| Publication Type | journal article |
| School or College | College of Engineering |
| Department | Kahlert School of Computing |
| Creator | Subrahmanyam, P.A. |
| Title | On proving the correctness of data type implementations |
| Date | 1980 |
| Description | In order to prove the correctness (or consistency) of an implementation of a data type with respect to the data type's specifications, the minimal amount of information that needs to be provided consists of: (i) a specification of the type being implemented; (ii) a specification of the representation type; and (iii) a specification of an implementation. This paper develops a method for proving the correctness of data type implementations that requires only this minimal amount of information to be specified in order for a proof to be attempted; this is in contrast to several of the existing methods which need additional information augmenting (i)-(iii) to be specified in order to be applicable. The ensuing generality of the proposed method makes it more amenable to automation. Examples of applications of the proof method are presented, all of which have been automated. |
| Type | Text |
| Publisher | University of Utah |
| First Page | 1 |
| Last Page | 36 |
| Subject | Data type; Consistency |
| Subject LCSH | Data structures (Computer science) |
| Language | eng |
| Bibliographic Citation | Subrahmanyam, P. A. (1980). On proving the correctness of data type implementations. 1-36. UUCS-80-101. |
| Series | University of Utah Computer Science Technical Report |
| Relation is Part of | ARPANET |
| Rights Management | ©University of Utah |
| Format Medium | application/pdf |
| Format Extent | 15,711,042 bytes |
| Identifier | ir-main,16124 |
| ARK | ark:/87278/s69p3jrt |
| Setname | ir_uspace |
| ID | 702945 |
| OCR Text | transcription follows |

On Proving the Correctness of Data Type Implementations

P.A. Subrahmanyam, Department of Computer Science, University of Utah, Salt Lake City, Utah 84112

UUCS-80-101, September 1979

ABSTRACT

In order to prove the correctness (or consistency) of an implementation of a data type with respect to the data type's specifications, the minimal amount of information that needs to be provided consists of: (i) a specification of the type being implemented; (ii) a specification of the representation type; and (iii) a specification of an implementation. This paper develops a method for proving the correctness of data type implementations that requires only this minimal amount of information to be specified in order for a proof to be attempted; this is in contrast to several of the existing methods which need additional information augmenting (i)-(iii) to be specified in order to be applicable. The ensuing generality of the proposed method makes it more amenable to automation. Examples of applications of the proof method are presented, all of which have been automated.

This work was supported in part by an IBM Fellowship.

Table of Contents

1. Introduction 1
1.1. Summary of the Paper 2
2. Preliminary Definitions 2
2.1. Some Notational abbreviations 5
2.2. Equivalence under extraction operations 5
2.3. Defining an implementation 6
2.4. Kernel Functions 9
3. On proving the correctness of an implementation 11
4. Illustrations of the Proof Method 13
4.1. Proof of an Implementation of a Stack 13
5. Some comparisons with other proof methods 17
Appendices
I. Proof of Theorem 7 19
II. Proof of Theorem 8 22
III. Definitions of the types Array and Integer 26
IV. The Proof of a Queue Implementation 27

List of Figures

Figure 2-1: Stack Definition 3
Figure 2-2: Word Algebra generated by $F^{Stack}$ 4
Figure 2-3: An Implementation of a Stack using an Indexed Array 10
Figure 5-1: Figure Illustrating Lemma 11 23
Figure 5-2: Definition of the type Integer 26
Figure 5-3: Definition of the type Array 26
Figure 5-4: Definition of the type Queue 27
Figure 5-5: An Implementation of the type Queue 27

ON PROVING THE CORRECTNESS OF DATA TYPE IMPLEMENTATIONS

1. Introduction

Programming involves representing the abstractions of the objects and operations relevant to a given problem domain using "primitive" objects and operations that are presumed to be already available; ultimately, such primitives are those provided by the available hardware. Various programming methodologies advocate ways of achieving "good" organizations of layers of such representations, in attempting to provide effective means of coping with the complexity of programs. The importance of data abstractions in achieving elegant organizations was cogently argued for by Hoare in [1], and their use has, by now, been amply demonstrated. Hoare also proposed a method for proving the correctness of implementations of data abstractions in [7]. Due to a proliferation of languages incorporating variations of the notion of abstract data types (for example, [8] and [14]), techniques for proving the correctness of implementations of abstract types have since gained in importance [15]. Two of the most widely used techniques are those due to Hoare [7], and Guttag et al [5].

