- Email: [email protected]
Some proofs of data refinement
Information Processing North-Holland
SOME
Letters
PROOFS
Earlin LUTZ
24 April 1990
34 (1990) 179-185
OF DATA REFINEMENT
*
Cornell University, Ithaca, NY 14850, USA Communicated by E.C.R. Hehner Received 22 November 1989 Revised 22 December 1989
Three examples of data refinement-replacement of an abstract program fragment and its variables by a more concrete fragment and variables-are presented. Correctness conditions for each refinement are derived using the proof rules of Prins/Gries, Morris/Morgan/Gardiner, and Chen/Udding. The proof methods are then compared.
Keywords:
Data refinement,
program
correctness
Programs that are written using abstract data structures must be replaced by more concrete versions that use realizable data structures. Prins and Gries [4], Morris, Morgan, and Gardiner [2,3], and Chen and Udding [l] have proposed statements of when this replacement or transformation process is formally correct. Chen and Udding proposed that the three forms are equivalent. This paper presents three examples of program transformation. For each example, a correctness proof is carried out with each of the three methods. The side-by-side proofs can then be compared on subjective grounds such as ease of use. The examples are chosen to show how the refinement conditions deal with several problems: resource bounds in the concrete form, concrete values that represent many abstract values, and nondeterministic execution.
1. Statements of proof obligations This section states the formal proof obligations as defined by Morris/Morgan/Gardiner, Prins/Gries, and Chen/Udding. The context of these is that an abstract data structure is being implemented by a concrete structure and associated operations. The concrete version may have resource bounds or other limitations that prevent it from working in some cases where the abstract program appeared correct. The proof obligations systematically isolate these additional conditions. Each of the three proof obligations is a (somewhat complicated) predicate over the abstract and concrete statements, variables, postconditions, and wp operators. When applied to a particular statement, the complex proof obligations can (hopefully) be simplified to the point where only a condition over the data structures remains. In all formulas, Sa denotes an abstract statement, SC a concrete statement, Ra a predicate containing no concrete variables, and Rc a predicate containing no abstract variables. Z denotes the coupling invariant, a predicate that may contain abstract, shared, and concrete variables. * Supported
by a grant
0020-0190/90/$3.50
from the Unisys
Corporation
and by the NSF and DARPA
Q 1990 - Elsevier Science Publishers
B.V. (North-Holland)
under
grant
ASC-88-00465.
179
Volume 34, Number 4
INFORMATION
PROCESSING
Morris/Morgan/Gardiner. The Morris/Morgan/Gardiner statement Sa by a concrete statement SC is (3a::
ZA WP(SU, Ra))
- wp(Sc,
(3a::
LETTERS
condition
24 April 1990
for replacement
of an abstract
z A Ru))
where the quantification is over values of the abstract and shared variables a. The antecedant requires that the initial values of concrete variables couple to some set of abstract values for which the abstract statement will succeed. The consequent requires that the concrete statement establish new concrete values that also couple to an acceptable abstract state. Prins/Gries. If the abstract and concrete statements do not assign to shared variables, the Prins/Gries refinement condition is IA wp(Su, true) -
wp(Sc, 7wp(Su,
-I)).
The antecedant demands that the invariant hold initially and that the abstract statement be certain to terminate. The consequent requires that the concrete statement mimic the abstract one by not departing from the invariant. If the pattern and replacement both assign to some shared variable, the shared variables must be renamed in one of the statements. Equality of the two copies of the shared variables is then imposed both before and after the statement executions by the formula
Chen/Udding. [Z-
The refinement condition proposed by Chen and Udding is (Ru=Rc)]
-
[IA
wp(Su,
Ru)
=a wp(sc,
Rc)]
where Ru contains no concrete variables and Rc contains no abstract variables; common variables may appear in both. The antecedant is implicitly quantified over all states of program variables. 1.1. A note on use of invariants
in the formulas
A completely mechanical application of these formulas would call for writing down the full formula with the invariant appropriate to the data structures at hand. In the Prins/Gries and Chen/Udding forms, the highest level connective is an implication whose left side does not involve the statements. If this part happens to be false, i.e., we execute the statements from an already incorrect initial state, the overall implication becomes trivially true. Therefore, the effective proof obligation is only to show that the formula holds when the invariant and whatever it implies in the antecedant are true. The Morris/Morgan/Gardiner form does not offer a simplification that can be applied so uniformly. We have chosen to write out the entire expression in those proofs.
