish to go into details concerning the basic calculations our programs S can perform. Rather do we want to describe the way programs specify more complex calculations using these primitives as building blocks.

The clause (A1;A2) in the definition of Sfgad deserves some comment. It is usual to omit parentheses in cases like this one, thus admitting the grammar to be ambiguous. In general there is no problem there, because the meaning of, say ( A t ; A z ) ; A 3 and A1; (Az;A3) will be the same. Of course this holds in our case too. However, complications show up in our definition of the operational semantics. For instance, for the auxiliary semantic function cd~m/i the equality

c ~ ((A I ; A 2) ; A 3 ) = ~ e (A1; (A 2 ; A 3)) does not hold.

Putting parentheses all over the place is tedious though. We therefore use the convention that the operator " ; " associates to the right, which means that A1;A2; . . . ;A , should be read as ( A 1 ; ( A 2 ; ( . . . ; A n ) . . ) ) .

388 A. de Bruin

Anticipating the deduction systems of Sects. 6 and 8 we give the definition of the syntactical class d o o ~ (the assertions) with typical elements p, q.

d o ~ p :-'= t rue IPz v Pz lTp l rez ( s z , "",Sarrx)] "'" Ire.(sl . . . . , s .... )1 3 x [ p l

It turns out that s J o ~ is just a language ~gf for the first order predicate calculus, based on the classes ~ 5 ~ r and N o ~ . Furthermore we see that g x f i is exactly the class of the terms of ~ , and that ~ , x / ~ is the set of all quantifier free formulae of ~ .

The rest of this paragraph gives some notational conventions and useful definitions. We use the symbol -- to refer to syntactical identity, i.e., B = C means that B and C are the same sequence of symbols. The following abbre- viations will be used:

b l a b 2 - - l ( T b a v 7b2)

b l ~ b z - 7 b a r b 2

if bt t h e n b 2 else b 3 fi - (b 1 A b 2 ) v ( - l b 1 A b 3)

fa lse - 7 t rue

[Li:Ai]~= 1 --= LI : A1 ; . . . ; L , : A , .

We define the property that a label L occurs in A inductively by

a) no label occurs in a statement of the form x . '= s

b) L occurs in (A1;Az) and in if b then A 1 e l s e A 2 fi, if either L occurs in A 1 or L occurs in A 2

c) the only label occurring in g o t o L is L.

Let S - [L i �9 Ai]~= 1. We say that

+) L is declared in S if L - L i for some i (1 < i < n )

+) L occurs in S if either L is declared in S or L occurs in some A i (1 < i < n )

+) S is normal if all labels occurring in S are declared in S.

3. Operational Semantics

In our semantics functions will be used abundantly. Often these functions will be of higher order, which means that they have functions as arguments and/or values. In order to keep our notation as clear as possible we first state some conventions on this point.

a) The class of all functions with domain A and range B will be denoted by (A ~ B)

b) The class of all partial functions with domain A and range B will be denoted by ( A ~ B )

c) The convention will be used that "--*" associates to the right. For example, A -+ B ~ C must be read as A --~ (B--* C)

d) We will in general omit parentheses around arguments, using the convention that function application associates to the left. Thus, assuming


f ~ ( A ~ B ~ C ~ D ) , a e A , beB , c ~ C , for some A , B , C and D, the entity ((f(a))(b))(c) can be written a s f a b c

e) The above convention has the following exception: every syntactic entity used as an argument will be enclosed in [[. ]]-type brackets. This is done to provide a clear distinction between the object language of Sect. 2 and the language used to denote the semantic objects.

As a starting point of our semantical considerations we first discuss the meaning given to the symbols in ~ r and ~o~r An interpretation J of the primitive symbols is an (m + n + 1)-tuple ( D, fu I . . . . ,fUm, re I . . . . , re,) , where

D is a non-empty domain,

fu i is a function in (Da~Y'~ D), for i= 1,... ,m, and

r__e i is a relation c D .... (i = 1 . . . . . n).

All semantic functions to be defined will depend on an underlying interpretation of the primitive symbols, though the notation we use won't show this dependence. For instance, the function giving the meaning of the expressions will be denoted by ~,, instead of ~ or something like that.

We now choose an arbitrary interpretation J and assume this interpretation to remain fixed for the rest of this paper (unless we explicitly state otherwise).

A state is a valuation of the variables from ~U~ in our domain of interpretation D. The set of all states is denoted by S, with typical element a. In principle the meaning of a statement will be a partial function from states to states. The function is partial, due to the possibility of nonterminating com- putations. We consider it useful not to allow partial functions and therefore include the undefined state _1_ in Z. This leads to the following definition:

Z = ( ~ l r , z ~ D ) u { l }.

We denote the set of all defined states by S o, i.e. S o = ( : ~ ~ D). Let d~D. A variant a{d/x} of a state ~r is a state a' differing from a only in

the variable x, or explicitly

/ • if a = • and otherwise {a/x} r

] [ a ' ~ S o such that a'l[y]]---{d[[Y]] i f x , y if x - y .

The next syntactic classes to be handled are ~ ,x /~ and gxfi . We will define inductively the semantic functions

"r g x fi ---~ Z o ---~ D

~C : ~ , x p - - ~ So--~ ( f f tt}.

Note that ~r a, and ~/C[b]] a are not defined for a = _l_.

Definition of ~.

~ [ [ x ] ] o = al~x]]

[[ fu i ( s l , ..., s~r a =fu i (~e'[[Sl]] o" . . . . . r a).

390 A. de Bruin

Definit ion of ~ .

~ r l r t r u e ] ] o. = t t

"tU lib 1 v bE]] o. = tt, if ~/Ui[b a]] o. = t t or z~U[[b2]] o. = tt, and f f otherwise

~tt/'[[ 7 b]] o. = tt, if ~r o. = f f , and f f otherwise

( t t , if (Y/'[[S 1]] O., " ' " ~U" [~Sarri] ] ffff) ~ r.__r ~U[[rei(s 1 . . . . . s,~)]] o.--=]ff, otherwise.

The semant ic definitions given above are basic in the sense that they will be the same for the denota t iona l semantics. We now turn to the opera t ional semantics proper.

We want to define the meaning of a s ta tement A as a function that, given an initial state o. as an argument , yields a so-called computat ion sequence z. Such a computa t ion sequence is a possibly infinite row of states f rom I;, the elements of which can be viewed as the successive in termediate states p roduced by evaluat ion of the s ta tement A start ing in initial state o.. The semant ic func- t ion that maps s ta tements on their meaning in the above sense will be called ~ / ~ .

In order to be able to handle these compu ta t ion sequences, we present the following definitions:

a) ( C o m p u t a t i o n Sequences )

X + is the class of all non-empty finite sequences (o. o, .. . , o.,) for some n>__0, such that o. i e I; for i = 0, 1, . . . , n

X '~ is the class of all infinite sequences (o.o,o.1, ...5, such that o.~eX for all i e lN

2;00, with typical element z, is defined through I2oo= 2;+w I2 ~'.

b) ( C o n c a t e n a t i o n )

Let zl, z 2 6 S ~176 The concatenat ion of z 1 and z 2, nota t ion ZlnZ2, is defined by

1) i f z l = ( o . o , . . . , o . . ) ~ Z + and Z2=(O.~) . . . . ,O.m) E ~ + then ~1 t"l T2 ~--- (O.0, . . . ' o.n, O.~) . . . . . o.ln~ E z~ +

2) if z 1 =(o .o , . . . , o . . ) e ,2 + and z2-- (o.~),o.' l . . . . . )E2 ; ~ then !

Z l n Z 2 _ _ (O.O, O.1 . . . . , o.n, G~), O.1 . . . . ) ~ 2;o~

3) if T1EX '~ then Z ln~2=Zl .

c) (K-Func t ion ) The function ~ e (So~___~ 2;) is defined by

~c(z) = {_L, if z e Z ~~

o.,, if z = ( o . 0 . . . . . o . , ) e Z +.

There is a last r emark to be made before we give an exact definition of cg~ /~ . We must be aware of the fact that A can contain subs ta tements of the form goto L, and we should have a way to get to know how evaluat ion of A proceeds once such a subs ta tement is reached. We therefore supply the func-


tion egos# with an extra argument, namely an element of ~ r meant to provide the "declaration" of the labels occurring in A. ~ o ~ p will then have the following functionality:

9 ' ~ A : ~ , ~ x ~ g ~ l ~ Z ~ - * Z ~

and the computation sequence ~ # [ [ ( S , A ) I ] ~ is meant to be the row of intermediate states appearing during evaluation of A starting in state r where the labels are defined by the program S.

Definition ( ~ A ) . A. ~ / ~ [[(S, A)]] G= (_1_) if a = / .

B. ~o~/~[[(S,A)]I a for o-eZ 0 is defined recursively by

1. ~ A i(S,x: =s)ll G = (~ {~[sll ~lx}) 2. qC~--A [[(S, if b then A 1 else A 2 fi)]] = J ' ( O ' ) n ~ f i [[(S, A1)]] ~, if ~[[b~ a = t t

1 ( o ) n q f ~ # [~(S, A2)]] G, if ~K[[b]] a = f f

3. rg,~ A n-(S, goto L)]I o [O>n~/4<S,A,;A,+I,. . . ,4,>ll~, if S=-[L~:AI]L1,

=~ and L - L , for some i, l <i<n (undefined, otherwise

4. 9 ' ~ A [[(S, (x: = s;A'))]] o = (a {~[[s]] alx}) ~cgc~mp [[(S, A')]] (o {q/" [[s]] a/x}) 5. c g ~ # [[ (S, ((A" ; A'"); A')>]] a = ( a ) n ~ o ~ [[(S, (A" ; (A'" ; A'))>~ p 6. ~g, ,~f i [[<S, (if b then A" else A'" fi; A')>]] a =

{ ( a ) n ~ # I[(S,(A"; A'))]I G, ifW'[[b]] o=tt ( o ) n ~ # [[(S,A'"; A'))]] tr, if ~[[b]] ~ = f f

7. ~ m ~ [(S, (gotoL; A') > ]] o = ( a ) n ~om# [(S, g o t o L ) ] o.

Some remarks on this definition will be useful. This style of defining is taken from Cook [9]. The definition should be viewed as a method for step- wise generating computation sequences. Each step will consist of replacing an occurrence of some expression ~ A [ [ ( S , A ) ] ] a using a rule from the definition. The rule to be applied depends on the form of A and is in fact uniquely determined by A. It is possible that this process won't terminate. In that case an element z of Z ~ will be generated. However this z is well defined in the sense that every member of it is precisely determined.

The difficulties that arise by allowing go to statements in the language are reflected in clauses 4 to 7 of the definition. The problem is that qfo~fi[(S,(A~ ;A2))]]o" cannot be defined easily in terms of ~ # [ [ ( S , A1)]I and cgo~#[[(S, A2)]T, because evaluation of A 1 may terminate through execution of a substatement which is a jump out of A~. The solution given here is to decompose a statement (A~;A2) , using rule 5 or 6, as long as it remains unclear whether an assignment or a jump has to be executed first. When this has become known, rule 4 or 7 can be applied.

The extra states ( a ) which are added in the right-hand sides of clauses 2,5,6 and 7 are strictly speaking superfluous. They are introduced in order to be able to use induction in the proof of lemma 5.2 in a more elegant way. Note however that the ( o ) added in rule 3 is necessary, because we want c ~ A [ [ ( L : g o t o L, g o t o L)]J~ to be equal to ( a , a . . . . ) ~ Z ~ not to ( a ) ~ Z +.

392 A. de Bruin

Finally, from the definition it can be seen that the following holds: if all labels in A and S are declared in S, then c g o ~ [[(S,A)]] o- is defined for all a.

We close this chapter by defining the operational meaning (9[[S]] for each program S in ~w~ . This meaning will be a state transformation, i.e. an element of ( S ~ S ) . The state (9[[S]]a is meant to be the last element of the computation sequence z, generated by evaluation of S starting in state a. More precisely:

Definition ((9). The function (9 has functionality

and is defined by

if S = - [L i :Ai]~' = 1. (9 [[S]] a = ~: (~o~fi [[(S, A 1 ;. . . A,)I] a),

4. Denotationai Semantics

We now give semantical definitions in the style of Scott & Strachey r15], with additions (due to Strachey & Wadsworth [17-] among others) to accomodate the peculiarities that goto-statements entail. The mathematical concepts used in these definitions are summarized below, so that we will be able to refer to them later on. Furthermore it can serve as a very concise introduction for those who are not yet acquainted with it. More details can be found in [5] or [16] for instance.

1. A pair (C, V-) is called a complete partial order (or a cpo) iff C is a non- empty set and ___ a partial order (i.e. a relation that is reflexive, transitive and anti-symmetric) such that

a) C contains a smallest element, called bottom and written as _1_ c or just _1_, i.e. V c e C : _l_r--c

b) Every sequence ClV-czV-.. . of elements from C (called a chain, notation (cl)[= 1 or (ci)i) has a least upper bound II c i, satisfying

i c~) V q: ciV- LJ cj (upper bound)

J

/~) Vde C: [(Vci: cir-d ) =*, [_lciEd ] (the least one). i

2. S as defined in the previous chapter, supplied with partial order F , defined by

o E o" . ~ (o"= o" v o = U_)

is a cpo. A cpo with partial order defined this way is called discrete.