In this paper, we present a new proof method that is more general than the existing methods; the nature of this generality makes our method more amenable to automation. In particular, the method proposed has the important advantage of normally requiring only the minimal amount of information that is necessary in order to enable a proof of the correctness (or consistency) of an implementation of a data type with respect to its specifications. This is in contrast to most of the existing proof methods, including those of [7] and [5], wherein it is usually necessary to augment the specifications of (i) the data type being implemented, (ii) the representation type, and (iii) the implementation, with additional information in order to carry out the proofs. We relegate details of further comparisons to section 5.

1.1. Summary of the Paper

We briefly review some basic definitions relating to abstract data types in Section 2. We adopt the view that the inherent structure of an abstract data type is characterized by its "externally observable behavior"; such behavior is reflected by functions that return elements of "known" types (i.e. types other than the one being defined). A notion of equivalence of instances of a type under extraction is developed to make precise this externally observable behavior. An implementation of one data type (the Type of Interest TOI) in terms of another (the Target Type TT) is defined as a map between the functions and the objects of the two types that preserves the observable behavior of the TOI. We show (Theorem 7) that this definition coincides with the more conventional definition of an implementation as a surjective homomorphism from the equivalence classes of the representation (target) type to the equivalence classes of the Type of Interest. However, it is this difference in perspective that affords insight into the added generality of our proof method.

Section 3 outlines the theoretical basis underlying the proof method. We first observe that a straightforward induction proof based directly on the developments in Section 2 is not feasible in practice; an alternative proof strategy is then developed and shown to be correct. In Section 4 we illustrate an application of the proof method; we have chosen to first illustrate the proof of an implementation of a Stack in order to highlight some of the important differences between the present method and previously proposed proof strategies (these are elaborated in section 5). Other examples attempted include proofs of implementations of a Queue, a SymbolTable, and a TextEditor. All of these proofs have been automated.

2. Preliminary Definitions

Definition 1: An abstract data type can be regarded as a many sorted algebra, consisting of a set X of sorts, a set F of function symbols, and a set of equations relating terms generated by F and containing free variables. Each f in F has an associated arity that is an element $(x_1, x_2, \ldots, x_n, x_{n+1})$ of $X^{n+1}$. We also write $f: (x_1, x_2, \ldots, x_n) \to x_{n+1}$ (for an example, see figure 2-1).

Definition 2: Let $V = \langle V_1, \ldots, V_i, \ldots \rangle$, where $V_i$ is a set of variables of sort $x_i$. The word algebra $W[F,V]$ generated by F and V consists of the union of the sets $W^{(n)}[F,V]$, n = 0, 1, 2, ... defined as follows:

1. all variables of sort x are in $W^{(0)}_x[F,V]$
2. all constants of sort x (that is $f: () \to x$) are in $W^{(0)}_x[F,V]$
3. if $f: x_1, x_2, \ldots, x_k \to x$, then $f(t_1, \ldots, t_k)$ is in $W^{(n)}_x[F,V]$ if for each i, $t_i$ is in $W^{(n-1)}[F,V]$, and at least one $t_i$ is not in $W^{(n-2)}[F,V]$.

Figure 2-2 illustrates the word algebra generated by functions defined on a Stack.

```
Type Stack(Item)
Syntax
  NEWSTACK: () -> Stack
  PUSH:     (Stack, Item) -> Stack
  POP:      (Stack) -> Stack
  TOP:      (Stack) -> Item U {UNDEFINED}
  ISEMPTY:  (Stack) -> Boolean
Semantics
  for all s in Stack, x in Item,
  POP(NEWSTACK)     = NEWSTACK
  POP(PUSH(s,x))    = s
  TOP(NEWSTACK)     = UNDEFINED
  TOP(PUSH(s,x))    = x
  ISEMPTY(NEWSTACK) = true
  ISEMPTY(PUSH(s,x)) = false
End Stack
```

Figure 2-1: STACK DEFINITION

Footnote 1: For the purposes of this paper, we ignore the technicalities arising out of the presence of parameterized types and functions returning "error" values (see [13, 4]). However, the reader's intuition will not lead him astray in his comprehension of this paper.