2. A precondition that cannot be stated in abstract terns Suppose members of a set A are represented by entries in a (limited size) array c[O..n - 11, with an integer nc indicating how many array positions are in use. The coupling invariant restrains nc to the array limits and gives a (functional) definition of the represented set: O
nc)
where A,( c, nc) denotes ( u i: 0 < i < nc:
{ c. i }).
Volume
34, Number
INFORMATION
4
PROCESSING
LETTERS
24 April 1990
We wish to implement insertion in the set by adding an element to the array, without a test for duplication. That is, we will refine the (abstract) statement A:=AU{a} to the concrete form c, nc := (c; nc: a),
nc + 1
The simplified forms of the refinement conditions should tell US about the resource bound imposed by this implementation. Morris/Morgan/Gardiner
proof. The simplification
of the Morris/Morgan/Gardiner
(3,4:: O
Ru)~~~~,,~:~~,~~+~
{carry out text substitution} (St::
OQnc
-(fk4::
=
Ru))
{expand each wp (including the domain condition for assignment to the array element) from definitions for assignment} (34:: O
=
form is:
nc+l)ARa)
{apply one point rule twice and omit one of the repeated conjuncts 0 < nc + 1 < n } 0 G nc G n A Ru&r,nCj u co) - 0 G nc + 1 G n A Ru&CC;nc: o),nc+~)
=
{set equality A,( c, nc) u {a}
= A,(( c; nc : a), nc + 1))
O~~~~~ARU~~(,,,),~.)~O~~~+~~~ARU~~(~,~~),(,) =
{predicatecalculus}
O
{predicate
calculus}
O
form, we assume that the invariant 0 < nc < n A A = A,(c,
nc)
wp(c, nc := (c; nc: a), nc + 1, ,wp(A:=A u {a}, ,(O G nc < n A A = A,(c, nc)))) 181
Volume 34, Number 4
=
INFORMATION
{expand
both wps by textual
PROCESSING
substitution}
,,(O~nc+l~nAAU{a}=A,(( =
{remove
double
c; nc:a),
negation
=
and expand
nc+l))AO
A as defined
nc) u {a})=A,((c;
O
24 April 1990
LETTERS
in coupling}
nc:a),
nc+l)
{set manipulation}
O
{expand
both
nc: a), nc+l,
wps by textual
0 < nc < n A A = A,(c, =
{RQ~,(,~
-
{predicate
and further
that
Rc)
substitution}
nc) A Rai,
iu, 3 0 < nc f 1 < n A Rc;‘;.:‘~,,: uJ.,,c+l
and Rc;‘;.~‘~:~),~~+I are equal because
O
holds
Ra)
nc)r\wp(A:=Au{a},
nc:=(c;
the coupling
the substitute
values satisfy the invariant}
nc)*O
calculus}
O
3. A backwards nondeterministic
Suppose
an integer
coupling
i is represented
by a boolean
b, with the coupling
b = odd.i
The assignment i := 0 is to be replaced
by
b := false.
What extra proof obligation Morris/Morgan/Gardiner b := false is (3i::
=
=
introduce?