3. Let A and B be cpo's, a n d f e ( A - - * B )

a) f is called monotonic iff V a, b e A: aV-b =, faF- fb

b) f is called strict ifff_l_--A_. The class of all strict functions from A to B will be denoted by (A ~ B)

G o t o Statements: Semantics and Deduct ion Systems 393

c) f is called continuous iff f is monotonic and for every chain (al)i in A, we have f ( l la i )= II (fai), The class of all continuous functions in (A ~ B ) will

i i be denoted by [A ~ B].

4. Let A and B be cpo's. Then [A-o B] is a cpo, if order, bottom and lub are defined by

a) f E - g r V a e A : f a r - g a

b ) s �9 s

c) if ( f / ) / i s a chain then O f / = 2 a - U ( f / a ) . i i

5. Let A i be a cpo for i---1 . . . . ,n. Then A 1 • ... • is a cpo, if order, bottom and lub are defined by

a) (a 1 .... ,a,)[-(a'l, ...,a',) iff ail--a; for i= 1 . . . . ,n

b) _J_A1 . . . . . An=( & . . . . . J-)

c) if (#1/) . . . . ~/~ ,a , ) is a chain, then U((a~/), . . . ,at,~ (Ua~/), ..., Ua~/)). i i i

6. Let A be a cpo. Every continuous function fe[A---,A] has a least fixed point, written p f, with properties

a) f (# f ) = # f fixed point property, notation fpp b) V x e A[f(x)F-x =:, p f ~ x] least fixed point property (Ifp) c) p f = I Jf~(• with f~(_l_) defined by f~ .1_, f~+' (•

We now discuss the denotational semantics for statements from 5~lag. Again we are faced with problems about what to do with substatements of the form g o t o L. In the operational semantics this was solved by giving c g ~ an extra argument S=[L~:Ai]7= 1, which was used in essence to associate with each label Li the statement Ai; . . . ;A,. The meaning of goto L~ was practically the same as the maning of A~; . . . ;A, , which could be reduced to a state transformation (i.e. xoCg~p [[(S,A~;...;A,)]], always a strict function). This function, applied to a state a yields a final state a', which is the result of evaluation of the statement A~; . . . ;A,. In other words, a' is the result of evaluation of the rest of the program which will be executed after goto L~ has been evaluated.

The denotational semantics uses the same approach but in a more abstract way. Instead of giving for each label a program text that specificies a state transformation, we now provide this transformation directly. This is organized as follows: the semantic function Jr" is given an extra argument ~, called an environment, which is a function from s to ( 2 : ~ 2 7 ) . In the definition of ~4 r we then will have a clause like X~goIoL] ]7=~I [L] ] . (How this 7I[L~ is obtained from the declaration of L in a program S will be discussed later when we come to define the meaning of programs.)

Thus we see that the meaning yI[L] of the statement g o t o L in an environment ~, is a state transformation that doesn't describe the evaluation of goto L only, but also of the rest of the program to be evaluated once goto L has been executed. But then the same must be true for an arbitrary statement A as well. In the operational semantics care was taken of this, because the text of the rest of the program to be evaluated remained available (see clauses 4-6 in

394 A. de Bruin

the definition of c~mp). Here we will use an abstraction of this idea resem- bling the approach of the go Io statement. Instead of keeping track of a text defining a state transformation, we supply this transformation as an extra argument of Y . Such a transformation q5 is called a continuation, and it is meant to describe the effect of evaluation of the "rest of the program", textually following the statement being defined. Summarizing: if ~b specifies how evaluation of the program proceeds once the right-hand end of A has been reached, and if 7 specifies for every label L how evaluation of the program proceeds once we have reached L, then we want Y[[A]]7~b to specify the evaluation of the program starting from the left-hand end of A.

This approach also solves the problem how to define the meaning of (A1;Az) in terms of the meanings of A a and A 2. The meaning JV[[(A 1 ; A 2 ) ] ] 7 ~

of (A1;A2) in environment 7 with continuation ~b, will be equal to the meaning of A1 in environment 7, but now with a new continuation qY. For if evaluation of A 1 terminates normally (i.e. not through execution of a g o t o statement), then afterwards the statement A z has to be evalulated. Thus the continuation ~b' must be equal to the meaning of A 2 in environment 7 with continuation ~b.

The exact definition of JV will use some new domains which will be defined n o w :

a) M = ( X ~ Z ) with typical elements q~,~b, is the domain of the continuations. We use the convention that continuations appearing as an argument of JV will be enclosed in curly brackets if that improves readability.

b) F=(Sfv~, - - ->M) with typical element 7, is the domain of the environments. We define a variant ?{ r o f an environment the same way as we did in the case of states: (7{~/L})[[E]]=7[[L]] if E#~L, and ~b if E - L . We also use a simultaneous version: (?{r O[L]]=TI[L] if L ~ L i for i= 1 . . . . ,n, and q~i if L =-L i (when we use such a construct, all L i will be different).

Definition (W). The semantic function W with functionality

JV': 5Pg~zg-* F---~ M---~ M

is defined inductively by

Jf f [x:=s]] 7~ba=~ • if a = • ( ~b (tr {~e'[[s]] a/x}), otherwise,

; a2)]174 =XlA3 7{XIrA2] 74} a, • if a = •

Jff[ i f b then A 1 else A 2 fill 7~ba=~ ~n-A1]] 7qSa, if a + • and ~rnb]l a = tt

~I[A2]l 7~ba, if a * 3_ and ~#/'[b]] a = f f , Wl[goto L ]I 7 c]~ a = y l[ L1] a.

The claim on the functionality of Jff in the above definition must be justified. It is though easy to show that VA~AagJ V ~ F V~b~M: ~ / ' I [ A ] 7 ~ M .

The following lemma holds:

Lemma 4.1. For all A ~ &a[eg, and all 7 ~ F we have

2(q~a, ... , ~b,+ a)" JV'[[A]] (7{dpjL,}~= 1) (b,+ ~ [ M "+a --* M].

Proof Straightforward by induction on the structure of A. []


We now turn to the definition of the meaning of programs. The semantic function J l : ~,~7--~ F ~ M will be used for this purpose.

A program S-[-Li : Ai]7= 1 can be considered as a combination of a statement A I ; . . . ; A " and a definition of the labels L~ , . . . ,L , . The state ~l[[[L~:AJT=l]]70- is meant to be the final state reached by evaluation of A a ; . . . ;A, starting in initial state 0-, where the labels L~ are defined by S (for i = 1,... , n) and all other labels by 7.

Definition (J4). ~ l [[[L i : All7= i]] 7 = W[[A1 ;.. . ;A.]] (7 {4)i/Li}n= 1) {20". 0-}, where

<4)1 . . . . ,4)n) =/2 [2 <l/tl . . . . , ~tn)" <,./V'[[Ai]] (7 {~Ij/Lj}7= 1) ~/i+1 )n= 13,

where q/,+I =20-- a.

Remarks. a) There is an assumption in the above definition that has to be justified. We have to show that the operator of which <4)1,..., 4),> should be the least fixed point is a continuous one, i .e . a member of [ M " ~ M " ] . In that case this least fixed point exists. The fact that this transformation is continuous can be proved using Lemma 4.1.

b) The function 4)~ can intuitively be seen as the state transformation defined by evaluation of A~; . . . ;A, where the labels are defined by S and 7. This might be clarified as follows. By fpp we have

4), = JV[[A.]] (7 {4)jt,}~= ~) {20--0-} and

4),-1 = JV[[A,_ a]] (7 {4)jLi}~= 1) 4)n

= ~v[[a,_ 1~ (7 {4)i/Li}~= a) {'A/'[[A.]] (7 {4)i/Li}~= 1) {20--0-} }

= JVI[A,_ 1 ; A,]] (Y {4)//Li}~= ,) {2 0-. 0-}.

Repeating this argument we get

4)i=JV'[[Ai; . . .;A.]](7{4)j/Lj}~=O{2a.a } ( i=1 . . . . ,n).

Moreover, these 4)i are precisely the values which we would expect to be associated with the labels L~.

For later reference we state the following definitions and results.

Lemma 4.2. Let S=-[Li:Ai]7=I E~r , let 7 6 F and let 4)i be derived from S and 7 as in the definition o ra l . Also, let 4)I k) and 7 tk) be defined inductively by:

4)1~ �9 _1_ for i=1 . . . . ,n )(k) , ,+, =2a-0- for k=0, 1,...

7(k)=y{4)Jk)/Lj}~=l for k=0, 1 .. . .

4) lk + l ) -- JV[f Ai]] ?(k) cb (k) for i= 1, . , n i - - r i + l " �9

4 . 2 . 1 . 4)i = [-J 4)I k) (i = 1 . . . . , n) . k

Proof This is a straightforward consequence of facts 5 and 6c from the theoretical remarks in the beginning of this section. []

3 9 6 A . d e B r u i n

4.2.2 ~b i = X[[AI; ... ;A.]I (? {q~j/Lj}~= ,) {2a. a}.

Proof. See remark b) above. []

4.2.3. (olk)F-.A/'[fAi; ...;A,]]V (k-i) {2a .a} (l<i__<n, k = l , 2 . . . . ).

Proof. Induction on k. The basic step (k= 1) can be proved using the fact that 5~b. JVn-A]l 7~b is monotonic and that

W[[ A s .. . A,]I 3' ~ = ,A/'[[ A,]] 7 {.W'[[ A, + ~ ;... ; A,[] y c~ }.

The induction step is proved as follows:

(~(k) __ A / " [ ] 'A ]1 ~,(k - 1 ) ,,A(k - 1 ) i - - g ' t l - ~ i a l / W i + I

= X [[Ai]] 7 (k - 1) { X [[A i + 1]] , , (k- 2) ~(k - 2)/. --/" .ih ~' W i + 2 J - - ' , l r ]"

Now we use Lemma 4.1, and the fact that continuity implies monotonicity to show that X[[A~+l]IT(k-E)cPlk+-22)VjVI[A~+I]] ,'(k-1)'h(k-1)~ ~'~+2 and thus, using 4.1 again:

__ .f A / ' [ ] ' A "[] ,,,(k-- l ) , ~ ( k - 1)'[ ( ~ ) [ - J l / ' i a i ' ~ T ( k - 1 ) t ~ , I I Z ' i + l - U / ' " U i + 2 J

= jt /-[[ A i ; A i +1]] ~ , ( k - 1) r / ' " V I + 2 �9

Repeating the argument we get

~Ik)[--.A/'~.(... (Ai;Ai+l); ...); A,)[] 7(k-1){~,a �9 a}

=~Ar[[ Ai; Ai + 1;... ;An'[] ~(k - - 1) { /~0"" 0"},

where the last identity is easy to prove from the definition of ~ []

We will close this section by taking another look at the meaning of statements A. We saw that the function JVI[A]] essentially yields a continuation as a result. This result depends on a number of continuations, which are supplied to XI[A]] either directly as an argument (the 4) in JVI[A]]7~b) or implicitly through 7, as meaning of the labels occurring in A. In the literature [13] a method called continuation removal is described to dispose of the ~b in the above formula, yielding a more direct approach: the meaning of a statement is a state transformation instead of a continuation transformation. This has only been done for statements A which didn't contain g o t o statements as substatements.

We now take one further step: we show how to deal with goto-substatements. We will define a function ~r giving the meaning of a statement A as a (total) function from Z o to Z o ~ (Z o x ~,e~z~,), such that

~r cr = a'

means that evaluation of A terminates normally in state a ' (i.e. not as the result of an execution of a g o t o statement), and

~[]A]] a = (a ' , L )

means that evaluation of A terminates by execution of a substatement g o t o L in state a'.

G o t o Statements: Semantics and Deduction Systems 397

Put another way, a statement A containing golo-substatements can be viewed as a statement with one entry point (where evaluation of A starts), but with several exit points, namely the normal exit point (the right-hand end of the statement) and the special exit points (viz. the substatements f loto L). We call an exit point determined by a substatement goto L an L-exit point. The function d then specifies for every initial state a the kind of exit point which will be reached and the final state in which this exit point will be reached. This is a formalization of the considerations in [3].

The function d , applied to a statement A and an initial state a, thus yields a final state a' which is the result of evaluation of A, and not of evaluation of A followed by some continuation (as was the case in sff[[A~Tc~a). Since in the deduction systems to be discussed later we deal with formulae {p} A {q}, where q is a predicate on the final state at the normal exit point, we can expect that the function d will be more useful than sV (see Sect. 6).

We now give the definition of d .

Definition (~r The function ~/ with functionality d : 5Pgc~g--->Zo-->XoU(Zo x ~ , ~ ) is inductively defined by

dlrx." =s~ a = a {~[s l l a/x}

=~d[[Az]](dJ[[A1]] a), if d[ [At~ a~X o ~r A2)]] a (d~-A1]] a, otherwise

~d[A1]] a, if r a=t t d[[ i f b then A 1 else A 2 fi]] o'=/d[]_A2]]~ . - =

i f ~ [ [ b ] (7, a=ff ~ [ g o t o L] a = @, L).

We have the following lemma on the relation between ~ ' and ~..

Lemma 4.3. 1 ~ ~r <~> VT~F VqS~M: ~A/'[[A]lTdpa=dpa '

2 ~ ~[[A]] a=(a ' , L) <:~ V 7 e r Vq~eM: W[[A~ 7~ba = 7[ILl] a'.