The data type Stack can be viewed as consisting of

- the set of sorts X, X = {Stack, Item, Boolean}, the sorts themselves being Stack, Item, Boolean;
- the set of function symbols $F^{Stack}$ = {NEWSTACK, PUSH, POP, TOP, ISEMPTY}, with associated arities as shown in figure 2-1, $F^{Boolean}$ = {FALSE, TRUE}, etc.;
- the set of terms in the word algebra generated by this set of functions consists of $W_{Stack}[F^{Stack}, (x, y, \ldots)]$ = {NEWSTACK, PUSH(NEWSTACK,x), PUSH(NEWSTACK,y), ..., PUSH(PUSH(NEWSTACK,x),x), PUSH(PUSH(NEWSTACK,y),y), PUSH(PUSH(NEWSTACK,x),y), PUSH(PUSH(NEWSTACK,y),x), POP(NEWSTACK), POP(PUSH(NEWSTACK,x)), ...} etc.; $W_{Item}[F^{Stack}, (x, y, \ldots)]$ = {TOP(NEWSTACK), TOP(PUSH(NEWSTACK,x)), ..., TOP(POP(NEWSTACK)), ...} etc.;
- the equations are those shown in figure 2-1.

Figure 2-2: Word algebra generated by $F^{Stack}$

2.1. Some Notational abbreviations

$F^T$ denotes the set of functions defined on the data type T; $V_T$ denotes the (countable) set of variables of type T. To improve readability, we often abbreviate $W_T[F \cup F^G, V]$ to $W_T[F]$ (that is, the functions $F^G$ defined on the "known" or "global" types G are omitted). When $F = F^T$, i.e., F is the entire set of functions defined on type T, we further abbreviate $W_T[F^T]$ to $W_T$.

2.2. Equivalence under extraction operations

The functions $F^T$ defined on an abstract data type T can be categorized into Base constructors ($BC^T$), which spawn new instances of the type (e.g. NEWSTACK), Constructors ($C^T$), which form new instances of the type from existing ones (e.g. PUSH, POP), and extraction functions or extractors ($E^T$), which return members of other "known" types (e.g. TOP, ISEMPTY). We adopt the viewpoint that any object representing an instance of a type is completely characterized by its "externally observable" properties; such properties are just those that are obtained as results of applications of extraction functions defined on the type. This is made precise in the notion of extraction equivalence of instances of the type [12, 10]. Informally, two terms $t_1$ and $t_2$ are said to be extraction equivalent if every sequence of function applications that terminates with the application of an extraction function yields the same (or "equivalent") results on the two terms.

As an example, two instances of the type Stack (say, $s_1$ and $s_2$) are extraction equivalent iff the applications TOP($s_1$) and TOP($s_2$), TOP(POP($s_1$)) and TOP(POP($s_2$)), ..., TOP(PUSH($s_1$,$x_1$)) and TOP(PUSH($s_2$,$x_1$)), ..., ISEMPTY($s_1$) and ISEMPTY($s_2$), ISEMPTY(POP($s_1$)) and ISEMPTY(POP($s_2$)), ..., ISEMPTY(PUSH($s_1$,$x_1$)) and ISEMPTY(PUSH($s_2$,$x_1$)), ... yield the same results pairwise.

We now formalize the notion of extraction equivalence. For any term t, we denote by $t[v \mid t']$ the term obtained from t by replacing each occurrence of v in t by the term t'. (For this to be well defined, it is necessary that the sorts of t' and v be the same.) We denote by $t[v \in V_T \mid t']$ the term obtained by substituting t' for all occurrences, in t, of variables that are contained in $V_T$.