proof. The Morris/Morgan/Gardiner
b = odd.i A wp(i:= * wp(b := false, (3i::
0, Ra)) b = odd.i
A Ra))
{ wp for assignment} (Eli:: b = odd.i A Rub) 3 (Eli:: b = odd.i {bnotfreein Ku} (Eli:: b = odd.i
182
does this replacement
A Rub) *
(3i::
A Ra)ialse
false = odd.i A Ra)
proof obligation
for replacing
i := 0 by
Volume
34, Number
=
4
INFORMATION
PROCESSING
LETTERS
24 April 1990
{i not free in Ra after substitution} (3i::
=
A Rab 2 (Eli:: false = odd.i A Ra)
b = odd.i)
((3i::
b = odd.i)
is true}
Rab - (Eli:: false = odd.i A Ra) -c=
{instantiate
with i = 0}
Rab * false = odd.0 A Rab = Prins/Gries
true proof. The Prins/Gries wp(b := false, -,wp(i
=
{expand
inner
:= 0, ,(b
wp by textual
wp(b := false, ,,(b =
form for replacing
{cancel double
i := 0 by b := false is
= 0dd.i))) replacement
(b = odd.i)‘,}
= odd.O)) negation}
wp (b := false, b = odd.O) =
{expand
wp )
false = odd.0 =
true
Chen/Udding proof. For the Chen/Udding form, we assume that Ra and Rc are predicates that are equal (i.e., both true or both false) whenever the concrete and abstract variables satisfy the coupling. Then we must show b = odd.i A wp(i := 0, Ra) - wp(b := false, Rc) =
{expand
both wps by textual
substitution}
b = odd.i A Rah 2 Rc,b,,, =
{ Rab = Rcialse because
the substitute
values satisfy the invariant)
b = odd.i =
{coupling
assumed
true}
true
4. A more deterministic chooser Suppose we have used a nondeterministic selection operation choose( a,A) to select a member from set A. It is to be replaced by a (more deterministic) selection choose( a, B), where B c A. For instance, a choice from the two element set B = { A.min, A.max} might be substituted. Since there are no represented variables, the proof obligation is really only the procedural refinement condition wp(choose(a,
A),
Ra) =j wp(choose(a,
B),
Ra). 183
INFORMATION
Volume 34, Number 4
PROCESSING
LETTERS
24 April 1990
We would like to see how easily each of the proof rules simplifies to the pure procedural refinement condition. It is equally acceptable for a data refinement proof to terminate either by (a) reaching a nonreducible formula or (b) reaching the procedural refinement condition. Morris/Morgan/Gardiner proof. With a trivial invariant true and no abstract variables, there is no need for the quantification in the full Morris/Morgan/Gardiner form, and the reduction to procedural refinement is simply true A wp(choose(a, =
A), Ra) * wp(choose(a,
B), true A Ra)
{predicate calculus) wp(choose(u,
A), Ru) -
wp(choose(u,
B), Ru)
Prins/Gries proof. Because the two statements both assign to a common variable a, the Prins/Gries proof obligation requires that a renaming be applied. We will modify the replacement choose( a, B) to choo.se(b, B). The postcondition in the proof obligation then requires that b = a: wp(choose(b, =
{apply wp(choose(b, B 28
=
B), 7wp(choose(u,
uEB:
A), -,(u = a)))
,(A#flA(if’u:
uE:A:
T(u=u))))
(carry negation inside quantifier}
{A
uEB:
#,tJ,
B#fl
(Vu: UEB: =
to outer wp}
{similar expansion of inner wp }
B#flA(h: =
= a)))
B), Ru) = (B #:O A (VU: u E B: Rui))
A (Vu: u E B: ,wp(choose(u,
B#flA(tlu: =
A), ,(b
(A
=@V(~U:
uEA:
u=u)))
assumed}
(3~: IAEA: u=u))
{B G A assumed} true
Chen/Udding proof. Assume the coupling true holds and implies Ru = Rc. The Chen/Udding obligation reduces in one step to the procedural form: (true A wp(choose(u, =
{apply
A), Ru)) -
wp(choose(u,
proof
II), Rc)
Ru = Rc }
wp(choo.se(u,
A), Ru) =+ wp(choose(u,
B), Ru)
5. Discussion and conclusions We have manipulated two cases of data refinement and one of procedural refinement by three formulations of data refinement. The various proof methods reach the same final predicates by differing paths. On the other hand, the results are not strictly equivalent, for the first two Morris/Morgan/Gardiner proofs and the first Chen/Udding proof only show that refinement follows from the final form, while the Prins/Gries form gives strict equality. 184
Volume
34, Number
4
INFORMATION
PROCESSING
LETTERS
24 April 1990
