de Bakker, J. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
.... Cousot and Cousot [18] and others [8] have been applied by Scott to program semantics [69] have been used by Cocke and Schwartz [13] Kildall [44] Tenenbaum [77] and others [36, 42, 16, 67, 43, 74] to specify and implement global program analysis problems, are important to program verification [16, 17, 20, 23], arise in complexity theory [79, 39, 40, 33, 35, 59] and are used to support high level program transformations [2, 29, 7, 49, 62, 53, 56, 11, 54, 70, 60, 81, 51] We are further encouraged by the following facts: Any set generated by inductive definitions can also be defined as the least ....
de Bakker, J. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
....the correct results being output and (2) will the program terminate. Succinct mathematical theories to express the properties of traditional systems and assess whether they meet these two criteria have been developed, e.g. denotational semantics [Stoy77], axiomatic semantics [Hoare69], [Dijkstra76], [de Bakker80] and operational semantics [Pagan81]. A wealth of semantic models for more complex modern systems have been developed; some of the most interesting models are labelled transition systems [Keller76], extended finite state machines [Danthine82] and Petri nets [Reisig85]. Associated with these new ....
de Bakker, J.W., "Mathematical Theory of Program Correctness", Prentice-Hall International, London, 1980.
....Z. Modal mu calculus was originally proposed by Kozen [42] and also see Pratt [60] but not for its use here 16 . Its roots lie with more general program logics employing extremal fixed points, developed by Park, De Bakker and De Roever, especially when formulated as relational calculi [8, 9, 56]. Kozen developed this logic as a natural extension of propositional dynamic logic. Larsen proposed that Hennessy Milner logic with fixed points is useful for describing properties of processes [44] Previously Clarke and Emerson used extremal fixed points on top of a temporal logic for expressing ....
De Bakker, J. (1980). Mathematical Theory of Program Correctness, Prentice-Hall.
....the relative emphasis on the semantics. Axiomatic semantics is emphasized most because many computer science students learn to enjoy program proving due to its affinity with writing and analyzing programs. Further, familiarity with program proving is presupposed by one of the best advanced texts [de Bakker] Operational semantics, developed in the style of [Cook] as simplified by [de Bakker] is second in order of emphasis. Students find the operational semantics natural, and it provides an introduction to some basic concepts also found in denotational semantics. Moreover, the operational semantics ....
....many computer science students learn to enjoy program proving due to its affinity with writing and analyzing programs. Further, familiarity with program proving is presupposed by one of the best advanced texts [de Bakker] Operational semantics, developed in the style of [Cook] as simplified by [de Bakker] is second in order of emphasis. Students find the operational semantics natural, and it provides an introduction to some basic concepts also found in denotational semantics. Moreover, the operational semantics can be used to vindicate the axiomatic semantics and, in general, provides a unifying ....
[Article contains additional citation context not shown here]
de Bakker, J., Mathematical Theory of Program Correctness, Prentice Hall, 1980.
....2. 4 A compositional semantics An operational semantics for while programs is usually followed by a compositional semantics (also called denotational) which is typically obtained as a least fixed point of a monotone or continuous operator on a complete lattice or complete partial order (cf. dB80] Here we show that such a compositional semantics can be directly obtained from the automaton (P rog #,#) or, equivalently, from the operational semantics O. As a consequence, the equivalence of both semantics will be immediate by coinduction. Recalling that for any partial function a : # # ....
J.W. de Bakker. Mathematical theory of program correctness. Prentice-Hall International, 1980.
....is written using some specification languages. The verification is to prove that the model of the real system satisfies the specification. The foundation of verification backtracks to Floyd and Hoare's work [Flo67, Hoa69] on sequential programs. Now they are known as Hoare's logic [Hoa69, Apt81, dB80]. A sequential program is usually regarded as a mathematical function over memory states. Given a function, we can always deduce the final state from the start state. The memory is subservient to the program. The story is completely different if other agents, e.g. programs or environments, may ....