Proof The ~-par t s of 1 ~ and 2 ~ are straightforward by structural induction. The ~-par t s can be proven by contradiction. For instance, proving 2 ~ " ~ " , suppose VTeF V~beM: Wl[A~TCba=y[[L]]a', and sJ[[A]]a4:(a',L). Then we have two possibilities.

The first one is s~C[[A]] a=(a" , /2) (where a'4=a" or L~-/2) and thus, using 2 ~ " ~ " , V T e F V ~ b e M : o/V[A~Tc/~a=7[E]]a". Now choose 7 such that 7JILl] a ' + 7[/2]] a" and we have a contradiction.

The other possibility is d[[A]]a=a". Then we have (1 ~ " ~ " ) V T e F V ~ b 6 M : A/'[A]] ?c~a=c~a", and we reach a contradiction by choosing 7 and ~b such that 7[L]]a':~(~a". []

5. Operational and Denotational Semantics are Equivalent

Our aim in this section is to prove the following

Theorem 5.1. Let S = [Li'Ai]~= 1 be a program. I f S is normal (i.e. all labels in S are declared) then

V 7 e r : c9[[S]1 = ~ ' [S ] ] 7.

Proof We first prove (_9 IS] [-dr 7, using the following

398 A. de Bruin

Lemma 5.2. Let S =-[Li:Ai]~= 1 ~ r '~ ~ F, and let c~i be derived from S and 7 as in the definition of J/r Let A ~oc#z'~z' and let all labels occurring in A and S be declared in S. Then

VeeZ: Ir ...(*)

Proof of the Lemma. Because all labels are declared in S, it is impossible that cd~/~[[(S,A)]] a be undefined. If a = _L, or if a~: i and rd~mfi[[(S,A)]] aeZ ~, then the left-hand side of (*) is equal to _1_, and the inequality holds. So let us assume that a + _J_ and cdo~/~[[(S,A)] a s s +. We prove (.) using induction on the length of the computation sequence cdo~/~[[ (S ,A)]I c~ (in fact, assuming that this computation sequence is finite, we can prove equality in (.)). We distinguish several cases, depending on the structure of A. We shall abbreviate 7{(oi/Li}'/= a toT.

a) A - x : = s . Then the left-hand side of (*) is equal to a{~//'[[s]] a/x}, and so is the right-hand side.

b) A - - i f b then A 1 e l s e A 2 fi. Assume ~[[b]]a=tt (the other case can be proved analogously). Then ~ c ( c ~ p [[(S, A)]] a) = x ((a)nc~ocn~ [[(S, Aa)~ a). Now the length of ~o~/ ,[[(S, A1)]]a is clearly one less than the length of c 6 ~ / , [[(S, A)]] a, so we can apply the induction hypothesis, yielding

~c(Comp [[(S, A)]] a)= tr (c6o~fi [[(S, A,)]] a)

F-,jV" n'A1]] ?{2a-or} a = WI[A]] ?{2a" a} a.

c) A - g o r e L. Because all labels in A are defined in S, we have L---L s for some j. Thus

K,(Ct~wcfi [(ELi : Ai]n= 1, A)] ] a)

= ~c((a) n c ~ f i I[(S, Aj; ... ;~1,)]1 a) (ind. hyp.)

_ JV[[Aft... ;a,]] ?{2a. a} a (4.2.2)

-- ~ia-- 7[Lj] a

= J ~ [ [ g o t o Lj] 7{2a. a} a.

d) A=-(x:=s;A').

~(cgom/~[(S,A)]] a)= x ( ~ o ~ [[(S, A')]] (a{~[[s]] a/x})) (ind.)

V- W[[Aq] ?{2a. a} (a {~/'[[s]] a/x}) (def. W)

=W[x: =s] ~{W[fA'-n ~{~a. a}} a = ~V[[(x'. = s; A')]I 7{2 a. a} a.

e) A-((A~;Az);A' )

Ic(cd~/r [[(S,A)]] a)=Ic(cga~ H(S,(A~; (A2; A')))]] a) (ind.)

V- ~V [[(A 1 ; (A2 ; A'))]] Y{2 a. a} a

= JV []((A, ;A2); A')]] y{2a-a} a.


f) A - ( i f b then A t e l s e A 2 fi; A'). We suppose, without loss of generality, that ~lU[fb]] a = tt. Then

~c(ego#afi [[(S, A)]] a )= ~c(ego#afi [[(S, A 1 ; A')]] a)

f-JV'[[A 1 ;A']] 9-{2a. a} a

= W[[A1]] ?{W[[A'] g{2a-a}} a

(ind. hyp.)

(def. X )

(def. W)

=W[[ i f b then A 1 else A 2 fi] ~{W[[A'] ~{2a. a}} a =W[[ i f b then A 1 else A 2 fi; A')]] ~{2a. a} a.

g) A - ( g o t o L;A').

~c(eg~fi[[(S,A)]la)=~c(cgo#afi[[(S, g o t o L)~a) (ind. hyp.)

U_Wl[goto L]] 7{2a. a} a (def. W)

= W l [ g o t o L]] ?{W[A'~ ~{2a. a}} a (def. W)

= W[[(goto L;A')~ y{2a. a} a.

This ends the proof of Lemma 5.2. []

We now use the lemma to prove (9~s]U_./ll[fS]]v in the following way. Choose y e F and a e Z. By definition of (9 we have

(9 [[S]] a = ~c (ego#aft [[(S, A, ;. . . ; A,)]] a).

Now all labels in S are declared and thus the same holds for A I ; . . . ;A , . The lemma then gives us

lc(ego~fi [[(S, A 1 ;. . . ; A,)]] a)t-,/V" [[A x ;. . . ;a.]] (7 {dPi/Li}'~= 1) {2a-a} a,

where the ~b i are obtained from S and 7 as in the definition of J / . But, for those ~bi, the definition of J / g i v e s us

.A/" [[A 1 ; . . . ;A,]] (~ { ~o j L i } 7= 1) { ~. ~ . a} (7 = all [[ S ]] 7 (r

which gives us the desired result. For the proof of J/[[S]] 2E(9[[S]], we again use a lemma:

Lemma 5.3. Let S-[L~:A~]7=le~,o # be normal. Let yel" and k e N . Let c~, dpl k) and y(k) be derived from S and 7 as in lemma 4.2. Then, for all A e 5~g,~g such that all labels in A are declared in S, and for all (re,F,, we have

~ A ~ ~(~) { ~ . ~} ~E_ ~ (eg~,,~ ~ <S, A)~ G) ...(+)

Proof of the Lemma. We use induction on the entity (k, c[[A]]) with lexicog- raphic ordering -<. We don't take c[[A] to be the obvious complexity of A. This wouldn't work because of the form of the definition of ego#a#. For instance, in rule 5 the statement (A"; (A'"; A')) occurring in the right-hand side of the rule would be as complex, according to the usual complexity measure, as ((A"; A'"); A') in the left-hand side.

400 A. de Bruin

We define cl[A]l inductively by: cl[x:=s]] =cl[goto L]] = 1; c[[AI;A2] =2cI[AI]I +cI[A2]; cl[it b then A~ else A 2 fill =cl[A~ll +cl[A21l.

a) /1 -= x: = s. Then

W[[x: = s] y(k) {4 a. a} a = K(c~v~fi [[<S, A 1 >3 a) = a { ~//-[]-s]] a/x}.

b) A---if b then A~ else /12 fi. Without loss of generality, we assume ~lF[[b]la=tt. Then the left-hand side of (+ ) equals JVI[A1]]7(R){2a. a}a, and the right-hand side equals ~:(~o.m#[[(S,/11>]la ). Now, because (k, cl[Ax] ) ~,(k, cl[A]]>, the desired result follows from the induction hypothesis.

c) A - go to L. From the assumptions of the lemma, we infer that L - L~ for some i. Now:

JV[[goto Li]] y(k) {2a . a} a = (?(k))[[Li~ a = C/)Ik)a

___Jff[[Ai; ... ; An] 7(k-1){2a �9 a} a. (4.2.3)

Also ( k - 1, c[[Ai; ... ; A.]]> -< (k, c[[goto Li]]>, so we can apply the induction hypothesis

Wn-Ai; ... ; A.1] ~ - 1 ) { 2 a �9 a} a

f - r c ( c ~ f i [<S, A,;. . . ; A,>]] a) (def. ~r

= x ( ~ m # 0"(S, goto Li>]] a).

d) A=(x:=s;A' ) .

dV'[(x:=s; A')]] 7(k){2a - a} a

= W[A']] 7(*){2a �9 a} (a {r a/x}) (cl[A']l ~, cl[x: =s; A']]) I - - K ( c ~ # I[<S, A')]] (a {Yf[[s]] a/x})) = ~(~e~,~ I<s, (x:=s; A')>]] a).

e) A- ( (A1; A2); A' ). We have dV[[((A1; A2); A')]]=jV[[(A1; (A2; A'))]] and c~(A1;(A2; A'))]] <(c[[((A1;A2); A')~. The induction hypothesis thus yields

dff[[(A1 ; (A2; A'))]] y(k){2a �9 a} a

___ ~ c ( ~ f l [[(S, (A 1 ; (A2; A'))>]] a)

= K ( ~ # Ir<s, ((A~; Ag; A')>]] a).

f) A - ( i f b then Ai else A 2 fi; A'). Without loss of generality, we assume that #r[[b]] a=tt . We then have

~II-A]] 7(k){2a " a} a = d g ' ~ A 1 ; A']I 7 (k) { 2 a . a} a (ind. hyp.)

____ K (c6~z~fi [[<S, A 1 ; A'>]] a )= w ( ~ # [[(S, A>]] a).

g) A - ( f l o t o L; A').

dV [[(0oto L; A')]] ~(k) {2 a . a} a = W [[0oto L]] 7 (k) {4 a . a} a (ind. hyp.)

___ tc(cd~# [<S, goto L>]] a )= K(~,,~p [[(S, goto L; A'>]] a).

This concludes the proof of Lemma 5.3. []

G o t o Statements : Semantics and Deduct ion Systems 401

We now are able to prove Jr [[S] 7___ (.9 I[S]].

~'[[S]] 7 = zV'[A 1 ; ... ;A.]] (7{dPi/Li}~= 1){/~O" �9 O'}

= X [ A 1 ; ... ;a,]l (7{kl dPlk)/L,}']= 1){2a-a} (Lemma 4.1) k

= [_J ( JV"[[A1, . . . ;An]] (y{c/)Ik)/L,}7= 1){/~O" �9 O'}). k

Now, taking A=-A1; ...; A, , the assumptions of Lemma 5.3 are satisfied. Thus we can conclude

Vk E N: ,/V[[A 1 ;. . . ; A,]] (7 {~Ik)/Li}'~= 1){2a. a} V- ~c o cgo~/z I[(S, a 1 ; . . . ; A,)]],

and thus

[_.] X [[A 1 ;. . . ; A.]]({d,)Ik)/Li}7= 1) {2a. a} ___ K o (go~fi I[(S, A 1 ; . . . ; A,)]]. k

But also, by definition of (.9:

tr o cgz~fl [[(S, A~ ; . . . ; A.)]] = (_9 [IS]],

which completes the proof. []

Note that Theorem 5.1 is independent of the interpretation of the primitive relation and function symbols chosen, in the sense that the theorem holds for all underlying interpretations J .

6. Deduction System: First Variant

In [10] Hoare proposed to attach meanings to programs by means of a proof system which can be used to derive properties of programs. These properties are described by (partial) correctness formulae, essentially having the form {p} S{q}. Such a construct has informally the following meaning: if evaluation of S terminates, starting from an initial state in which p (the precondition) holds, then in the final state q (the postcondition) holds.

We start with a discussion of these conditions p, which in the sequel will be called assertions. The class of all assertions is ~r with typical elements p, q. We define:

p : : = t r u e l p l v P2l 7plre l (s l , . . . ,s .... )l ... [re,(sl . . . . ,s .... )13x[P].

We define false, Pl APz, Pl ~P2 and if b then Pl else P2 fi as in Sect. 2. The assertions are meant to describe predicates on states. The semantic

function giving the meaning of assertions is #-- and has functionality

~-: d o ~ - - - , S,o---, {f f , tt}.

#--is defined inductively by: a) ~-[true] a = t t b) J - [ P 1 V P2]] a = t t if ~--I[Pl]I a = t t or ~--I[p2]] a = tt, and f f otherwise

402 A. de Bruin

c) J- l ] 7p]] a = tt if 3-[[p]] a = f f , and f f otherwise d) J-[[rei(sl, ...,Sarr,)]]a=tt if (~U[[sl]]a . . . . , U[[s,,r,]]a) � 9 i, and f f other-

wise e) 3-[[3x[p]]]a=tt if there exists an element d in our domain of interpre-

ta t ion D such that ~'-[[p]](a{d/x})= tt, and f f otherwise. No te that ~-- depends on the underlying in terpre ta t ion J , because "U does

(d)), and also through clause e) of the definition. Next some definitions and results on substi tution. We say that an occur-

rence of a variable x in an assert ion p is bound, if this occurrence is within a sub-asser t ion of the form 3x[p ' ] . An occurrence of x in an assert ion p is called free if it is not bound.

