Models of sets of sequences and the proof of the correctness of programs


U.S.S.R. Comput. Maths. Math. Phys. Vol. 20, No. 5, pp. 258-262 Printed in Great Britain

0041-5553/80/050258-05$07.50/0 © 1981. Pergamon Press Ltd.

MODELS OF SETS OF SEQUENCES AND THE PROOF OF THE CORRECTNESS OF PROGRAMS*

S. A. ABRAMOV

Moscow (Received 7 February 1980)

*Zh. vychisl. Mat. mat. Fiz., 20, 5, 1347-1350, 1980.

A CLASS of programs is described, the proof of certain of whose properties (“correctness”) by the Floyd-Hoare method requires the construction of relations between the variables constructed no less complicated than the programs themselves. Examples are given of relations which are invariants of cycles, but this cannot be proved by direct application of Hoare’s method.

1. Our discussion will concern a method of proving the correctness of programs due to Floyd [1]. This method consists of assigning to the points of the program considered relations between the values of the variables. The consistency of the relations, and in the final analysis their truth, will be established by means of the operator semantics defined by Hoare [2] (each operator is regarded as a transformer of relations). The question discussed in this paper is what kind of operations are necessary for the description of relations.

The advantages of the Floyd-Hoare method are usually demonstrated by the example of a binary algorithm for calculating $a^n$. The final relation is $z = a^n$ and the intermediate relation is $x^y z = a^n$; thus the intermediate relation is written as the finite superposition of the operations (arithmetic - multiplication and raising to a power, and logical - equality), used in the program and in the final relation.

It appears that the set of operations used in the program and in recording the given final relation (and also the operations $\lor$, $\land$, $\supset$, $\equiv$, $\neg$; the possibility of their use will be kept in mind without reservation), may be considerably lacking for recording the intermediate relations. They may also require operations which are essentially determined by the path of transformation of the program considered. In any event the necessary relation (logical function) may be constructed (in comparison with the operations used in the program and in recording the final relations) in a way no less complicated than the original program itself. Moreover, it is possible to give examples of relations which are satisfied for all passages through the points of the program corresponding to them, but this cannot be established by direct application of Hoare’s method: for the application of this method it is necessary first to replace the relation by some stronger relation.

2. The reasoning by which we succeed in constructing the corresponding examples is as follows. Let two finite integral sequences $a_1, \ldots, a_n$ (decreasing) and $b_1, \ldots, b_n$ (increasing) be formed by some rule enabling it to be established that

$$a_n \ge b_1, \qquad (a_{n-i} \ge b_{i+1}) \supset (a_{n-i-1} \ge b_{i+2}) \quad \text{for } i = 0, 1, \ldots, n-2. \tag{1}$$


(Instead of $\ge$ any transitive relation can be taken. The assumption of the integrality of the elements of the sequences is made only for simplicity.) Let the rule for the formation of the finite sequences be described by the recurrence relations $a_k = \varphi(a_{k-1})$, $b_k = \psi(b_{k-1})$ with some initial values $a_1 = A$, $b_1 = B$. Below we will consider that the value of B is fixed, and the value of A can be an arbitrary integer not less than B. It is assumed that in the sequence $a_1, a_2, \ldots$ for any permissible initial value an element is encountered with the value B. Let the number n of elements of the sequence be defined as the least n such that $a_n = B$. We consider the program

    a := A; b := B;
    while a > B do
        begin a := φ(a); b := ψ(b) end        (2)

It is obvious that after its completion we will have $A \ge b$. However, renouncing the use of variables with subscripts, we lose the possibility of directly constructing an inductive proof of this, starting from (1). If by the operations $\varphi$, $\psi$, $\ge$, $>$ the set of operations permissible for recording relations is exhausted, it is impossible in fairly common cases to write down before the symbol end the invariant relation, which together with $a = B$ would ensure that $A \ge b$.

3. There is a quite trivial example of operations $\varphi$, $\psi$ and a number B, defining sequences which satisfy (1): $\varphi(a) = a - 1$, $\psi(b) = b + 1$, $B = 0$. More meaningful examples are known from the practice of the analysis of computational algorithms. The analysis of some binary algorithms, giving as an estimate of the number of steps a quantity of order $\log_2 A$, where A is the dimension of the problem, assume the consideration as $\varphi(a)$ and $\psi(b)$ respectively, of the integral part of half a and of twice b; in this case $B = 1$.

Lamé’s theorem for Euclid’s algorithm is formulated thus: let Euclid’s algorithm be applied to the natural $a_1, a_2$: it is required to find n remainders: $a_k$ is the remainder $(a_{k-2}, a_{k-1})$: $k = 3, 4, \ldots, n+2$, $a_{n+1} \ne 0$, $a_{n+2} = 0$; then $a_2 \ge u_{n+1}$, where $u_k$ is the Fibonacci number with the corresponding subscript. This is proved by the scheme (1) with the use as the sequence $b_1, \ldots, b_n, \ldots$ of the Fibonacci numbers $u_2, \ldots, u_{n+1}, \ldots$ For a complete correspondence with the program (2) we have here to regard as the values of A, B, a, b ordered pairs of numbers, putting $(v_1, v_2) \ge (w_1, w_2)$ if and only if $v_1 \ge w_1$, $v_2 \ge w_2$. It is necessary to change somewhat the condition standing after while, which makes the treatment unwieldy, and therefore this example will not be discussed in detail below.

We will call the infinite sequence $b_1, \ldots, b_n, \ldots$, $b_1 = B$, $b_k = \psi(b_{k-1})$, a model of the set of finite sequences $a_1, \ldots, a_n$, whose method of construction is described above. Each such sequence is determined by the number A.

We will present one more example of a model of a set of finite sequences. For any natural $a \ge 2$ we define $\varphi(a)$ thus: let $a = p_1^{\alpha_1} \cdots p_m^{\alpha_m}$ be the expansion of a in a product of prime factors and $p_1 < \ldots$


4. The relation $R(A, a, b)$ which has to be placed before the symbol end in (2), must satisfy the following three conditions:

2) $((a > B) \land R(A, a, b)) \supset R(A, \varphi(a), \psi(b))$,

These conditions reflect the semantics of the operator of the cycle; their use ensures the proof by induction (by Hoare’s method) of the properties of the program of interest to us. We will denote by $\varphi^t$ and $\psi^t$, where t is a non-negative integer, the t-fold superpositions of $\varphi$ and $\psi$. The following proposition appears obvious.

Proposition. The relation $R(A, a, b)$ must not be less strong than (3) where $\lambda(a)$ is the least non-negative integer t for which $\varphi^t(a) = B$.

Remark. If for every $a > B$ we have $\varphi(\psi(a)) = a$ (as was the case in all the examples considered), then (3) can be rewritten in the form

$$(a \ge B) \supset (\varphi^{\lambda(a)}(A) \ge b), \tag{4}$$

which is the formula in the notation of (1) for the condition $a_{n-i} \ge b_{i+1}$. Therefore, to prove the property of interest to us we cannot restrict ourselves by anything weaker than (1).

The examples considered in the preceding section show that finite superpositions of the operations $\varphi$, $\psi$, $\ge$, $>$ may be insufficient for checking (3), (4): with them we can check only conditions of the type $(a \ge B) \supset (A \ge \psi^k(b))$ or $(a \ge B) \supset (\varphi^k(A) \ge b)$, where k is a fixed non-negative integer. To define and compute the functions $\varphi^{\lambda(a)}(A)$, $\psi^{\lambda(a)}(b)$ it is natural to use the cycles occurring in the program (2); this also concerns the relations (logical functions) (3), (4). In this sense it can be said that the relation required is not less complex in construction than the original program.

Of course the formula for the relation $R(A, a, b)$ may not explicitly include the function $\lambda(a)$ and $\lambda(a)$-fold superpositions of $\varphi$ and $\psi$. But, in order to avoid them it is necessary to have recourse to other functions (operations), not less simple than $\psi^{\lambda(a)}(b)$: the evaluation of these functions in terms of $\varphi$ and $\psi$ requires a cycle, just as for $\psi^{\lambda(a)}(b)$ and for the whole of the original program (2); $R(A, a, b)$ may assume a very simple form, if some functions essentially more complex in construction than $\psi^{\lambda(a)}(b)$ are introduced; these functions may even not be expressed by a cycle in terms of $\varphi$, $\psi$, $\ge$, $>$.


The complexity of construction of the relation $R(A, a, b)$ is due to the fact that some nontrivial property of the program ($A \ge b$) is described by very simple means. The description of the property $z = a^n$ of the program for the calculation of $a^n$ mentioned required the introduction of the operation of raising to a power which is complicated to construct. The use of this operation in the description of an intermediate relation enables the latter to be simplified: $x^y z = a^n$.

5. We consider the details relating to the examples of section 3. For the first, trivial example $\lambda(a) = a$ and the relation $R(A, a, b)$ for non-negative A, a, b cannot be less strong than $A \ge a + b$. The operation of addition used in the expression $a + b$, represents precisely the a-fold superposition of the function $\psi(b) = b + 1$. In other words, the addition of non-negative integers is also defined by means of $\varphi$, $\psi$, $\ge$, $>$ by a cycle similar to the cycle of program (2). Introducing relations similar to $A \ge a + b$, it is necessary to base oneself on some reliable definitions of operations of the type $a + b$. Of course the definition of the operations by a cycle of program (2) being investigated is not suitable. This is similar to the fact that in the proof of the finiteness of the number of stages of some cyclic process by indicating a non-negative integer-valued function, it is impossible to use a function defined by the number of preceding stages of the cyclic process.

In the binary algorithm the relation $R(A, a, b)$ must be not less strong than $A \ge 2^{[\log_2 a]} b$. Here the relation $A \ge ab$ will be suitable; it is easy to see that it satisfies conditions 1), 2), 3) of section 4; the operation of multiplication $ab$ when compared with the operation of doubling and taking the integral part of half is more complicated to construct than $2^{[\log_2 a]} b$.

In these two examples, to construct relations $R(A, a, b)$ of simple form, we used the fact that $\psi^{\lambda(a)}(b)$ is a contraction of the known arithmetic operations of addition and multiplication: in this contraction one operand is fixed. In the last example the value of $\lambda(a)$ for $a \ge 2$ will be the number of different prime factors of the number a, $\lambda(1) = 0$. Therefore, $R(A, a, b)$ must be not less strong than $A \ge b s_1 s_2 \cdots s_{\lambda(a)}$, where $s_1, s_2, \ldots$ are consecutive prime numbers, $s_1$ immediately following the greatest prime factor of b. The need arises to write in the manner of the two preceding examples, before the symbol end the apparently simpler inequality $A \ge ab$, but this replacement of the inequality is invalid. For this see the following section.

6. It is a question of the relations which are satisfied for all passages through corresponding points of the program (which are invariants of cycles) and in the final analysis permit the necessary final relation to be derived, but whose truth is not established by direct use of the semantic definitions of the operators. We will discuss program (2) and we will consider $\varphi$, $\psi$, B to be the same as in the example of processing the prime factors of a number. The relation $A \ge ab$ actually holds for every passage through a point of the program fixed by us: b contains just as many prime factors as $A/a$, but the factors of the number b are the initial elements of the sequence of prime numbers. However, here condition 2) of section 4 is not satisfied for the relation $A \ge ab$: let $A = 5$, $a = b = 2$, then $A \ge ab$ holds (that is $5 \ge 2 \cdot 2$), but $A \ge \varphi(a)\psi(b)$ does not hold (that is $5 < 1 \cdot 6$).
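The following Python check is an added example, not part of the original paper: it runs program (2) for the prime-factor case and tests condition 2) of section 4 over all small states, reachable or not. It assumes that φ removes the greatest prime factor of a together with its whole power, that ψ multiplies b by the prime following its greatest prime factor, and that B = 1; all function names are hypothetical.

```python
B = 1  # assumed value of B for the prime-factor example
def primes_of(n):  # distinct prime factors of n in increasing order ([] for 1)
    out, p = [], 2
    while n > 1:
        if n % p == 0:
            out.append(p)
            while n % p == 0:
                n //= p
        p += 1
    return out

def next_prime(p):
    q = p + 1
    while primes_of(q) != [q]:
        q += 1
    return q

def phi(a):  # assumption: drop the greatest prime factor with its whole power
    p = primes_of(a)[-1]
    while a % p == 0:
        a //= p
    return a

def psi(b):  # multiply by the prime following the greatest prime factor of b
    return b * next_prime((primes_of(b) or [1])[-1])

def passages(A):  # (a, b) at the point before `end` on every pass of program (2)
    a, b, seen = A, B, []
    while a > B:
        a, b = phi(a), psi(b)
        seen.append((a, b))
    return seen

def weak(A, a, b):  # the apparently simpler relation A >= ab
    return A >= a * b
def strong(A, a, b):  # A >= b * s_1 * ... * s_lambda(a)
    bound, s = b, (primes_of(b) or [1])[-1]
    for _ in primes_of(a):
        s = next_prime(s)
        bound *= s
    return A >= bound

def holds_on_all_passages(R, limit):
    return all(R(A, a, b) for A in range(1, limit + 1) for a, b in passages(A))

def step_failures(R, limit):  # a > B, R holds, but R(A, phi(a), psi(b)) fails
    r = range(1, limit + 1)
    return [(A, a, b) for A in r for a in r for b in r
            if a > B and R(A, a, b) and not R(A, phi(a), psi(b))]
```

Here `holds_on_all_passages(weak, 200)` is true while `step_failures(weak, 12)` contains the paper's state (5, 2, 2), which no run of the program reaches; the stronger relation has no such failures in the same range.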


We return to the binary algorithm. After the satisfaction of the program (2) as well as $A \ge b$ the inequality $A < 2b$ will hold, but for all passages through our point the values of the variables A, a and b satisfy the inequality $A < 2ab$, which is a consequence of the stronger relation

However, it is not true that (d 2.2.2.2. llogzAl=[log~

a]+[Iog:

b]+2.

If, for

(A-G!Ia/21~3-b).

Translated by J. Berry.

REFERENCES

1. FLOYD, R. Assigning meanings to programs. Proc. Symposium Appl. Math., Amer. Math. Soc., 19, 19-32, 1967.

2. HOARE, C. An axiomatic basis for computer programming. Communs ACM, 12, 576-583, 1969.

U.S.S.R. Comput. Maths. Math. Phys. Vol. 20, No. 5, pp. 262-266 Printed in Great Britain

0041-5553/80/050262-05$07.50/0 © 1981. Pergamon Press Ltd.

A RECOGNITION ALGORITHM WITH THRESHOLD PARAMETERS*

L. V. BASKAKOVA

Moscow

*Zh. vychisl. Mat. mat. Fiz., 20, 5, 1350-1353, 1980.

A MODEL of recognition algorithms, including both calculation of estimates algorithms and “Kora” type algorithms, is presented. The family described is parametric, that is, every algorithm is uniquely encoded by a collection of numerical parameters, by the indication of a system of base sets and a selection rule depending on the object S.

The well-known recognition algorithm model of calculation-of-estimates type [1-3] is based on a comparison of the object to be recognized $S = (a_1, \ldots, a_n)$ with the objects $S_1, \ldots, S_m$, $S_i = (a_{i1}, \ldots, a_{in})$, $i = 1, 2, \ldots, m$, for which the information vectors are either known (a problem with intersecting classes), or are given as a training table $T_{nml}$. The fundamental part of such recognition algorithms is the selection of the base subsets of the set of features $\{1, 2, \ldots, n\}$ and the comparison of S with $S_i$ on each base subset $\Omega = \{i_1, \ldots, i_k\}$. In the calculation-of-estimates model the base subsets are fixed and are independent of the object S to be recognized. In “Kora” type algorithms also the possible collection of base subsets is fixed in advance. However, below in the recognition process only “representative” subsets are included, the selection essentially depending not only on the training material, but also on the object S to be recognized.