J.W. de Bakker. The Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
....3.1 Beyond Correctness In sequential programming, researchers studying semantic issues have focused most of their attention on program correctness , which can be modeled as a function relating inputs to outputs. A correct sequential program should also terminate for all inputs. See [AA78, dB80, Apt81, Apt84, Jon92] for comprehensive coverage of proof techniques for sequential programs. Program efficiency (space and time) has also received tremendous attention (see the ACM SDCR Theory of Computation working group report at http: geisel.csl.uiuc.edu loui complete.html) For concurrent ....
J. de Bakker. Mathematical Theory of Program Correctness. Prentice Hall International, Englewood Cliffs, NJ, 1980.
....of a guard has to be interpreted as an atomic action. In [dBK90] it has been shown how CP can be seen as an instantiation of a language L. The language L enables us to study the semantic issues involved at a more abstract level. The main ingredient is the extension of boolean guards. Already in [dB80] it is argued that boolean expressions should be seen as a special case of statements: that is, if a boolean expression b evaluates to true it is equivalent to a skip statement and if it evaluates to false it is equivalent to an abortstatement. In CSP [Hoa85] there is a distinction made between ....
J.W. de Bakker. Mathematical Theory of Program Correctness. Prentice Hall, 1980.
.... as follows: i = 0; m = 0; 3) m a[i] m J a[i] a[i] m) i J i 1) n The presence of existential quantification inside the programming language has allowed us to internalize the well known correctness assertion for assignment statements that originates with Floyd [7] see also De Bakker [4] and Exercise 3.6 of [3] f g x : t f9y( x=y] x = t[x=y] g: The beauty of programming with DFOL reveals itself when we consider the close relation with standard FOL given by the following translation procedures: P t 1 t n ; P t 1 t n . ....
J.W. de Bakker. Mathematical Theory of Program Correctness. Prentice Hall, London, 1980.
....constructs from the programming language, like assignment, if then else and composition, see Section 3. In particular, while loops have received much attention in Hoare logic, because they involve a judicious and often non trivial choice of a loop invariant. For more information, see e.g. [6, 14, 2, 11, 3]. There is what we would like to call a classical body of Hoare logic, which applies to standard constructs from an idealised imperative programming language. This forms a well developed part of the theory of Hoare logic. It is couched in general terms, and not aimed at a particular programming ....
....(sequential, non object oriented) part of Java. Hoare logics for reasoning about concurrent programs may be found in [3] and for reasoning about object oriented programs in [8, 1] There is also more remotely related work on Hoare logic with jumps , see [10, 5] or also Chapter 10 by De Bruin in [6]) but in those logics it is not always possible to reason about intermediate, abnormal states. And in [27] a programming logic for Java is described, which, in its current state, does not cover forms of abrupt termination the focus point of this work. 3 This paper is organised as follows. ....
J.W. de Bakker. Mathematical Theory of Program Correctness. Prentice Hall, 1980.
....will not discuss its type theoretic semantics here, and refer the interested reader to [HJ00a] instead. 3.1 Statements and expressions In classical program semantics the assumption is that statements either terminate normally, resulting in a successor state, or do not terminate at all, see e.g. [Bak80, Chapter 3] or [Rey98, Section 2.2]. In the latter case one also says that the statement hangs, typically because of a non terminating loop. Hence, statements may be understood as partial functions from states to states. Writing Self as a type variable for the state space, statements can be seen ....
....sentences, involving constructs from the programming language, like assignment, if then else and composition. In particular, (while) loops have received much attention in Hoare logic, because they involve a judicious and often non trivial choice of a loop invariant. For more information, see e.g. [Bak80,Gri81,Apt81,Gor88,AO97]. There is a so called classical body of Hoare logic, which applies to standard constructs from an idealised imperative programming language. This forms a well developed part of the theory of Hoare logic. It is based on sentences of the form {P} S {Q}, for partial ....