The result of subst i tut ing all (free) occurrences of x in s and p by t, will be denoted by s [t/x] and p [t/x] respectively. The definition of s [t/x] is

a) y [t/x] - t if y - x and y otherwise

b) (fu i(s 1 . . . . , Sat f,)) [t/X3 -- fu i(S 1 It~x] . . . . , Sarfi [t/X]). Using this definition p It~x] can be defined by

a) true [t/x]-true b) (p i v P2) It~x] = p I It~x] V p 2 It~X] C) (Tp) [ t / x ] =-- 7(p[ t /x] ) d) (rei(s a . . . . ,s,r,,))[t/x] =rei(s I [t/x], ..., s .... [t/x])

[3y[p] , if x=--y ]3y[p[t /x]] , if x S y and y does not occur in t

e) (3 y [p]) [t/x] = ~ 3 z [p [z/y] [t/x]] if x $ y and y occurs in t, where z | is the first var iable in ~c~, such that z $ x, t z d o e s n t occur in t, z d o e s n t occur free in p.

The following results on subst i tut ion will be useful.

L e m m a 6.1. a) I f x doesn't occur in s then Vd �9 D: U[[s]la= f/'[[s](a{d/x}) b) if x doesn't occur free in p then Yd �9 D: Y-[[p]]a=J'[[p](a{d/x}) c) ~ is [t/x]ll ~ = w Is ] (a { w ~tll ~/x}) d) ~ [[p [t/x]] a = Y ][p]] (a { f [ t ] a/x}).

Proof Stra ightforward by induction. We prove the hardest case of d), i.e. where the assert ion has the form 3y 6o]. There are three cases.

1) y - x . J-][3x[p][t /x]l la=J-[[3x[_p]]la=tt iff 3 d � 9 ~--[[p]](a{d/x})=tt. N o w Y I[P]] (a {d/x}) = Y[[p]] (a { f [t~ a/x} {d/x}), and therefore ~--[[3x 6o]]] a = tt, iff 3 d � 9 ~'--[fp]](a{~l/7[t]]a/x}{d/x})=tt, and this is true whenever 9 - [ 3 x 6o]11 (a { ~ [rt]l a/x})= tt.

2) y~gx and y doesn ' t occur in t. J [ [ ( 3 y [ p ] ) [ t / x ] ] a = Y [ [ 3 y [ p [ t / x ] ] ] a = t t iff 3d �9 D: ~-~[p[t /x]](a{d/y})=tt (ind.hyp.) iff 3d �9 D: Y-[rp]l(a{d/y} {fT[tl](a{d/y})/x})=tt (a)) iff 3d �9 D: J'[[p]l(a{3cr[ft]a/x} {d /y})=t t iff J-[[3y[p]]](a{f/7[t] a /x} )=t t .

3) y S x and y occurs in t. Y- l[3y[p][ t /x]]]a=J[[3z[p[z /y][ t /x]] l]a=(. t#) where z $ x, z doesn ' t occur in t, z doesn ' t occur free in p.

N o w ( # ) = t t iff 3d �9 D: ~-~p[z/y] [t/x]l](~r{d/z})=tt (ind.hyp.) iff 3d �9 D: J- liP]] (a {d/z} {///"[]t]] a'/x} {a"[[x]]/y}) = tt,


where a'=a{d/z} and a"=a'{q/'[[t]la'/x}. Now x~-z, so a"[[z~ =d. Furthermore z doesn't occur in t, so f'[[t]]a'=~U][t]l(a{d/z})=V[[t]a. Thus we get

( # ) = t t iff 3deD: Y-[[pll(a{d/z}{~l[t]a/x}{d/y})=tt.

Because z doesn't occur in t, and y does, we have z~-y. Also we have z~-x and y~-x, so

(4~)=t t iff 3deD: Y'l[pll(o{~l[t]lo/x}{d/y}{d/z})=tt.

Because z doesn't occur free in p, we can use result b) of the lemma, to get

( ~ ) = t t iff 3d~D: 3-[[p]](a{~U][t]la/x}{d/y})=tt iff 3-[[3y[p]](o{~U[[t]]a/x})=tt. []

Having defined assertions and substitution, we now proceed to describe how these notions are to be used in correctness formulae. A typical axiom of our proof system will be the assignment axiom, roughly of the form

{p[s/x]}x,=s{p}.

This axiom can be justified by the following considerations. The statement x:=s transforms an initial state a to a final state a'=a{~K{[s]o/x}. Now suppose p[s/x] is true in o, that is, Y-lp[s/x]lla=tt, or (Lemma 6.1d) ~--[[p]](a{~[[slla/x})=tt. But a{~U[[s]a/x} is equal to the final state a', so we have that p is true in a', which is what we wanted.

A rule of inference in the system will be the rule of composition, stated informally

from {pl}Al{P2} and {p2}A2{P3} infer {pl}A1; A2{p3 }.

The justification of this rule goes somewhat like this. Say we start evaluating A1; A 2 in state a where p~ is true. Now, after evaluation of A1, we have reached an intermediate state a ' where (due to {pl}A~ {P2}) the assertion P2 holds. Evaluating A 2 in state a' delivers a final state a" where P3 holds, for {P2} A2 {P3} is true. Thus we have the desired result.

Another rule of inference is the rule of consequence:

from pl~P2, p3=p4 and {pz}A{p3} infer {p~}A{p4},

which is obviously valid. The fact that we allow g o t o statements in our language complicates things.

The problem becomes apparent if we take another look at the rule of composition. For instance, if the first statement A~ in A-A~;A 2 is identical to goto L, then the justification of the rule as given above doesn't apply anymore. After evaluation of A~, the next statement to be executed is not A2, as was assumed there. Complications are caused by the fact that a statement A can have more than one exit point, namely the normal exit point and the special L- exit points (cf. the discussion after Lemma 4.2).

We can maintain the rule of composition though, if we formulate the meaning of the formula {pl}A{p2} somewhat differently, namely as follows: if A is

404 A. de Bruin

evaluated beginning in a state where p~ holds, and evaluation of A terminates at the normal exit point of A, in state a', then P2 holds in a'.

Now according to this informal validity definition the formula

{p} goto L { q } ... ( # )

would be valid for every assertion p and q, for evaluation of goto L always terminates by "jumping away". However this brings up new problems. For example, the formula

{true} LI: x." = 1; goto L2; L2: x: = X {X = 0 }

would now be derivable, by the following steps

1. {true} L l : x : = l { x = l } 2. { x = l } g o t o L z { x = 0 } 3. {x = 0} L2." x: = x {x = 0} 4. {true} LI: x: = 1 ; g o t o L 2 ; L2: x: = X {X = 0}

(assignment) (#) (assignment) (composition).

But clearly, after evaluation of L l : x : = 1; g o t o L2; L2: x : =X the postcondition x = 1 holds.

These difficulties have been solved in I-8]. The solution is in essence to put a restriction on the preconditions p allowed in (#) , and amounts to the following. Suppose we want to prove {p}S{q}, where S=-LI:A1; . . .;L,: A,. Now assume we can find a list of label invariants Pl .... ,p,. These Pi are assertions which we assume to be true every time label Li is reached during execution of S, starting in initial state satisfying p. We now refine our notion of validity once more, and define validity (with respect to the invariants p~ at L~ for i = 1, ..., n) informally as follows:

(,) The formula {p} A {q} is called valid, iff for every evaluation of A the following holds: if p holds for the initial state, then either evaluation terminates at the normal exit point of A and q holds, or evaluation terminates at an Li-exit point of A and Pi holds (for some i, 1 < i < n).

One can see that, according to (*), the formulae {p}gotoL~{q} are no longer valid for all p. Validity holds however for all preconditions p such that p =pi. In particular {p~} g o t o L~ {false} is valid (i= 1,. . . , n). Notice also that the inference rules and the assignment axiom given earlier remain valid according to (,).

Now if we can derive {Pi} Ai{pi+l} using these rules and axioms, and also the formulae {p j}gotoLj{fa l se} , then we know that {pi}Ai{pi+l} must be valid according to (*). This means the following: if we consider evaluation of Ai as a sub-statement of S = L x : A 1 ; ... ; L , : A . , starting at an initial state for which p~ holds, then we can infer from the validity of {pi}Ai{p~+l} that at the normal exit point p~+l holds, and that at every Liex i t point pj holds. In other words: when evaluation of A~ terminates because label L i has been reached then the corresponding invariant pj must hold (1 < j < n).

But from this we can infer that {p~} S{p,+~} holds. For, consider an evaluation of S with initial state satisfying Pl, and suppose that this evaluation terminates. Then this evaluation can be split up in a finite number of subsequent


evaluations of sub-statements A i, and since by the above considerations we are assured that at all "links" labelled Lj the corresponding invariant pj holds we can infer that P,+I is true when the last evaluation of sub-statement A, terminates (necessarily at the normal exit point).

The above considerations suggest the following inference rule [8]:

if we can derive {Pi} Ai{Pi+~} (i= 1 . . . . ,n) from the assumptions {p j} g o t o Lj {false} (j = 1, ..., n), then we may infer {Pl} L,:AI; . . . ;L , :An{p,+~ }.

Now the formula {true} S{x=0}, where S=L1 : x." = 1; g o t o L2; L2." x: = x (sc. the above incorrect derivation) cannot be derived anymore, but a derivation of {true} S { x = 1} can be made straightforwardly (take p, = t rue , P2 = x = 1).

The inference rule given above leads to compact proofs but, as it stands, is not so suitable for proof-theoretical considerations. Accordingly, we shall now give a more tractable variant of the proof system. In section 8 we shall give a formal justification of the above rule.

It can easily be seen that the assumptions {p j} g o t o Lj {false} 6/= 1, ..., n) are introduced in the above inference rule only because our proof system must be able to contain information on the label invariants pl which are used in the proofs. The method that we apply is to take these invariants up in the formulae occurring in the proofs. Our correctness formulae will look like

(L~ : p~ . . . . ,L , : p , I {p} A {q} >,

so the invariants p~ corresponding to L i are supplied explicitly in our formulae, instead of implicitly in the assumptions used in a proof. The informal meaning of the above formula is the one as given by (*).

After this introduction the following definitions must be clear.

Definition (Syntax of correctness formulae). The class or (list of label invariants) with typical element D is defined by

D : : = L : p l L : p , D

where it is required that if D = L 1 :p~, . . . ,L , :p , , then Li~-L i for i+-j. We write [Li: Pi]7= 1 instead of L a :Pl . . . . , L.: p,.

We say (L:p) occurs in D (notation: (L:p) in D) iff L - L j , p=-p7 and D = [Li: Pi]7= 1 for some j (1 =<j =< n).

The class cg~** (correctness formulae) with typical element f is defined by

f:." = p I<O; {p} A {q}>l {P} S {q}.

We write (O] {p} a{q}> instead of (O; {p} A{q}>.

Definition (proof system #f). The axioms of ~r are given by the following schemes:

(A1)

(A2)

(A3)

<DI {p[s/x]} x:=s(p}> (DI {p} goto L {false}>, where D = ELi: Pd~'= 1, L =-- L j, p -- pj for some j (1 < j < n).

P, where p is a valid assertion (i.e. Va ~ 2:0: Y-[p] a=tt).

406 A. de Bruin

The rules of inference have the form

L ~ " ' ' ' L

f ,+ l

("from f l . . . . , and f , , infer f ,+l") and are given by the following schemes:

(R1) Pl~Pz'P3~P4' (D[{p2}A{p3}) <D[(PI} A {P4} >

(R2) Pl=P2'P3=P4' {p2}S{P3} {Pl } S {P4}

(D[ {Pl} A {Pz} ), < O[ {P2} A' {P3}) (P.3) (DI{pl} A; A'{P3}>

(DI {p/x b} A {q} > (V[ {p/x -lb} A' {q} ) (n4) (D[ {p} if b then A else A' fi {q}>

(R5) (DI{Pl}A~{Pz}>'""(D[{p'}A"{p"+I} where D-[L~:pJT=I. {Pl} [Li: Ai]7=z {P,+ 1}

Definition (normal pair, normal correctness formula, normal fragment of o~f). A pair (D, A) is called normal if all labels in A occur in D.

A correctness formula f is called normal if either f is an assertion, or f=-(D[{p} A{q}) and (D, A) is a normal pair, or f - { p } S{q} and S is a normal program (i.e. all labels in S are declared).

The normal fragment of the proof system jig, denoted by ~FN, is the system restricted to normal formulae only.

Definition (formal proof). Let f e q f ~ . A sequence f l . . . . ,f~ with fi s ~ o ~ (i = 1, ..., n) is called a formal proof of f in o~ if

a) f - f , b) for all f~ with 1 < i < n the following holds:

either 1) f~ is (an instance of) an axiom or 2) there exist f /z ,-" , f~k E egos, with 1 <ij<i for 1 <j<k,

such that

f / l ' "" ' ' f ik

f,

is (an instance of) a rule of inference.

We say that f is provable, notation ~-f, if there exists a formal proof of f.

The system defined above is dependent on the interpretation J of the primitive relation and function symbols, because the axioms of (A3) are determined by J-, which function depends on J . We include all true assertions as axioms because we don't want to pay attention to deduction systems for the assertions only. We want to focus on the rules which can be used to prove properties of statements and programs. Also, in the proof of completeness of


our system ("every valid formula is provable") we don't want to be hindered by deduction systems for the assertions which are possibly incomplete.

We now turn to the question of validity of correctness formulae (again with respect to an interpretation d). We use the notation # f to denote that f is valid. An informal definition of the concept has been given in the remarks preceding the definition of the deduction system. We will now formalize the ideas developed there. By now it must be clear that in the validity definition the semantic function ~ ' will be much easier in use than the function JV (see the remarks preceding the definition of d at the end of Chap. 4).