Let $t_g$ be a term in the word algebra $W_g[F,V]$ where g in G is different from T; further, let $t_g$ contain (one or more) occurrences of variables of sort T. Let t' and t'' be obtained by substituting $t_1$ and $t_2$ respectively for all occurrences of variables of sort T in $t_g$. Thus $t' = t_g[v \in V_T \mid t_1]$ and $t'' = t_g[v \in V_T \mid t_2]$. (Note that the terms t' and t'' obtained by this process represent all possible pairs of terms obtained by applying sequences of functions ending in an extraction function to $t_1$ and $t_2$, cf. the example in the previous paragraph.)

Definition 3: $t_1$ and $t_2$ are said to be extraction equivalent in T if and only if t' and t'' are (extraction) equivalent in g. Thus, $t_1 =_T t_2$ if and only if either (i) $t_1 = t_2$, or (ii) (for all g in G)(for all $t_g$ in $W_g[F,V]$) $\big(t_g[v \in V_T \mid t_1] =_g t_g[v \in V_T \mid t_2]\big)$, where G is the union of all "known types" that are returned by extraction functions defined on T. To avoid ambiguity, the = sign has been labeled to apply over the type domain of its arguments.

Two important observations immediately follow as a result of this definition:

1. When G is the empty set, extraction equivalence becomes identical to syntactic equivalence.
2. Syntactic equivalence implies extraction equivalence. Thus, $t_1 = t_2 \Rightarrow t_1 =_T t_2$.

2.3. Defining an implementation

Informally, an implementation of one data type, the type of interest TOI, in terms of another, the target type TT, is a map from the functions and the objects of TOI to those of TT which preserves the "observable behavior" of the type of interest. That is, whenever extraction functions are applied to objects of TOI, yielding instances of known types, the corresponding computation in the implementation domain should yield identical results. This is the import of Definition 6 below.

On the other hand, the conventional characterization of a "correct" implementation embodies the requirements that (i) every instance of TOI is represented by some instance(s) of the representation type, and that (ii) the implementations of the functions defined on TOI "work properly." Formally, the existence of a surjective map from the equivalence classes in the representation type TT to the equivalence classes in the type of interest TOI ensures that every instance of TOI is represented by at least one instance of TT. Further, if this map is a homomorphism, it ensures that the functions "work properly" (see [13]). The existing proof methodologies are based primarily on this definition (see Section 5). In contrast, the proof method that we will outline in section 3 is based on the definition of correct implementation as developed in Definition 6. We show in Theorem 7 that the above notions of a correct implementation are formally equivalent. However, as mentioned in Section 1, the generality of the proof method delineated herein stems from the difference in our perspective.

We can define an implementation map with greater precision in terms of a (restricted) derivor [13]; this is done in Definition 4 below. However, we first need to introduce the notion of a term being viewed as a derived operator: informally, a term "POP(PUSH(s,x))" can be viewed as an operator (say POP-PUSH) with arity POP-PUSH: Stack, Item -> Stack, that maps the arguments (s,x) to the Stack "POP(PUSH(s,x))." POP-PUSH is called a derived operation ("derived" from the term "POP(PUSH(s,x))," where s and x are variables). When we explicitly want to indicate the function derived from a term t, we shall denote it $\bar{d}(t)$.

Definition 4: A derivor d consists of the following pair of maps

(a) a map $d_a$ from ({TOI} ∪ G) to ({TT} ∪ G); we shall be concerned only with the case where $d_a$ maps TOI to TT and is the identity operator on all of the global sorts g in G. That is, $d_a(TOI) = TT$, and (for all g in G) [$d_a(g) = g$]. (This merely embodies the fact that we compute with TT-objects in place of TOI-objects and that everything else is unchanged.)

(b) a map θ from $F^{TOI}$ to $W_{TT}$ that preserves arity: if $f: x_1 \ldots x_n \to x$ (f in $F^{TOI}$), then $\bar{d}(\theta[f])$ (a term in $W_{TT}$) when viewed as a "derived operator" must have arity $\bar{d}(\theta[f]): d_a(x_1) \ldots d_a(x_n) \to d_a(x)$. By virtue of the simplification in (a), this arity is simply $x_1, \ldots, x_n \to x$ with any occurrences of TOI being replaced by TT. Henceforth, we simply write θ(f) for $\bar{d}\theta(f)$.