J.W. de Bakker. Mathematical Theory of Program Correctness. Prentice Hall, 1980.
....; s k : V 0 . The last step of the proof consists in encoding the sequence of integers s 0 ; s 1 ; s k by a Godel predicate. The property W is then denoted by 8k : 8s : V 00 , which is our final predicate V . Interested readers can find more details of this proof technique in [2] or an introduction in [14] Thanks to these lemmas, we now can give the proof of Proposition 3. Proof The proof is by induction on the structure of S. The case of assignment is directly given by Lemma 3. The case of sequencing is simply treated by observing that wlp(S;T ; hW; Ci) wlp(S; wlp(T; ....
J. De Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1981.
....of first order formulas combines a number of ideas put forward in the area of semantics of imperative programming languages and the field of logic programming. First, for an atomic formula A, when A is ground, its meaning coincides with the meaning of a Boolean expression given in de Bakker [dB80, page 270] In turn, the meaning of the conjunction and of the disjunction follows [dB80, page 270] in the sense that the conjunction corresponds to the sequential composition operation ; and the disjunction corresponds to the don't know nondeterministic choice, denoted there by [ Next, the ....
....of imperative programming languages and the field of logic programming. First, for an atomic formula A, when A is ground, its meaning coincides with the meaning of a Boolean expression given in de Bakker [dB80, page 270] In turn, the meaning of the conjunction and of the disjunction follows [dB80, page 270] in the sense that the conjunction corresponds to the sequential composition operation ; and the disjunction corresponds to the don't know nondeterministic choice, denoted there by [ Next, the meaning of the negation is inspired by its treatment in logic programming. To be more ....
[Article contains additional citation context not shown here]
J. W. de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall International, Englewood Cliffs, N.J., 1980.
....n, r (n) H (p fi (n) p 0 ) r (n) H (p) fi (n) r (n) H (p 0 ) for all p; p 0 2 P n . 5.5 The denotational model Having defined semantical counterparts to all syntactic operators, we are ready to define the denotational semantics. This definition is the standard one, compare [dB80]. First of all, let Gamma : PV ar P be the set of environments or meanings of procedure variables. Definition 5.14 We define D : L Gamma P by induction on the structure of s as follows: ffl D(fl) a) fjajg; ffl D(fl) ffi) fjffijg; 20 ffl D(fl) s 1 ; s 2 ) D(fl) s 1 ) fi D(fl) s 2 ....
J.W. de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall International, Englewood-Cliffs, NJ, 1980.
....coalgebras) and not a semantics of traces. Regarding the semantics that we shall be using, we recall that in classical program semantics and Hoare logic the assumption is that statements will either terminate normally, resulting in a successor state, or will not terminate at all, see e.g. [Bak80, Chapter 3] or [Rey98, Section 2.2]. In the latter case one also says that the statement hangs, typically because of a non terminating loop. Hence, statements may be understood as partial functions from states to states. Writing Self for the state space, we can see statements as state ....
....constructs from the programming language, like assignment, if then else and composition (see Figure 1 below). In particular, while loops have received much attention in Hoare logic, because they involve a judicious and often non trivial choice of a loop invariant. For more information, see e.g. [Bak80,Gri81,Apt81,Gor88,AO97]. There is what we would like to call a classical body of Hoare logic, which applies to standard constructs from an idealised imperative programming language. This forms a well developed part of the theory of Hoare logic. It is couched in general terms, and not aimed at a ....
[Article contains additional citation context not shown here]
J.W. de Bakker. Mathematical Theory of Program Correctness. Prentice Hall, 1980.
....induction. Unfortunately, this method is not applicable to corecursive programs, because in general such programs do not have an argument over which induction can be performed. Historically, the basic proof method for corecursive programs has been Scott and de Bakker's fixpoint induction [7], which arises from the standard denotational semantics of functional programs. Applying fixpoint induction is rather tedious, but for the special case of corecursive programs that produce lists, one can use Bird and Wadler's take lemma [4] or the simpler approximation lemma [3]. More recently, ....