Definition (Validity). Validity of a correctness formula f notation ~ f , is defined by

a) ~ p i f fVa~Zo: J-[[p]]a=tt b) ~ (D]{p}A{q}) iff

V a e Z'o: J[[p]] a=t t [(3 a '6Zo: d[[A'Ha=a' AY[[q]]a'=tt)v ] (3 a' ~ Z o 3 (L:p') in D: diAl] a=(a ' ,L ) A J-[[p']] a'=tt)

c) ~ {p}S(q} i ffV76F Va, a'~Z'o: [(3-[[p]]a=ttAa'=~[[S]]Ta) ~ J-[[q]]a' = tt].

In words this amounts to the following. An assertion p is valid if it is true in all (defined) states. A formula {p} S{q} is valid, if evaluation of S with initial state a satisfying p, either doesn't terminate or terminates in final state a' for which q holds. The most complicated case is f---(DI {p} A{q}). This f is valid if for every state a satisfying p the following holds: if evaluation of A terminates normally in a' then we want q to be true in a'; if evaluation terminates by a jump to some L in state a', we want this L to be an L i in D---[L~:p~]7 = 1, and the corresponding assertion pj must be true in a'.

7. Soundness and Completeness of

We next like to show that the deduction system is sound (" ~-f =~ ~ f " ) , and complete ( " ~ f ~ ~-f"). Now the definition of provability as well as that of validity shows that both notions are dependent on the interpretation d chosen. In this section we will prove that F-f =~ ~ f holds for all correctness formulae. The converse is not true in general. Following Cook [9] we have to put a restriction on the interpretations allowed: only those interpretations are taken into account which make the class doo~ expressive with respect to the language ~ o ~ . Only if d o ~ is expressive we can be assured that it is possible to find suitable label invariants Pl . . . . . p, ~ d o ~ for every program S-- [L~ : Ag]7= 1. The completeness theorem to be proved will then be that under every interpretation J such that doo~ is expressive with respect to ~ we have that ~ f =~ t - f for every normal correctness formula f.

408 A. de Bruin

Definition (validity of rules of inference). A rule of inference

L .. . . . L

f,+a

is called valid i f ( ~ f l , . . . , ~ f , ) => ~ f , + l . Note that validity of an inference rule again depends on the underlying

interpretation J just like the validity of a correctness formula.

Lemma 7.1. Every axiom and every rule of inference in 9ff is valid.

Proof. (A1) We have to prove ~ (D[ {p[s/x]}x==s{p}). We have d[[x,=s]] a = a {~[[s]] a/x} for all a e 2: o. Furthermore Y-[p [s/x]] a = tt implies J-liP]] (a{C/'[[s]] a /x})=t t by Lemma 6.1d. Thus we have that for all ae27 o with ~'-[[p[s/x]]] a = t t there is a a', namely a{~/'[[s]] a/x}, such that d[[x==s]] a=a' and ~'-[[p] a ' = tt.

(A2) We have to prove ~ (DI{pj} g o t o Lj {false}) for D-[Li:pi]~=l. Choose a ~ Z o such that ~--[[pj]]a=tt. We have s~[[go toL j ]a=(a , Lj). Thus there is a a', namely a itself and a pair (L:p") in D, namely (Lj:pj), such that ,.~[[goto Lj~ a = ( a ' , L ) and ~-~p"]] a'=tt .

(A3) Evident.

(R1) Suppose ~ P l=P2 , ~ P3~P4 and ~ (DI{p2}A{p3}). We want to prove (Dl{pl}A{p4}) . Choose a a G I o , and assume Y[p: ] ]a=t t . From pl=pz

we infer ~--[[P2]] a=tt . The fact that ~ (D[ {P2} A {P3} holds yields

either qa'G2;o: ~[[A]]a=a'A~--[[Pa]a'=tt. But in this case we can use p3~p,~ to infer 3 a '~ Zo: ~r a=a' A f f ' [ p ~ a '=t t ... (*)

or 3a'GIo: 3(L :p" ) in D: dl[A]]a=(a' ,L>AJ-[[p"]]a'=tt ...(**)

But now we have proved J-l[p:]]a=tt =r (*)v(**), and we conclude that (DI {p:} A {P4}> holds.

(R 2) Analogously.

(R3) Suppose N(DI{p:}A{p2} > and N(DI{p2}A'{p3} >. We have to prove ~ ( D l { p l } A ; A ' { p 3 } >. Choose a aG2~ o such that 3-[[pa]]a=tt. From

(D[ {p:} A {P2}) we infer that

either (~r a=a' A ~-[[p2]] a'=tt) for some a'~2; 0 ... (1)

or (d[ [A] a = ( a ' , L ) / x ~--[[p"]] a'=tt) for some a'eZo, (L:p") in D ...(2)

ad (1). ~ (D[{p2 } A'{p3} ) and J-[[P2]] a '=t t for some a'GZ o give us:

either (sd[[A']]a'=a"AJ[[p3]]a"=tt) for some a " ~ I o. From ~ A ] ] a = a ' and ~ [ [ A ' ] ] a ' = a " we infer ~[[A;A '] a=a". Furthermore we have ~- [p3 ]] a" = tt,

or (~r A~-[p"]]a"=tt) for some a " G I o and some pair (L:p") in D. But then ~[[A]]a=a' and ~[[A']]a '=(a" ,L) give us ~r A']] a = ( a " , L ) and we have also ~-[[p"]] a"=tt .

ad (2). From ~r ~r = (a' , L ) we have ~r A']] a = (a', L). Furthermore we have have ~--[[p"]] a'=tt .


The conclusion is that for every choice of a the conditions imposed by the definition of ~ (DI {Pl} A; A' {P3}) are satisfied.

(R 4) can be proved analogously using results like

( d [ [ A ~ a = a ' ^ ~ f f [ [ b ] l a = t t ) ~ all[if b then A e l s e A ' fi]] a=a ' .

(R5) Suppose ~ ( D l { p i } A i { p i + l } ) ( i= l , . . . ,n ) , where D=[Li:pl]'~=l. We have to prove ~ {P l} [Li:Ai]~= ; {P,+ 1}, or equivalently

V y G F V O', O" ~ Z0 [(9"-[[pl ] a = t t A , /~[[[L i : Ai]~'= 1]] 7a=a ' ) =~ ~'-[P,+I]] a'=tt]�9

So, choose 7 e F, and let ~bl, ,_lob (k) and y~) be derived from [Li:A~]7= 1 and 7 as in Lemma 4.2. We now prove the following lemma.

Lemma. Vk~]N [Va, a '~Z: (~--[[pi]]a=tt^a'=qblk)a) =*. 3-[[p,+a]]a'=tt , for i =1 . . . . . n + l ] .

Proof (induction on k). Basis (k=0). This is easy, because (i) qSl~ �9 l for i = 1, . . ,n and therefore there is no a'E X 0 such that a'=qSl~ (it) a,(i) = 2 a . a, �9 ' ~ n + l

but then the assumption reduces to ~'-[[P,+I] a = t t ^ a' =(2a . a ) a = a , and thus the conclusion J- lip, + 1] tr' = t t holds.

Induction Step. Choose an i ( l < i < n ; the case i = n + l is again trivial) and choose a , a ' 6 Z o such that J-l[piq]a=tt and a'=cplk+l)a. N o w ~Ik+l)o- = JV'[[Aft] 7 tk) ~bl k) a. From ~ (DJ {Pi} Ai {Pi + 1}) we know that

either d[[A~]]a=a" and Y-[[p~+l]]a"=tt, for some a " E S o. But then we have a'--,6(k+X)---'~(k)la" (using 4.3.1~ Induction hypothesis, and - - ' r i t ) - - t / J i +

Y-n-p~+l]] a " = t t yield J-[P,+I]] a'=tt ,

or ~r and 3-[pj]]G"=tt, for some a " e Z o and some j (l=<j<n). Now o"=d) (k+l) #V'[[Ai]]v(k)~(k) q~j a -~i a = ~ , r i + l a = y ( k ) [ [ L f l ] 6 , , = (k) ,,

(using (4.3.2~ Induction hypothesis and ~--[[pi]] a" = tt yield J-liP, + 1]] ~' = tt.

This proves the lemma. []

Now, returning to the proof of ~{Pl} [L~: A~]~'=~ {p,+~}, we have by definition that JI[[L~: AJ~'= 1]] Y=W[[A1; ... ; A,]](y{cpJL,}~= 0{2a . a} =q~l by Lemma 4.2.2. And q51 = [__l ~b] *), by Lemma 4.2.1.

k

Choose a , a ' ~ Z o such that ~-[[pa]]a=tt and a'=CPla. Then (because q51a =[_.](qS]*)a)) there is a /~ such that a'=(o]~)a, and the lemma gives us

k

~--[[P,+ 1] a'=tt . This proves ~ {p~}[L~:AJT=l{p,+l}, which was the last clause in the

proof of 7.1. []

Theorem 7.2. The proof system ~ is sound, i.e. for every interpretation J and every correctness formula f we have ~ f ~ ~ f

Proof Induction on the length of the proof off , using Lemma 7.1�9 []

We now turn our attention to the question of completeness of the proof system, i.e., ~ f =~ ~ f If f is an assertion p, then we can simply use axiom scheme (A3), so there is no problem here.

410 A.deBruin

The next possibility is f - ( D l { p } A { q } ) . Suppose this f is valid. Now we have to construct a formal proof of this formula. This will be done using the concept of weakest precondition: we will show that for all D ~JmvE, A ~5~ga, g and p ~ d ~ (such that ( D , A ) is normal), we can construct a qedoo~ which is the weakest formula that makes (Dl{q} A{p}) valid (by "weakest" we mean true in as many states as possible). This is part of Lemma 7.4.

In the same lemma we show that for this assertion q the formula (Dl{q}A{p}) is provable. Once we have reached this result, the rest is easy. We use the property that, if q expresses the weakest precondition of A with respect to p and D, and if ~ (DI{p '}A{p}) for some p'edoo~, then we have

p'=q (otherwise the precondition q wouldn't be the weakest one). Thus in this case we can derive (D[ {p'} A{p}) using (R1).

Definition (weakest precondition). Let Ae6egag, p ~ d ~ , D ~J~vf . We say that q expresses the weakest precondition of A with respect to postcondition p and invariant list D iff

VOESo: ~--[q]] o = t t

Zo: ,, =t l) v ] L(g a' e Zo 9(L : p ) inD: Edl[A]l a= (a ,L ) /x J[p']] a'=tt])J.

We write p ~- wp [[A, p, D]] to express this.

Lemma 7.3. Let A e ~ l ~ ( , p, qedocae, D ~ J ~ f . I f q"~wp[[A,p,D]], then

a) ~ (DI {q} A {p}) (i.e., q is a precondition)

b) V p ' e d o o , : [ # (D[{p'}A{p}) ~ ~ p '~q] (q is the weakest).

Proof. Immediate from the definitions. []

Lemma 7.4. For all AeSPla~, p~aJ~,a/~, D e J ~ # l s u c h that ( D , A ) is normal, we can find qeaffoo~ for which q"wp[[A,p,D]]. Moreover for this q we also have F- <Dl{q}A{p}) in 3~ N.

Proof. By induction on the structure of A. We distinguish four cases.

1 ~ A - x : = s . Choose p e ~ r and D~aC~vl. Then p [ s / x ] " wpl[x:=s, p, D]]. For, choose a 6 S o. We have to show

J-l[pEs/x]]] a=t t r (3 a' ~ Z o [(affl[x :=s]] a=a') A 3-l[p]] a '=t t ] )v

(3a '~ S o ~(L : p") in D [(aft[All a = (a', L)) A ~--[[p"]l a'= tt]).

Now ~[[x: =s] a= a {"F'[[s]] a/x} ~ So, so the above equivalence comes down to

J- lip Is~x]]] a = tt r 3 a' ~ Z o [ (~ ' [Ix: = s]] a = a') A J-U-p]] a ' = tt] ~-[[p]] (tr { 3r a/x} ) = tt,

and this is 6.2d. Furthermore, we have ~- <D[ {p[s/x]} x :=s{p}) by (A1).

2 ~ A=A1;A2 . Choose p~a~r and D ~ J ~ I such that ( D , A ) is normal. By induction there is a q '~aJoo~ with q'",wp [[A2,P,D]] and I- (DI {q'} A2{p})


in JfN. Again by induction we have q ~ d o o n such that q~-wp[[Al,q';D]] and ~- (D[{q} Al {q'}> in ~N.

First, we will show that for this q we have q~-wp[A,;A2,p,D]]. Choose a a e S o. We have to prove

#-[q]] a = t t <~. (3 a' e So[d[[A1; A2]] a=a ' A #-[[p]] a'=tt]) v (S a' ~ 2 0 5 (L :p') in D [ d [ [ A , ; A2]] a = (a ' , L ) ^ #-I[p']] a' = t t]).

We distinguish two cases:

a) d l [ A t ] a=a". We then have d[[A, ;A2Jla=dl[Aa]]a" by definition of d . Using these facts the above equivalence reduces to

#-[q]] a = t t <~. (3 a' ~Xo[dl[A2]] a"=a ' A3-[[p']] a'=tt])V (S a '~ X o S (L :p') in D [ d ~'A2"~ o-" = (0", L ) A J[[p']] a' = t t]) ,

and by q'"~wp[[A2,p,D]] this is equivalent to #-[[q]]a=tt<~.#-[[q']]#'=tt. Now we have by q~wp[[Al,q',D]]

J[q]] a = tt ~ (S a'~ Z 0 [dl[A1]] a = a' A J[[q']] a' = tt]) v (3a' ~ Z 0 3(L:p') in D[~[[A1] a = ( a ' , L ) A #-l[p'] a'=tt]).