The map θ which is of interest to us acts as the "identity" for functions f in $F^G$. Thus, the non-trivial part of θ is the one that transforms the functions defined on the type of interest to terms in the target type. This map will henceforth be referred to as the implementation map (or simply the implementation θ), and in essence, defines an implementation of the type TOI in terms of the type TT.

Definition 5: The d-derived algebra dTT defined by a derivor d is an algebra with functions {$\bar{d}\theta(f)$ | f in $F^{TOI}$}, that is, the function corresponding to f is the term θ(f) viewed as a derived function. The equations of dTT are identical to those of TT.

Example: If we consider the implementation of a Stack in terms of an Indexed Array (see Figure 2-3), the maps comprising the derivor are: $d_a$(Stack) = Indexed Array, $d_a$(Item) = Item, $d_a$(Boolean) = Boolean. The type Indexed Array is a tuple consisting of an Array and an integer; the map θ is detailed in figure 2-3.

It is straightforward to extend the domain of θ from $F^{TOI}$ to $W_X[F^{TOI} \cup F^G, V]$, X in {TOI} ∪ G: variables of sort TOI are mapped to variables of sort TT, while variables (and functions) of all other sorts remain unchanged. Then, if $t = f(t_1, \ldots, t_n)$, we define $\theta(t) = \theta(f)(\theta(t_1), \ldots, \theta(t_n))$.

Definition 6: A map θ defines a correct implementation of TOI in terms of TT if (for all g in G)(for all $t_g$ in $W_g[F^{TOI}]$) [$\theta(t_g) =_g t_g$].

Theorem 7 shows that this interpretation of an implementation coincides with one defining a surjective homomorphism from the extraction equivalence classes of dTT to the extraction equivalence classes of TOI.

Theorem 7: An implementation map θ such that

(for all g in G)(for all $t_g$ in $W_g[F^{TOI}]$) [$\theta(t_g) =_g t_g$] -- (I)

implies the existence of a surjective homomorphism $\theta': W_{dTT}/E^{TT} \to W_{TOI}/E^{TOI}$, where $W_{dTT}/E^{TT}$ (respectively $W_{TOI}/E^{TOI}$) denotes the extraction equivalence classes induced by the functions $E^{TT}$ (respectively $E^{TOI}$).

Proof: See Appendix I.

2.4. Kernel Functions

The first phase of constructing the formal specifications for a problem involves specifying an appropriate syntax that embodies the visible "syntactic interface" requirements of the problem, i.e. enumerating a set of functions F associated with appropriate arities. The second phase of the specification process involves specifying the semantics of the functions in F. In this later phase, it is convenient to first tentatively identify a minimal set of base constructors and constructors that serve to generate all representative instances of the type, such as {NEWSTACK, PUSH} for a Stack; we will refer to such a set of functions as a kernel set and denote it $K^T$. If the semantics of the remaining functions can be completely specified by defining their action only on the instances of the type generated by the postulated kernel set, then the initial identification of $K^T$ fulfills the formal requirements of a set of kernel functions [11]. (Footnote 2)

More formally, a set of kernel functions $K^T$ is characterized by the fact that every term in $W_T[F^T]$ is equivalent (under the set of defining equations) to at least one term in $W_T[K^T]$. Invariably, such a set $K^T$ is identical to a syntactic version of a kernel set, defined to be the union of the functions that appear in the arguments on the left hand sides of the defining equations of the non-kernel functions; an algorithm to identify such a set can be found in [12]. (Footnote 3) In other words, the equations that define the semantics of non-kernel functions refer explicitly only to terms generated by syntactic kernel functions; henceforth, we shall use $K^T$ to denote the syntactic kernel set obtained from a given specification of the type T. We now proceed to elaborate on the relevance of this observation to the proof method.

Footnote 2: Of course, this phase of constructing formal specifications may undergo several iterations before a final set of specifications is settled upon, since the initial (and intermediate) specifications may provide an "unsatisfactory" interface for the user.