The methods are all fairly confusing to work with at first. The Morris/Morgan/Gardiner method requires both a quantifier and reasoning about “all possible” postconditions. The Prins/Gries method has a nested application of wp and a double negation. The Chen/Udding method reasons about two unspecified postconditions. Length and complexity of proofs is hard to measure fairly. In the first two examples the Prins/Gries proofs are both short and easy to arrive at. The explanations for expanding wp and removing double negation are entirely mechanical. The Chen/Udding proofs are also short and involve little symbol manipulation. The step at which Ra and Rc are argued to be equal after substitution is, at least initially, surprising. This is the crux of the proofs; the preceding steps are aiming at precisely this point at which the two postconditions can be declared equal, allowing the equation to collapse. The Morris/Morgan/Gardiner proofs appear somewhat longer in the first two examples, partly because they do not benefit from the ability to systematically move an antecedant into a simply stated assumption. If used regularly, one would want to be quite familiar with the special rules for functional couplings and particular statements as derived in the papers by Morris, Morgan, and Gardiner [3,2], rather than applying the original form. In the final example, the Morris/Morgan/Gardiner and Chen/Udding methods simplified immediately to the procedural refinement condition. The nested structure of the Prins/Gries form prevents such immediate reduction to the left-to-right procedural form.
Acknowledgment This paper was aided by discussions with David Gries and the Polya research group at Cornell University. Carroll Morgan, and Wei Chen, and the anonymous referees provided useful comments on an earlier version.
References [l] W. Chen and J.T. Udding, Towards a calculus of data refinement, in: Mathematics of Program Construction, Lecture Notes in Computer Science 375 (Springer, Berlin, 1989). [2] C. Morgan and P.H.B. Gardiner, Data refinement by calculation, Acta Inform., to appear.
[3] J.M. Morris, Laws of data refinement, Acta Inform. 26 (4) (1989). [4] J. Prim and D. Gries, A new notion of encapsulation, in: Proc. Symposium on Language Issues in Programming Enuironments, SIGPLAN (1985).
185
SOME
Letters
PROOFS
Earlin LUTZ
24 April 1990
34 (1990) 179-185
OF DATA REFINEMENT
*
Cornell University, Ithaca, NY 14850, USA Communicated by E.C.R. Hehner Received 22 November 1989 Revised 22 December 1989
Three examples of data refinement-replacement of an abstract program fragment and its variables by a more concrete fragment and variables-are presented. Correctness conditions for each refinement are derived using the proof rules of Prins/Gries, Morris/Morgan/Gardiner, and Chen/Udding. The proof methods are then compared.
Keywords:
Data refinement,
program
correctness
Programs that are written using abstract data structures must be replaced by more concrete versions that use realizable data structures. Prins and Gries [4], Morris, Morgan, and Gardiner [2,3], and Chen and Udding [l] have proposed statements of when this replacement or transformation process is formally correct. Chen and Udding proposed that the three forms are equivalent. This paper presents three examples of program transformation. For each example, a correctness proof is carried out with each of the three methods. The side-by-side proofs can then be compared on subjective grounds such as ease of use. The examples are chosen to show how the refinement conditions deal with several problems: resource bounds in the concrete form, concrete values that represent many abstract values, and nondeterministic execution.
1. Statements of proof obligations This section states the formal proof obligations as defined by Morris/Morgan/Gardiner, Prins/Gries, and Chen/Udding. The context of these is that an abstract data structure is being implemented by a concrete structure and associated operations. The concrete version may have resource bounds or other limitations that prevent it from working in some cases where the abstract program appeared correct. The proof obligations systematically isolate these additional conditions. Each of the three proof obligations is a (somewhat complicated) predicate over the abstract and concrete statements, variables, postconditions, and wp operators. When applied to a particular statement, the complex proof obligations can (hopefully) be simplified to the point where only a condition over the data structures remains. In all formulas, Sa denotes an abstract statement, SC a concrete statement, Ra a predicate containing no concrete variables, and Rc a predicate containing no abstract variables. Z denotes the coupling invariant, a predicate that may contain abstract, shared, and concrete variables. * Supported
by a grant
0020-0190/90/$3.50
from the Unisys
Corporation
and by the NSF and DARPA
Q 1990 - Elsevier Science Publishers
B.V. (North-Holland)
under
grant
ASC-88-00465.