Substituting a" for d[A~]] a (that is the assumption) the right-hand side of the equivalence reduces to #-[[q']] a"= tt, and we are ready.

b) d[[A1]] a = ( a " , E ' ) . We then also have that d[A1;A2]] a = ( a " , E ' ) and the definition of q~-wp[[A 1 ; A2,P,D]] reduces to

#-l[q] a= t t r 3p" e~r [(E' :p") in D m~--[p"] a"=tt].

But this equivalence is immediate from q~-wpl[Al,q',D]] and ~r =(a",E'>. So, we have proved that q~-wp[[A1;A2,p,D~.

The proof that (D[{q}AI;A2{p}> can be derived in 3r is easy by the assumptions on q and q' (using rule (R 3) of composition), and the fact that the pair (D, A1;A2> is normal (which means that (D]{pl}Al{p2}> and (D[ {P2} A2 {P3}> are normal formulae).

3 ~ A - i f b then A 1 else Z 2 fi. Choose pedoo.n and D ~ J ~ v ( , such that <D,A> is normal. By induction we ave q~,q2edoo~ such that

qa~-wp[[A~,p,D]] and ~(D[{q~}A,{p}> in ~N

q2~-wp[A2,p,D]] and ~- (D[{q2}A2{p}> in 4 .

We will show that for q-- i f b t h e n ql e l s e q2 fi we have

a) q"~wp[[if b t h e n A~ e l s e A 2 fi, p,D]l

b) (D l {q} if b t h e n A 1 e l s e A 2 fi {p}> in 3r N.

a) Choose a a ~ X o. Without loss of generality #/'l[b~ a = tt. Then

#- [ i f b then ql else q2 fill f f = t t <=> #-[[q;]l a=tt .

412 A. de Bruin

Also d[[if b then A x e l s e A 2 fi]la=d[[A1]]a. Now q l ~ - w p [ [ A l , p , D ] is equivalent to

9--[[q 1]l a = tt <:~ (3 a' ~ X o [ ~ [ A 1]] a = g' A Y[[p]] a' = tt]) v

( 3 a ' e Z o 3 (L:p') in D [d[[A1]] a = ( a ' , L ) A ~-[[p']] 0"=tt]).

Combining these results, we get

~--[[if b t h e n ql e l s e q2 fi]] a = t t

(3 a '~ Z 0 [ d [ [ i f b t h e n A 1 e l s e A 2 fi]] a = a' A J'[[p]] a ' = t t ] ) v

( ~ p ' ~ Z o 3 ( L : p ' ) in D[d[[if b t h e n A 1 e l s e A 2 f i ~ a = ( a ' , L ) / x ~ - - [ [ p ' ] ] g ' = t t ] )

and this is the result we were aiming at.

b) We have qAb--(if b then ql else q2 fi)Ab, and thus ~ qAb~ql. Also, using (A3) and (R1), and I-(D[ {ql} A {p}) (in ~ ) we get ~- (D[ {q/x b} A 1 {p}) in ~f~N. Analogously ~ (D[ {q/x -] b} AE{p} ) in ~ . So, by inference rule (R4): I- ( D [ { q } if b then A 1 e lseA 2 fi {p} ) in ~ s .

4 ~ A - g o t o L. Choose p ~ J o ~ and D e J ~ * * f , such that ( D , A ) is normal. This means that we have a q~r such that (L:q) in D. We prove q ~ - w p [ [ g o t o L,p,D]]. We have to prove

J-[[q]] a = tt <* (3 a' ~ Z o [~/[[goto L]] a = a' /x 9-[p]] a ' = tt] v

( 3 a ' ~ Z o 3(E:p') in D[M[[goto L]] a = ( a ' , E ) A~J[[p']]6 ' =tt]).

Because ~/[[goto L]l a = ( a ,L )~ ,r 0 • ~ v ~ , , the equivalence reduces to

J-[[q]] a = t t ~ 3p' ~ r [(L:p') in D A~-[[p']] a = t t ] .

Now we have (L: q) in D and thus the right-hand side is equivalent to J'[[ q ]] a = tt.

Furthermore, in order to show that I-(D[{q} goto L { p } ) in ~ , we have by (A2) I--(D[{q}gotoL{false}) and by (A3) ~-false~p. So we can use (R 1) to derive I- (D[ {q} g o t o L { p } ) in ~s .

This completes the proof of Lemma 7.4. []

Observe that in this lemma it is not merely proved that there exists a formula q expressing the weakest precondition for any A, p and D, such that ( D , A ) is normal The proof also provides a purely syntactical method to derive such a formula. This shows that for every A, p and D with the above restriction, we can construct an assertion q expressing the weakest precondition. Thus this q is independent of the interpretation J of the primitive relation and function symbols.

Note also that there are many assertions expressing the weakest precondition of A with respect to p and D. For instance, if q~-wp[[A,p,D]l then the same holds for q/x true (to give a trivial example).

We now state and prove the completeness result for correctness formulae having the form (D[ {p} A{q}).


Lemma 7.5. For all A r ~99g~, p, q 6 d ~ and D 6J~v~such that (D,A> is normal we have

~ <D[{p}A{q}> ~ ~-<D[{p}A{q}> in ~ .

Proof. Choose A,p,q and D such that the assumptions are true. Suppose also (Dl{p}A{q}). Now by Lemma 7.4 there is a p'~-wp[[A,q,D]] for which

~- (Dl{p'}A{q}) in o~ffN. By Lemma 7.3 and ~ (DI{p}A{q}) we have Wp~p' . So, using (A3) and (R1) we get t- (DI{p}A{q}) in d f N. []

Note that up till now no claims have been made on the interpretation 3 . The only additional condition was that (D ,A) should be normal. It can be seen that this is necessary from the fact that

(L:pl {true} if true then x." =0 else goto E fi { x = 0 } )

holds, even if L~E. However, there is no way to derive this correctness formula in ~ .

We now turn our attention to the discussion of completeness with respect to correctness formulae of the form {p}S{q}. If we want to formally prove such a formula, we have to find suitable label invariants for all labels declared in S. It is at this point that we have to put the restriction on d which we mentioned in the introduction of this chapter.

The question arises whether in our case such a restriction is necessary. Wand [18] proved that such a restriction is needed for programs without g o t o statements, but containing while statements. He constructed an interpretation d and a correctness formula which was valid under or but not derivable, because there was no assertion available which could express a suitable invariant. His counterexample can be transferred to our language in such a way that the same arguments he uses can be applied in our situation. Therefore we must make a restriction on d .

Before we can give an exact definition of this restriction (expressiveness), we have to make a few preparations.

Lemma 7.6. Let S - [ L i :Ai]n= 1 ~r and 7~F. Let go i be derived from S and 7 as in the definition of Jg. I f S is normal, then all ~i are independent of 7.

Proof. The following holds: Let Ae~9~ and {Lx, . . . ,L,} be the set of all labels occurring in A. Let ~ b , ~ l , . . . , ~ , ~ M and 7~F. Then Jff[[A]](?{~i/Li}~=l)C ~ is independent of 7. This fact can be proved by induction on the structure of A.

From this result we can infer that the operator

is independent of 7, and thus the same must be true of <~b~ . . . . ,q~>, being the least fixed point g 4) of ~. []

Definition (transformations derived from S). Let S be a normal program. Then the ~b i defined as in Lemma 7.6, are called the transformations derived from S.

414 A. de Bruin

Definition (weakest precondition of a transformation from M). Let 4 e M , p c~r We say that q expresses the weakest precondition of c~ with respect to p iff V a ~ 2; 0 : [~-'[[q]] a = tt r (c~ a 4= l ~ J'[[p~ (cb a) = tt)].

Definition (expressiveness). Let J be an interpretation of the primitive relation and function symbols. We say that doo~ is expressive relative to ~ r and J , iff for all assertions p and for all normal programs S the following holds: there are assertions Pl . . . . ,p, such that Pi expresses the weakest precondition of ~bi with respect to p, where q5 i are the transformations derived from S (i = 1,..., n).

If the primitive relation and function symbols of our language ~*~7 are such that doo~ is a language for Peano arithmetic, and if ~ is the standard interpretation of this language in the natural numbers then, using recursion theory, we can show that the transformations ~bi derived from a normal program S are partial recursive functions in the free variables of S. A result of recursion theory is that for every partial recursive function ~b: IN k---~ ~k, there is a formula p in d~o~ with free variables x 1 .... ,Xk, Yl . . . . ,YR, which expresses this function, i.e. ~ P(g~ , ' " ,~ , f l t , ' " , f l k ) iff qS(~ 1 . . . . . ek) is defined and equal to ( f l l , ' " , f l k ) (where ~i, fii are numerals denoting the natural numbers c~i, [33. From this we can infer that doo~ is expressive relative to ~ r and the standard interpretation Jo.

Now we have enough tools to state the main lemma needed to prove completeness for formulae of the form {p} S{q}. In essence this theorem states that the p~ from the definition of expressiveness are the label invariants which we are looking for.

Lemma 7.7. Let J be an interpretation such that doo~ is expressive relative to ~ and J . Let S-[Li:Ai]n=lE~i~r be normal. Let p6~r and let c~i be the transformations derived from S (i= 1 . . . . . n). Let Pi be the assertions expressing the weakest preconditions of (a i with respect to p (i= 1, ...,n), and let P ,+I -P . Then

I=: ([Li :pi]n= 11{Pj} Aj{Pj+I}) for j = l , . . . ,n .

Proof Choose j(1 <j<n) and aeX o such that 3-[[p~]]a=tt. There are two cases:

a) ~'[[A)I a = a' e X o. According to the definition of ~ (DI {pj} Aj{pj+ 1}), in this case we have to prove that ~-[p~+~]] a'=tt . Now by the assumption on p~ and by definition of weakest precondition we have ~-[[pj]] a = tt ~ (c/)sa 4: l ~-[[p]]((o~a)=tt). Also, ~)jO'~-~)j+lt7 t (by 4.3.1 ~ ~r and qS~a =~4~[[A~]](V{d)dL~}7=Od)j+la). Combining these results, we get ~--[[p~]]a=tt r162 ((ai+~cr'+-• => ~-[fp]](dai+~cr')=tt). But the right-hand side of this equivalence is (by definition of weakest precondition, and by the assumption on P~+ 1) equivalent to ~-[[p~+ ~]]p' =tt.

b) ~r c r = ( a ' , L ) ~ Z o • ~ a , . From the fact that S is normal, we infer that L must be some L k ( l < k < n ) . We have to prove (by definition of

(D[ {p} A{q})) that :-[[Pk~ a'=tt . Again we have: ~-[[pfl]~r=tt r ((o~tr4:_l_ ~ ~-[[p]](c/)/r)=tt), and now we have ~/r=~bka'

by 4.3.2 ~ (analogously to a)). Combining the results, we get


J-[[pj]] a=t t r162 (C~ka' # l =~ g-~p]] (qbka')=tt)

"r 3-[[pk]a'=tt. []

We now can collect our results in the completeness theorem 7.8.

Theorem 7.8. The deduction system ~ is complete in the sense of Cook, i.e., for every interpretation J such that d~o~ is expressive relative to ~ and J , and for every normal correctness formula f, we have ~ f =~ ~- f in ~ .

Proof a) I f f = p ~ d o o ~ , then ~ p ~ ~- p by (A3)

b) I f f = ( D I {p} A{q}) then we can apply Lemma 7.5.

c) f = {p} S{q}. Say S = [Li:Ai]7=l. Let q5 i be the transformations derived from S. By Lemma 7.7 there are assertions pj, expressing the weakest preconditions of qSj with respect to q such that

( [Li: Pi]~= t I {P j} Aj {pj + 1 } )

for j = 1 . . . . , n, where p,+ 1 --P. Note that these correctness formulae are normal by the fact that {p}S{q}

and thus S is normal. Lemma 7.5 then gives us

I--- ([Li:Pi]~=tl{Pj}Aj{pj+l}) in

for j = 1 .. . . ,n. Now we can apply rule (R5) to get

{pl}S{p,+~} in ~vf N.

Now p,+l-=q. Moreover ~ p ~ p ~ . For, assume ~ for some a ~ Z o. Then, by ~ {p} S {q}, we have V ?EF V tr'~ So: a ' = J//[[S]] ?a ~ 9"-~q]] a' = tt. But Jg[[S]]va=4)la (Lemma 4.2.2). Thus: a'=gala~S, o =~ g-~q]]a'=tt. But this is equivalent to ~--[[p~] a= tt, using the definition of weakest precondition.

We had I--{pl}S{q}. Also ~ p ~ p ~ , and thus ~ p ~ p ~ by (A3). Finally, using (R2), we conclude ~- {p} S{q} in o~ u. []

8. Deduction System: Second Variant

The validity definition of Sect. 6 makes explicit use of the label invariants Pi, which therefore had to be provided by the formulae of the deduction system. The purpose of this chapter is to show that it is possible to define validity in such a way that the label invariants are not explicitly needed. We will, using continuation semantics, associate a truth value with a formula {p} A {q}. This truth value will be dependent on the meaning of the labels occurring within A, i.e. the value depends on the environment 7- Consequently, we will establish a semantical function fr such that for every A, p and q we have ~[[{p}A{q}]: F ~ {ff, tt}.