.... calculation shows that repeat x is the limit of the following chain of partial lists containing increasing numbers of x's, as expected: v x : v x : x : v x : x : x : v : The basic method for proving properties of programs defined using fix is Scott and de Bakker's fixpoint induction [7]. Suppose that f is a continuous function on a cpo and P is a predicate on the same cpo, such that whenever P holds of all the elements in a chain then it also holds of the limit (that is, P is chain complete). Then fixpoint induction can be stated as the following inference rule: P 8x: P x ) P ....
Jaco de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
....method is not applicable to the dual case of programs that produce lists of values, because in general such programs do not have a list argument over which to perform induction. Proof methods that are applicable to such programs have recently been surveyed in [6] and include fixpoint induction [4], the take lemma [3] coinduction [7] and fusion [8] All but one of the above proof methods for programs that produce lists are not specific to the datatype of lists, but can naturally be generalised to a large class of other datatypes. The exception is the take lemma, which is formulated ....
J. de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
....structural induction. Unfortunately, this method is not applicable to corecursive programs, because in general such programs do not have an argument over which induction can be performed. Historically, the basic proof method for corecursive programs has been Scott and de Bakker's fixpoint induction [8], which arises from the standard denotational semantics of functional programs. Applying fixpoint induction is rather tedious, but for the special case of corecursive programs that produce lists, one can use Bird and Wadler's take lemma [4] or the simpler approximation lemma [3]. More recently, ....
.... that repeat x is the limit of the following chain of partial lists containing increasing numbers of x's, as expected: v x : v x : x : v x : x : x : v : The basic method for proving properties of programs defined in terms of the fix operator is Scott and de Bakker's fixpoint induction [8]. Suppose that f is a continuous function on a cpo and P is a predicate on the same cpo, such that whenever P holds of all the elements in a chain then it also holds of the limit (that is, P is a chain complete predicate). Then the fixpoint induction rule can be stated as the following inference ....
Jaco de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
....3 Let (X i ; v i ) i = 1; n, n 1, be partial orders which have only finite chains. Then (X 1 Theta : Theta Xn ; v) has only finite chains. 22 The results are presented in this section in the form of propositions, for which proofs can be found or are analogous to those in e.g. dB80, LS87, Win93] 23 v is reflexive if, for all x 2 X, x v x; it is transitive if, for all x 1 ; x 2 ; x3 2 X, x 1 v x 3 if x 1 v x 2 and x 2 v x3 ; antisymmetric if, for all x 1 ; x 2 2 X, x1 = x 2 if x1 v x 2 and x2 v x1 . 24 In this case, if X 0 = X, l is also called the least element of the ....
....of complexity and size of proofs are not neglected but a detailed study is outside the scope of the thesis. 67 i.e. rigorous but not necessarily strictly formal. 68 See e.g. Dij76, Bat79, Bac81, Bac88, Jon90, NHWG89, MV92] Gri81, Part III] 69 See e.g. CJE83, NHWG89] 70 cf. e.g. dB80, Fra92] 21 1.4.3 Object Based Languages: extending Hoare style proof systems Specifications in the formally defined specification language (see Chapter 3) 71 are pairs (p; q; t) where p; q are formulas and t a term of L1. The intended interpretation of a given specification is such that ....
[Article contains additional citation context not shown here]
Jaco de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
....joint work with Arnold about metric spaces and how they can be used to give semantics to recursive program schemes. Nivat's lecture notes [Niv79] are his most cited publication. Together with Jan van Leeuwen, Jaco de Bakker organized this course. At that time, De Bakker was completing his book [Bak80]. Jeff Zucker contributed an appendix to the book and assisted in preparing the final version. In the summer of 1981, De Bakker visited Zucker at Bar Ilan University. Inspired by Nivat's work, they addressed the following question: Can metric spaces be used in denotational semantics of ....