179
Volume 34, Number 4
INFORMATION
PROCESSING
Morris/Morgan/Gardiner. The Morris/Morgan/Gardiner statement Sa by a concrete statement SC is (3a::
ZA WP(SU, Ra))
- wp(Sc,
(3a::
LETTERS
condition
24 April 1990
for replacement
of an abstract
z A Ru))
where the quantification is over values of the abstract and shared variables a. The antecedant requires that the initial values of concrete variables couple to some set of abstract values for which the abstract statement will succeed. The consequent requires that the concrete statement establish new concrete values that also couple to an acceptable abstract state. Prins/Gries. If the abstract and concrete statements do not assign to shared variables, the Prins/Gries refinement condition is IA wp(Su, true) -
wp(Sc, 7wp(Su,
-I)).
The antecedant demands that the invariant hold initially and that the abstract statement be certain to terminate. The consequent requires that the concrete statement mimic the abstract one by not departing from the invariant. If the pattern and replacement both assign to some shared variable, the shared variables must be renamed in one of the statements. Equality of the two copies of the shared variables is then imposed both before and after the statement executions by the formula
Chen/Udding. [Z-
The refinement condition proposed by Chen and Udding is (Ru=Rc)]
-
[IA
wp(Su,
Ru)
=a wp(sc,
Rc)]
where Ru contains no concrete variables and Rc contains no abstract variables; common variables may appear in both. The antecedant is implicitly quantified over all states of program variables. 1.1. A note on use of invariants
in the formulas
A completely mechanical application of these formulas would call for writing down the full formula with the invariant appropriate to the data structures at hand. In the Prins/Gries and Chen/Udding forms, the highest level connective is an implication whose left side does not involve the statements. If this part happens to be false, i.e., we execute the statements from an already incorrect initial state, the overall implication becomes trivially true. Therefore, the effective proof obligation is only to show that the formula holds when the invariant and whatever it implies in the antecedant are true. The Morris/Morgan/Gardiner form does not offer a simplification that can be applied so uniformly. We have chosen to write out the entire expression in those proofs.
2. A precondition that cannot be stated in abstract terns Suppose members of a set A are represented by entries in a (limited size) array c[O..n - 11, with an integer nc indicating how many array positions are in use. The coupling invariant restrains nc to the array limits and gives a (functional) definition of the represented set: O
nc)
where A,( c, nc) denotes ( u i: 0 < i < nc:
{ c. i }).
Volume
34, Number
INFORMATION
4
PROCESSING
LETTERS
24 April 1990
We wish to implement insertion in the set by adding an element to the array, without a test for duplication. That is, we will refine the (abstract) statement A:=AU{a} to the concrete form c, nc := (c; nc: a),
nc + 1
The simplified forms of the refinement conditions should tell US about the resource bound imposed by this implementation. Morris/Morgan/Gardiner
proof. The simplification
of the Morris/Morgan/Gardiner
(3,4:: O
Ru)~~~~,,~:~~,~~+~
{carry out text substitution} (St::
OQnc
-(fk4::
=
Ru))
{expand each wp (including the domain condition for assignment to the array element) from definitions for assignment} (34:: O
=
form is:
nc+l)ARa)
{apply one point rule twice and omit one of the repeated conjuncts 0 < nc + 1 < n } 0 G nc G n A Ru&r,nCj u co) - 0 G nc + 1 G n A Ru&CC;nc: o),nc+~)
=
{set equality A,( c, nc) u {a}
= A,(( c; nc : a), nc + 1))