This leads to a definition of validity which turns out to be equivalent to the one of Sect. 6 in the following sense: ([Li:pl]~=l [ {p}A{q}> is valid according to the definition in Sect. 6, if and only if {p} A {q} is valid (using function ~) in

416 A. de B r u i n

every environment ~ for which all formulae {pi}gotoL i{false} are valid (i = 1,..., n). Or more formally,

( [Li : P/J7= 1 J {P} A {q})

"~ V 7~ F [ / ~ (fr goto L i {false}]] 7 =tt) ~ c~[[{p} A {q}]] 7= t t ] . L i= 1 J

Using this new approach we can define validity for the system as given in [-8]. But, before we do that, we change this system somewhat. The system in [8] is presented as a natural deduction system, which means that the notion "proof from assumptions" is used. A line in a formal proof can be a formula which is introduced as an assumption. The system also has an inference rule in which assumptions are discharged, namely

{p'} goto L {false} ~- {p} A, {p'} {p'} goto L {false} ~- {p'} A 2 {q}

{p} A 1 ; L: A 2 {q}

which discharges the assumption {p'} goto L {false}, needed in the derivation of {p} Al{p' } and {p'}Az{q}. Thus, every derived formula f in the system of [8] will have a finite set A of assumptions attached by it, namely those assumptions which were used to derive f

We transform this natural deduction system into a sequent calculus having formulae of the form

A ~ {p} A {q},

where A is meant to be the finite set of assumptions associated with the derivation of {p}A{q}. The advantage of this system over the natural deduction system is that validity of a formula can be defined more directly, now that every formula incorporates the relevant assumptions.

We now define the deduction system

Definition (atomic correctness formula, correctness formula). An atomic correctness formula is a formula of the form {p}A{q}. The class of all atomic correctness formulae will be denoted by d r o p , and has g as a typical element.

A correctness formula is either an assertion, or a formula of the form A~{p}A{q}, or a formula of the form A~{p}S{q}, where A (the set of assumptions) is a finite set of atomic correctness formulae. The class of all correctness formulae will be denoted by egos,, and has f as a typical element.

The correctness formulae ~b~ {p} A{q} and q ~ {p} S{q} will be abbre- viated to {p} A {q} and {p} S {q} respectively.

Definition (deduction system J/t~ The axioms are

(A1) A~{p[s/x]}x:=s{p}

(A2) A ~ g , whereg~A

(A 3) p,

where p is a valid assertion (i.e. V aEX0: ~--[[p]] a=tt).

G o t o Statements: Semantics and Deduction Systems

The rules of inference are

(R1) p l ~ p z , p 3 ~ P 4 , A--*{p2}A{p3}

A ~ {Pl} A{p4}

(R2) pl~pg,p3=P4, A---,{p2}S{p3}

A-~ {Pl} S{p4}

(R3) A--,{pl}A{pz},A--- ,{pz}A'{p3}

A--+ {pl} A; A'{p a}

(R 4) A --+ {p/x b} A {q}, A --+ {p/x -1 b} A' {q}

417

(R 5)

A --, {p} if b then A else A' fi {q}

a ~ a'--+ {Pl} A1 {P2}, "", A u A'---+ {Pn} An {Pn+ 1}

A'--+ {Pl} [Li : Ai]~= 1 {P,,+ 1}

where A={{p~} goto L~ {fa l se} l i= l . . . . ,n}, all L~ are different, and no Lz occurs in any assumption in A' (i--1,. . . , n).

The restriction on A' in (R 5) is imposed to circumvent possibilities like the following. Suppose A={{true} goto L 1 {false}, {x=0} goto L 2 {false}} and A' is the singleton {{true} go to L 2 {false}}. Then we can derive

A u A ' - * { t r u e } x : = l ; g o t o L z {x=O} . . . ( # )

using the assumption in A', and furthermore

A u A'--, {x=O} x : = x {x=O}.

Thus, discharging A, using "(R 5)"

A'--* {true} L 1 : x : = 1 ; goto L 2 ; L 2 : x : = x { x = 0 } . . . ( b )

and this formula is not valid (the assumption {true} g o t o L: {false} in A' is not relevant for the validity of (b), because the meaning of L 1 : x : = 1; goto L2; L 2 :x==x in any 7, given by J / , doesn't depend on the meaning 7[[Lz]] of L e anymore). Difficulties stem from the fact that the assumption in A' was used in the derivation of (#), and not discharged.

We now come to the definition of the function N which we shall need to define validity of correctness formulae. The main problem in defining the value of ~[[{p} A{q}]] in some environment 7 is that JV[A~ 7q5 is not a function that transforms states just before evaluation of A into states immediately after this evaluation, while q is an assertion describing the latter states.

We can however say something about the states at the normal exit point of A in the following indirect way. Consider the formula {p} A {q} and choose a predicate ~ (a function in S,o--,{ff, tt}) which we want to be true in every final state a'=ohq[A]lTc)a corresponding to an initial state a satisfying ~--[[pll a = tt. That is, we want

g a, a'~ So: [(~-[p~ a = tt/x a' = #Z[[A]] 740 a) => ha' = tt].

418 A. de Bruin

We will abbreviate this partial correctness condition to

{y-l[pll} X[Al l 7~ {n}.

Now, as this formula must correspond to {p}A{q}, we are looking for a relation between q, the continuation ~b chosen, and the predicate n. It is reasonable to demand that n(q5 a" )= tt for every (intermediate) state a" satisfying 3-[fq]] a " = t t (provided q~a"4: l ) . For, the continuation ~b is the state transformation describing what happens after evaluation of A has terminated at the normal exit point. So we want q, ~b and n to be related through {Y-l[q]]} ~b {n}. It turns out that this constraint on q5 and n is sufficient to lead to a satisfying validity definition.

Definition (predicates; partial correctness, semantical level). The class of predicates 11, with typical element n, is defined by 1 1 = Z o ~ { f f , tt}. For any n, n' e H and q5 G M, we define

{n} qS{n'} ~:> V a, a' ~ So: [ (na=t t A a'=(oa) => n' a'=tt].

Definition (~). The function ff with functionality fr d f o ~ - ~ F - * { f f , tt} is defined by

aj[[{p} A{q}]] 7=t t ,r VnGII Vc~GM [{y-[[q]]} q~{n} ~ {y-[[p[[} Jff[]'A]] 7q~{n}].

We extend the domain of f# to subsets A of ~r162162 as follows

~[A]] 7 = tt r V f ~ A : c~[[f]] 7 = tt.

Definition (validity). A correctness formula f is valid (written ~ f ) is

1 ~ f - p and VaGZo: y-[[p]a=tt , or

2 ~ f - A --~ {p} A {q} and V 7GF: ffl[A~ 7 = tt ~ fgl[{p} A {q}]] Y = tt, or

3 ~ f - A - - , {p} S{q} and V 7 EF: ~r 7 =tt ~ {Y-[p[} ~/[[S]I 7 {Yl[q]l}.

We now investigate whether the system as it stands now is sound and complete. It will be proven at the end of this chapter that the system is sound. However, the system is not complete. For instance, a formula like

{{p} x:=x; goto L{q})~ {p} goto L{q}

is valid but not derivable. Therefore we first prove soundness and completeness of a restriction of the system, namely the system consisting of normal correctness formulae only.

Definition (normal correctness formulae). A correctness formula f is called normal if

1 ~ f - p , or 2 ~ f - A ~ {p} A {q}, where A = {{p/} goto L i {false} l i = l, ..., n} such that

all L~ are different and that the labels in A are all Lg's, or

3 ~ f - { p } S{q}, where S is a normal program.

The system of ' , restricted to the normal formulae, is called the normal fragment of of' , and denoted by of~.


There is an obvious one to one correspondence between the normal correctness formulae as defined here and the normal correctness formulae from Sect. 6, given by the function 4), defined by

@ [lp]] --p

4~[[{{pl } goto Li {false} [i = 1 . . . . . n} ---, {p} A {q}ll = ([L/: P/J7= 11 {P} A {q})

�9 [[{p} S{q}ll = {p} S{q}.

If we compare the axioms and inference rules of Jcg with the ones of 9if' we come to the following lemma:

Lemma 8.1. For every normal correctness formula f we have

~- f ( i n 9if') <:> ~ ~[[ f]] (in Jog).

Proof. The ~ - direction is obvious. The proof of " ~ " essentially amounts to showing that o~' is conservative over 9f'/v, i.e. if a normal formula is derivable in o~' then it has a proof in J~cg}. This can be shown using the fact that every inference rule has normal premisses if its conclusion is a normal formula. []

If we can prove the same result for validity instead of deducibility then we can infer from the results in Sect. 7 that o~} is sound and complete. To achieve this, we first prove some lemmas, relating the definition of validity of f - A - , {p}A{q} with validity of ~[[ f]].

Lemma 8.2. Suppose f - {{pi} goto L i {false} [i = 1,... , n} ~ {p} A {q} is a correctness formula that is normal and valid. Then the following holds:

a) Va, a' e2;0: (d[[A]l a = a ' AY[[pl lo=t t ) ~J[[q]]a '= t t

b) V a, a' e 2:o: ( d [All cr = (0', Lz) A 3- [[pll a = tt) ~ J-[[Pill a' = tt (i = 1,.. . , n).

Proof. a) Choose a, a ' e •o such that Ylp]I a = t t and all[All a = a'. Choose 7o such that 7o[[Lill=2a. • for i = l . . . . . n. Then we can check that fql[{pz} goto L~ {false}]] 7o= t t for i= 1, . . . ,n and thus from validity of f we get fr If{p} A{q}ll 7o=tt . From the definition of fq we then have

Vg e H V~b �9 M [{~--[[q]]) 4){n) ~ {g/-[[p]]} (W [JAIl 7o4){g}].

If we choose n = f l [ q ] l and ~b = 2 0 . 0 , we can deduce from this

{Wf-pll}(W[rA]I 7o {~.0' a}){fl[q]l}.

Combining this with JV[[A]]70{20.0}0=0' (Lemma 4.3.1 ~ and J-[p]] a=tt , we get J-[[q]] a'= tt.

b) Choose a , a ' � 9 o and i (where l<_iNn) such that ~-[ [p] la=t t and sr 0=(0 ' , L~). Now, if we take 7o such that

[ o if a + • and Jl[pfll a = f f 70 [Lfl] a = ~• otherwise

420 A. de Bruin

for j = 1, ..., n, we again have that N[[{pj} g o t o Lj {false}]] 7o =tt (j= 1 . . . . . n). Arguing the same way as in the proof of a) we come to

Vn ~/-/V~b E M [{J[]q]]} qS{n} ~ {St []p]]} (jV[[A]] 7o~b) {n}].

Now we choose qS=2a- _1_ and n = 2 a . f f We then derive

{J-lip]]} (.#'[[A]] 7o {2a �9 1}){2a .f.f}.

Combining this with ~M[[A]]7o{Aa. _l_}a=7oJ[Li]]a' (Lemma 4.3.2 ~ and with J'l[p]] a = tt we have that

7o [IL/]] a'4= _L ~ ( ) , a .ff)(7o[[Li]] a')=tt.

So we must have 7o[[Li] ] a '= _1_, but this is (by definition of 7o and the fact that a' 4= _L) equivalent to Y-[[pi]] o-' = tt. []

Lemma 8.3. Suppose f - {{pi} g o t o L i {falso} I i = 1 . . . . , n} ~ {p} A {q} is a normal correctness formula. Then

~ f ,e~Va~22o: ,Y- l [p]]a=t t~[(3ai~X~ ] [(30- ~ 220 [ d []'A]] a = (a, Li) A ~-][Pi]] o" = tt])J.

Proof. " ~ " . Suppose ~ f and 3-[[p]la=tt. There are two possibilities (by definition of d )

a) d[[A]] a=a' ~ 220, and Lemma 8.2a yields ~--[[q]] 6'=t t

b) x4[[A]] a = ( a ' , L ) . Since f is normal, which means that all labels in A are an L~, we have that L is an Li for some i (l<i=<n). We then can apply Lemma 8.2b to obtain ~-[[p~]l a'= tt.

" ~ " . Choose 7 s F such that fg[[{p~} g o t o L~ {false}]] 7=t t for i = l . . . . ,n. Then we must derive fqJ[{p} A {q}]] 7= tt, or equivalently

Vn ~ H V~ ~ M [{~Y-[[q]]} ~b{n} ~ {~-[p]]} (JV'[[A]] 7~b){n}].

So choose n o and ~b 0 such that {J-[[q]]} ~bo{no} holds, and choose a such that J-[[p]]a=tt. We have to prove a"=Jlr[[A]]Tdpoa#:_l_=>noa"=tt. Again we have two possibilities:

a) d[[A]] a=a'. Then by assumption ~--[[q]] a'=tt , and by Lemma 4.3.1~ a" =JV'[[A]]7r162 From {J-[[q]]} qSo{no} we then have a"4:_l_ ~ n o a " = t t .

b) sC[[A]]a=(a',L~). By assumption J-l[pi]]a'=tt, and by Lemma 4.3.2~ a"=JV[[A]] 7qSoa= 7[ILl] ] a'. Now we use the fact that fq[[{pi} goto L i {false}]] 7 =tt, or VneH Vc/9~ME{J[[falso]]}(o{n}=*,{J'[[pl]]}(7[[Li]]){n}]. Taking n = n o and q~=2a._l_, we get {9-[[pi]]}(Tl[Li]]){no}, and from this we prove a" #: -l- ~ n o a" = t t. []

Corollary. For all normal correctness formulae f we have

f (according, to the validity definition of this chapter),~

�9 ~f]] (according to the definition of Sect. 6).