J.W. Bakker. Mathematical Theory of Program Correctness. Series in Computer Science. Prentice Hall International, London, 1980.
....CO if and only if R( 0 ) R( f(s; oe) j oe 2 AO 9oe 0 2 CO : s; oe 0 ) 2 R( g : Often divergence and runtime errors are identified in simplified semantic treatments of programming languages. This has proved very helpful in establishing a rich and useful theory of program verification [2, 7, 13] and program refinement [3, 17, 18] 2 However, this idealization does not lead to a realistic notion of correct implementation: on the one hand, the single irregular outcome must be treated as chaotic, in order to accommodate the effect of optimizations like dead code elimination, because dead ....
J. W. de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
....effects; it is simultaneously a weakest precondition predicate transformer and a strongest postcondition predicate transformer. To reason about hypersubstitutions therefore we need a calculus of strongest postconditions too. Strongest postconditions are theoretically discussed in [5] but have not been used extensively in practice till now. The strongest postcondition construct has more recently been related to that of weakest precondition by Back and von Wright [3] through the notion of statement inversion. For a hypersubstitution H and a predicate Q we write [H ]Q to denote ....
J.W. de Bakker. Mathematical Theory of Program Correctness. Prentice-Hall, 1980.
.... This relation is required to satisfy the following axioms, for f : A B, g : B C, OE 2 P S A, 2 P S B 2 and 2 P S C: OEfid AgOE (1) OEffg ; fgg = OEff ; gg : 2) The axioms (1) and (2) are typed versions of the standard Hoare logic axioms for skip and sequential composition [21]. Given C and S as above, we can define a new category C S . An object of C S is a pair (A; OE) with A 2 ob C and OE 2 P S A. A C S morphism f : A; OE) B; is a morphism f : A B in C such that OEffg . Composition and identities are inherited from C ; the axioms (1) and (2) ensure that C ....
J. W. de Bakker. Mathematical Theory of Program Correctness. Prentice Hall International, 1980.
....Specification Statements We introduce an assertion language, a programming language, and a language of correctness formulae. Our set up is rather standard, except for specification statements ; ae (introduced as generic commands f ) aeg in [6] We refer to the literature for details omitted here[2, 3]. 2.1 Assertions Our assertion language Pred 3 OE; ae is first order predicate logic over Peano arithmetic. The free variables of such an assertion stem from two disjoint sets: a finite set of program variables (Var 3 x) and a countably infinite set of logical ....
....substitution is clear from the context. Using this convention, we define S 0( Omega Gamma def = Omega and S i 1 ( Omega Gamma def = S(S i( Omega Gamma3 for i 2 N. Substitution S 1 [ S2 =X ] of program S 2 for recursion variable X in program S 1 is defined in the literature (see, e.g. [3, 2]) For later reference, we note the fixed point property: P[ X:S] I =P[ S(X:S) I . 2 2.3 Correctness Formulae We use partial correctness Hoare formulae (Hoare triples) as correctness formulae. Informally, validity of a Hoare triple fgSfaeg means that, whenever S terminates after being ....
J. de Bakker. Mathematical Theory of Program Correctness. Prentice Hall, 1980.
....of PCF by admitting only those continuous functions which preserve certain (logical) relations. Here we will transfer this idea from the purely functional language PCF to the (much) more complicated setting of an imperative (Algol like) language. In traditional models for Algol like languages [2, 3, 19], termed marked store models in [13] the critical elements are the functions which have access to an unbounded number of locations. We briefly sketch the definition of such a model in order to obtain some hints how our new model should be constructed: Let Loc be some infinite set, whose ....
Jaco de Bakker. Mathematical Theory of Program Correctness. International Series in Computer Science. Prentice Hall, 1980.