O~~~~~ARU~~(,,,),~.)~O~~~+~~~ARU~~(~,~~),(,) =
{predicatecalculus}
O
{predicate
calculus}
O
form, we assume that the invariant 0 < nc < n A A = A,(c,
nc)
wp(c, nc := (c; nc: a), nc + 1, ,wp(A:=A u {a}, ,(O G nc < n A A = A,(c, nc)))) 181
Volume 34, Number 4
=
INFORMATION
{expand
both wps by textual
PROCESSING
substitution}
,,(O~nc+l~nAAU{a}=A,(( =
{remove
double
c; nc:a),
negation
=
and expand
nc+l))AO
A as defined
nc) u {a})=A,((c;
O
24 April 1990
LETTERS
in coupling}
nc:a),
nc+l)
{set manipulation}
O
{expand
both
nc: a), nc+l,
wps by textual
0 < nc < n A A = A,(c, =
{RQ~,(,~
-
{predicate
and further
that
Rc)
substitution}
nc) A Rai,
iu, 3 0 < nc f 1 < n A Rc;‘;.:‘~,,: uJ.,,c+l
and Rc;‘;.~‘~:~),~~+I are equal because
O
holds
Ra)
nc)r\wp(A:=Au{a},
nc:=(c;
the coupling
the substitute
values satisfy the invariant}
nc)*O
calculus}
O
3. A backwards nondeterministic
Suppose
an integer
coupling
i is represented
by a boolean
b, with the coupling
b = odd.i
The assignment i := 0 is to be replaced
by
b := false.
What extra proof obligation Morris/Morgan/Gardiner b := false is (3i::
=
=
introduce?
proof. The Morris/Morgan/Gardiner
b = odd.i A wp(i:= * wp(b := false, (3i::
0, Ra)) b = odd.i
A Ra))
{ wp for assignment} (Eli:: b = odd.i A Rub) 3 (Eli:: b = odd.i {bnotfreein Ku} (Eli:: b = odd.i
182
does this replacement
A Rub) *
(3i::
A Ra)ialse
false = odd.i A Ra)
proof obligation
for replacing
i := 0 by
Volume
34, Number
=
4
INFORMATION
PROCESSING
LETTERS
24 April 1990
{i not free in Ra after substitution} (3i::
=
A Rab 2 (Eli:: false = odd.i A Ra)
b = odd.i)
((3i::
b = odd.i)
is true}
Rab - (Eli:: false = odd.i A Ra) -c=
{instantiate
with i = 0}
Rab * false = odd.0 A Rab = Prins/Gries
true proof. The Prins/Gries wp(b := false, -,wp(i
=
{expand
inner
:= 0, ,(b
wp by textual
wp(b := false, ,,(b =
form for replacing
{cancel double
i := 0 by b := false is
= 0dd.i))) replacement
(b = odd.i)‘,}
= odd.O)) negation}
wp (b := false, b = odd.O) =
{expand
wp )
false = odd.0 =
true
Chen/Udding proof. For the Chen/Udding form, we assume that Ra and Rc are predicates that are equal (i.e., both true or both false) whenever the concrete and abstract variables satisfy the coupling. Then we must show b = odd.i A wp(i := 0, Ra) - wp(b := false, Rc) =
{expand
both wps by textual
substitution}
b = odd.i A Rah 2 Rc,b,,, =
{ Rab = Rcialse because
the substitute
values satisfy the invariant)
b = odd.i =
{coupling
assumed
true}
true
4. A more deterministic chooser Suppose we have used a nondeterministic selection operation choose( a,A) to select a member from set A. It is to be replaced by a (more deterministic) selection choose( a, B), where B c A. For instance, a choice from the two element set B = { A.min, A.max} might be substituted. Since there are no represented variables, the proof obligation is really only the procedural refinement condition wp(choose(a,
A),
Ra) =j wp(choose(a,
B),
Ra). 183
INFORMATION
Volume 34, Number 4
PROCESSING
LETTERS
24 April 1990
We would like to see how easily each of the proof rules simplifies to the pure procedural refinement condition. It is equally acceptable for a data refinement proof to terminate either by (a) reaching a nonreducible formula or (b) reaching the procedural refinement condition. Morris/Morgan/Gardiner proof. With a trivial invariant true and no abstract variables, there is no need for the quantification in the full Morris/Morgan/Gardiner form, and the reduction to procedural refinement is simply true A wp(choose(a, =
A), Ra) * wp(choose(a,
B), true A Ra)
{predicate calculus) wp(choose(u,
A), Ru) -
wp(choose(u,
B), Ru)