GoIo Statements: Semantics and Deduction Systems 421

Proof This is the lemma for f - A - . {p} A{q}. For all other cases for f we have that the respective validity definitions are the same. []

This corollary and the results of Sect. 7 now lead to

Theorem 8.4. The system 9r is sound and complete in the sense of Cook.

To conclude this section we show that system ogt' is sound although, as we have seen before, not complete.

Theorem 8.5. For all correctness formulae f , we have ~-f ~ ~ f

Proof The proof is analogous to the proof of 7.1. We prove here the more interesting cases, viz. validity of (A1), (R1) and (R5).

(A 1) Validity is proven if we can show that

V7 6 F Vr ~ M Vn 6 H [{~--[[p]]} qS{n} = {~--[[p[s/x]]]}(dV'[[x: =s]] 7qS){n}.

So, choose 7, q~, n and a such that {J'[[p]]}~b{rc} and Y [ [ p [ s / x ] ] a = t t hold. Lemma 6.1d then gives ~--[[p]]a'=tt, where a'=a{~U[[s]]a/x}. Now from JV[[x'.=s]] 2tha=~,ba' and {J[[p]]} ~b{7~} we have a " = Y [ [ x : = s ] ] yqSa=qSa':t:_l_ =~ rca" = tt.

(R1) Suppose ~ p a ~ p 2 , ~ p 3 ~ P 4 and ~A--~{pz}A{p3}. We then have to prove ~A ~ {Pa} A {P4}" Suppose that we have a 7 ~ F such that a3[[A]] , /=tt (if there is no such 7 then A ~ {Pl} A{P4} is vacuously valid). We then must prove ~[[{Pl} A{P4}]] 7=tt , orV~MVn~IIE{~--[[P4]]} q5 {~z} ~ {J-[[Pl]I} W[[A]I yq~{~z}]. We will prove this using the following fact:

if Va~2.0: r ca =t t~rc ' a = t t , then {rc'}~b{g} =~{rc}qS{g} . . .( .)

which can easily be verified. Now suppose {J-liP4]]} q~ {n}. From ~P3 =P4 and (.) we get {~--[[P3]]} c/){re}.

From this, ~A---, {p2}A{p3} and c5[[A]] 7=tt , we have {~--[[p2]]}(Jff~A]l 7qS){rc}. Then we use ~ P l =P2 and (*) again to derive {~--[[pl]]}(Jff[[A~ 7q~){rc}.

(R5) Let A = {{p~} goto L i {falsa} I i= 1,. . . , n} where all L i are different, and let A' be such that no L~ occurs in any formula in A'. Suppose furthermore that we have ~AwA'---~ {pl}Ai{Pi+l} for i=1 . . . . ,n. We have to prove

d'---* {Pl} [Li" Ai]n= 1 {Pn+ 1}" So, choose 7 such that cS[[A']]7=tt. Let q~, ~bl k) and 7 tk) ( i=1 . . . . ,n; k

=0, 1 . . . . ) be derived from 7 and [L~: AJ~=I as in Lemma 4.2. We then have to prove {~-[[Pl]]} ~b~ {~-[[p,+~]]} (take i= 1 in Lemma 4.2.2). Now if we can prove

Vk{~--[[pi]]}c/)Ik){y[[p,+~]]} ( i=1 . . . . . n + l ) . . . ( # )

then we are ready. For suppose we have a, a ' e X0 such that ~-[[Pl]] a = t t and a' = ~bl a. Then (since II t.t.(k)] at ~ - - - q~= ~,a , we have ([_]~b]k))a=ll((a~k)a), and because

k k k

is a discrete cpo there must be a/~ such that (a]k~a = a'. But then we can infer that J'[[P,+I]] a '=t t by applying ( # ) with i= 1 and k=k.

We now prove ( # ) by induction on k. The basis (k = O) is trivial, so we now perform the induction step. Choose i (1 <=i<=n, the case i = n + 1 being trivial).

422 A. de Bruin

We have to prove {J'[pi]]}Olk+l){Y[[p.+l]]} or {5-[[Pi~} (,/[/" [f Ai]] 7(k)~bi+l)(k)

{Y []-P, + 1]] }- Choose a , a " a Z 0 such that r and a"=X~A~]I ~:R)A,(R) wi+16. W e

have to show ~-[[p,+l]]a"=tt. We do this in a way that is analogous to the proof of Lemma 8.2, i.e. by choosing a suitable environment 7o. We distinguish three cases: d[[Ai] la=a' , ,;~[[Ai]] a = ( a ' , L j ) and ~r where L is not an L j.

1 ~ d[[Ai ] ]a=a ' and thus (4.3.1 ~ a . . . . . . = /v i i / i l l ]-II..(k) A.(k)y t/)i+lV--,q-i+ lrr-r/~(k) a t. So, if we prove J-[[p~+l]]a'=tt, we can use the induction hypothesis to infer that J-liP, + 1]] a" = tt.

We have ~ A ~ A ' ~ {p~}Ai{P~+l}; we also have f#[[A']] 7=t t . N o w , taking ? o = 7 { 2 a �9 _L/L~}7= 1, we can prove that (due to the fact that no Li occurs in A') f~[[A']] 70 = tt. Also, fg[[{pl} g o t o L i {false}I] 70 = tt. Thus we have fg[[A w A']] 70 = tt and thus fq[[{p~} A~{pi+ 1}]] 7o = tt. The same way as in the proof of 8.2a we now get that J-[[Pi+l]] a ' = t t from ~r a = a ' and J-[fPi]] a = t t .

2 ~ ~'[[A~]] a = (a ' , L;) and thus (4.3.2 ~ a" = j f f [LllilllrA 11 /"(k)Wi+"h(k) 1 a : 7(k)l[Lj]] a' =c~Jk)a '. So, if we can prove : -[[p;~a '=t t , then we can use the induction hypothesis to infer that : -[[p,+l]]a"=tt . Wo do this by choosing 7o =7{q~]L,}~=l, where ~t is defined by a) ( o : = a , if a:t: l and 3-[[pt] a = f f ; b) ~ t a = , l , otherwise. We again can check that N[[AuA']]7o=t t and thus fg[[{pi}Ai{p~+l}]]7o=tt. In a way, analogous to the proof of 8.2b we then can deduce from "~"[[Pl]] a = t t and ,5~[[Ai]] a : ( a ' , Lj) that Y--I[Pj]] a ' = tt.

3 ~ . suCl[Ai]]a=(a',L ) where L is not an Lj. Lemma 4.3.2 ~ yields a" , : ~ ~ .(k)~,(k) a'--y(k)[[L]I a'=TWL]I a ' (for ?(k) differs from 7 only in the argu- ----Jr II./~ill / ~ i + l --

ments L 1, . . . ,L,). Now taking 7 o = 7 { 2 a . • we have that a"=Yol]L]]a' , but also that ff[[A w A']] 70 = t t, so that ffl[{p~} A~{p~+ 1}]] 7o = t t, or equivalently V:r ~ H V (o ~ M[{J'I[Pi+ a]]} qS{~} ~ {Y--l[Pi]]} jffl[Ai]] ?oq~{zr}]. Now choose q5 = 2a . • and rc = 5"[[p,+ 1]]. We then have {~-[[pi]]} (~ff[[A~]] 7o {2a. • {~-[[p,+ 1]]}, which combined with sC[[A~]]a=(a' ,L), a"=7o[[L]] a' and :-[[p~]l a = t t yields ~--[[P,+I]] a"=t t . []

9. Related Work

First of all the work of Arbib and A!agi6 I-3] should be mentioned. They give a proof system which is quite analogous to the system in Sect. 6. A difference seems to be that their system is structured in such a way that in their correctness formulae ([Li : pJ~] {p} A{q}) the invariants corresponding to labels not occurring in A do not have to be specified. However both systems are isomorphic because a formula ( L l : p l l { p } A{q}), with L2, ..., L. not in A can be viewed as an abbreviation of ( L t : P a , . . . ,L , : P,I {P} A{q}) with arbitrary Pz , . . . ,P , . This makes sense: these formulae are either both valid or both invalid due to the fact that L 2 . . . . , L, are not in A. One can interpret the results of this paper as a justification of Arbib's and A!agib's system as well.

The direct semantics (function d ) from Sect. 4 has also been developed by workers which use the Vienna Definition Language ([11], and [7]). Their


approach is called ex i t semantics. However they have elaborated this idea to a greater extent. For instance, they define the meaning of a block S as the least fixed point of an operator built up using direct functions, like d . Furthermore they discuss the relative merits and the differences between the two approaches (exits vs. continuations), and they treat several ways to combine the two schemes. In [7] Bjorner suggests that one should choose the style which is most useful for the goals one wants to achieve. Our d- func t ion has been developed precisely with that idea in mind, and therefore this paper forms a nice illustration of Bjorners suggestion.

Then we have the papers by Nassi and Akkoynlu [14], and Kieburtz and Cherniavsky [12], where an axiomatisation of the b reak statement is discussed. Execution of such a statement causes control to be transferred outside the block in which the statement occurs. The cited papers give semantics and soundness and completeness results for these restricted gotos.

Finally I like to mention Back's work [4] on the multi-exit statement. Ideas which are related to the ones we discussed in connection with the proof system of Sect. 6 are taken as a starting point for a new programming language which covers a proof system as an intrinsic part.

Acknowledgements. I am grateful to Jaco de Bakker and one of the referees for several remarks that led to improvements. I owe much to Jeff Zucker. He read the manuscript carefully and patiently, and his stimulating remarks had a substantial influence on the final version. Furthermore I like to thank Paul Vitfinyi for his support in the final stages of this project, and Corrie Klein-Velderman for getting the manuscript in a well-typed form.

References

1. Apt, K.R.: A sound and complete Hoare-like system for a fragment of PASCAL. Report IW 97/78 (preprint), Mathematical Centre, Amsterdam, 1978

2. Apt, K.R., de Bakker, J.W.: Semantics and proof theory of PASCAL procedures. In: Proceed- ings of the 4th colloquium on automata, languages and programming. Lecture Notes in Computer Science Vol. 52, pp. 30-44, Berlin Heidelberg NewYork: Springer 1977

3. Arbib, M.A., A!agi6, S.: Proof rules for gotos. Acta Informat. 11, 139-148 (1979) 4. Back, R.J.R.: Exception handling with multi-exit statements. In: Programmiersprachen und

Programmentwicklungen, (H.-J. Hoffmann, Hrsg.). Informatik-Fachberichte Nr. 25, Berlin Heidelberg NewYork: Springer 1980

5. Bakker, J.W. de: Mathematical theory of program correctness. London: Prentice Hall 1980 6. Bakker, J.W. de: Correctness proofs for assignment statements. Report IW 55/76, Mathematical

Centre, Amsterdam 1976 7. Bjorner, D.: Experiments in block-structured go to language modelling: exits versus con-

tinuations. In: Winter school on formal specification methods. Lecture Notes in Computer Science Vol. 86 (D. Bjorner, Ed.), Berlin Heidelberg NewYork: Springer 1980

8. Clint, M., Hoare, C.A.R.: Program proving: jumps and functions. Acta Informat. 1, 214-224 (1972)

9. Cook, S.A.: Soundness and completeness of an axiom system for program verification. SIAM J. Comput. 7, 70-90 (1978)

10. Hoare, C.A.R.: An axiomatic basis for computer programming. Comm. ACM 12, 576-580, 583 (1969)

11. Jones, C.B.: Denotational semantics of goto: an exit formulation and its relation to continuations. In: The Vienna Development Method: the Meta-Language. Lecture Notes in Computer Science Vol. 61 (D. Bjorner, C.B. Jones, eds.) Berlin Heidelberg NewYork: Springer

424 A. de Bruin

12. Kieburtz, R.B., Cherniavsky, J.C.: Axioms for structural induction on programs containing block exits. In: Proceedings of the Symposium on Computer Software Engineering, Polytechnic Institute of NewYork, 1976

13. Milne, R., Strachey, C.: A theory of programming language semantics. London: Chapman and Hall, NewYork: Wiley (2 Vols) 1976

14. Nassi, I.R., Akkoyunlu, E.A.: Semantics of repeat break control structure. In: Proceedings of the 8th Princeton Conference on Information Sciences and Systems, pp. 316-321, Princeton University, Dept. of Electrical Engineering New York, 1974

15. Scott, D., Strachey, C.: Towards a mathematical semantics for computer languages. Proc. Syrup. on computers and automata, Polytechnic Institute of Brooklyn, pp. 19-46 (1971); also: Techn. Mon. PRG-6, Oxford Univ. Computing Lab.

16. Stoy, J.E.: Denotational semantics - the Scott-Strachey approach to programming language theory. Cambridge, Mass: M.I.T. Press 1977

17. Strachey, C., Wadsworth, C.: Continuations, a mathematical semantics for handling full jumps. Tech. Mon. PRG-11, Oxford Univ. Computing Lab., Programming research group (1974)

18. Wand, M.: A new incompleteness result for Hoare's system. J. Assoc. Comput. Mach. 25, 168-175 (1978)

Received July 17, 1979/March 31, 1981

Documents

Goto statements: semantics and deduction systems