Prins/Gries proof. Because the two statements both assign to a common variable a, the Prins/Gries proof obligation requires that a renaming be applied. We will modify the replacement choose( a, B) to choo.se(b, B). The postcondition in the proof obligation then requires that b = a: wp(choose(b, =
{apply wp(choose(b, B 28
=
B), 7wp(choose(u,
uEB:
A), -,(u = a)))
,(A#flA(if’u:
uE:A:
T(u=u))))
(carry negation inside quantifier}
{A
uEB:
#,tJ,
B#fl
(Vu: UEB: =
to outer wp}
{similar expansion of inner wp }
B#flA(h: =
= a)))
B), Ru) = (B #:O A (VU: u E B: Rui))
A (Vu: u E B: ,wp(choose(u,
B#flA(tlu: =
A), ,(b
(A
=@V(~U:
uEA:
u=u)))
assumed}
(3~: IAEA: u=u))
{B G A assumed} true
Chen/Udding proof. Assume the coupling true holds and implies Ru = Rc. The Chen/Udding obligation reduces in one step to the procedural form: (true A wp(choose(u, =
{apply
A), Ru)) -
wp(choose(u,
proof
II), Rc)
Ru = Rc }
wp(choo.se(u,
A), Ru) =+ wp(choose(u,
B), Ru)
5. Discussion and conclusions We have manipulated two cases of data refinement and one of procedural refinement by three formulations of data refinement. The various proof methods reach the same final predicates by differing paths. On the other hand, the results are not strictly equivalent, for the first two Morris/Morgan/Gardiner proofs and the first Chen/Udding proof only show that refinement follows from the final form, while the Prins/Gries form gives strict equality. 184
Volume
34, Number
4
INFORMATION
PROCESSING
LETTERS
24 April 1990
The methods are all fairly confusing to work with at first. The Morris/Morgan/Gardiner method requires both a quantifier and reasoning about “all possible” postconditions. The Prins/Gries method has a nested application of wp and a double negation. The Chen/Udding method reasons about two unspecified postconditions. Length and complexity of proofs is hard to measure fairly. In the first two examples the Prins/Gries proofs are both short and easy to arrive at. The explanations for expanding wp and removing double negation are entirely mechanical. The Chen/Udding proofs are also short and involve little symbol manipulation. The step at which Ra and Rc are argued to be equal after substitution is, at least initially, surprising. This is the crux of the proofs; the preceding steps are aiming at precisely this point at which the two postconditions can be declared equal, allowing the equation to collapse. The Morris/Morgan/Gardiner proofs appear somewhat longer in the first two examples, partly because they do not benefit from the ability to systematically move an antecedant into a simply stated assumption. If used regularly, one would want to be quite familiar with the special rules for functional couplings and particular statements as derived in the papers by Morris, Morgan, and Gardiner [3,2], rather than applying the original form. In the final example, the Morris/Morgan/Gardiner and Chen/Udding methods simplified immediately to the procedural refinement condition. The nested structure of the Prins/Gries form prevents such immediate reduction to the left-to-right procedural form.
Acknowledgment This paper was aided by discussions with David Gries and the Polya research group at Cornell University. Carroll Morgan, and Wei Chen, and the anonymous referees provided useful comments on an earlier version.
References [l] W. Chen and J.T. Udding, Towards a calculus of data refinement, in: Mathematics of Program Construction, Lecture Notes in Computer Science 375 (Springer, Berlin, 1989). [2] C. Morgan and P.H.B. Gardiner, Data refinement by calculation, Acta Inform., to appear.
[3] J.M. Morris, Laws of data refinement, Acta Inform. 26 (4) (1989). [4] J. Prim and D. Gries, A new notion of encapsulation, in: Proc. Symposium on Language Issues in Programming Enuironments, SIGPLAN (1985).
185