Footnote 3: The notion of a syntactic kernel set is introduced only to circumvent the pathological undecidabilities that can arise in computing a "semantic" version of the kernel set.

The map θ defining an implementation of a Stack using an Indexed Array is defined below. Let θ(s) = <a,i>.

```
θ(NEWSTACK)   = <NEWARRAY, ZERO>
θ(PUSH(s,x))  = <ASSIGN(a, SUCC(i), x), SUCC(i)>
θ(POP(s))     = <a, PRED(i)>
θ(TOP(s))     = DATA(a, i)
θ(ISEMPTY(s)) = [i = ZERO]
```

i is an Integer Index, SUCC(i) is the Successor of the integer i (= i + 1), PRED(i) is the Predecessor of the integer i (with the semantics for monus). Appendix III details the definitions of the types Array and Integer.

Figure 2-3: THE IMPLEMENTATION OF A STACK USING AN INDEXED ARRAY

3. On proving the correctness of an implementation

Recall from Definition 6 that a proof of the correctness of an implementation specified by a map θ involves showing that the following holds:

(for all g in G)(for all $t_g$ in $W_g[F^{TOI}]$) $t_g =_g \theta(t_g)$. -- (P)

Now, every such term $t_g$ is either of the form $e(v_1, \ldots, v_n)$ (for some extraction function e in $E^{TOI}$, where $e: x_1, \ldots, x_n \to x$, and $v_i$ in $V_{x_i}$), e.g. TOP(s), or is obtained by instantiating the variables in $e(v_1, \ldots, v_n)$, e.g. TOP(NEWSTACK), TOP(POP(s')), etc. Thus, if we consider the set of (uninstantiated) terms S of the form $e(v_1, \ldots, v_n)$ and prove that $e(v_1, \ldots, v_n) =_g \theta(e(v_1, \ldots, v_n))$ for every such term in S, then we shall have proved that θ defines a correct implementation. However, it may not be possible to carry through all of the required proofs directly, because of the lack of the appropriate forms of the defining equations. For example, there is no defining equation of the form TOP(s) = ... that is normally specified for a stack. As a consequence, in order to use the defining equations of TOI and TT in proving equivalences, it may be required to instantiate the variables in $e(v_1, \ldots, v_n)$ with some specific terms. For example, if the variable s in TOP(s) is instantiated to either NEWSTACK or PUSH(s',x), it becomes possible to use the defining equations of TOP. It is, however, imperative to guarantee that the generality of the overall proof procedure is not compromised by any such (set of) specialization(s). The most obvious way to ensure this generality is to use induction on the syntactic structure of the terms in the word algebra generated by $F^T$. For example, this would require considering the terms TOP(NEWSTACK), TOP(PUSH(s,x)), TOP(POP(s)), etc. Unfortunately, even the specializations ensuing from such a set of instantiated terms may not be adequate to enable a completion of the required proofs. This will be the case if the type is not freely generated by the constructors, i.e., if the set of non-kernel constructors is non-empty. Thus, in the case of the type Stack, POP is a non-kernel constructor, and there is no explicit equation of the form TOP(POP(s)) = ... Nonetheless, it is possible to develop a proof procedure that uses induction only on the terms generated by a set of kernel functions, by recognizing (proving) the extraction equivalence of certain terms in the derived algebra. Proofs of extraction equivalence of terms in the derived algebra must in turn rely primarily on an induction on the structure of terms in the derived algebra, but this often turns out to be feasible in practice. The resulting proof procedure is quite general; what is of greater relevance, however, is that it is more amenable to automation.

Concluding this prologue, we now outline the proof procedure in greater detail. We denote by $=_{dTT}$ extraction equivalence in the derived algebra dTT.

Theorem 8: Let R denote the set of defining equations of TOI. For each defining equation $t_1 = t_2$ in R, where $t_1, t_2$ are not in $W_G$, if

$t_1 = t_2 \Rightarrow \theta(t_1) =_{dTT} \theta(t_2)$ -- (A)

and if

(for all g in G)(for all $t_g$ in $W_g[K^{TOI} \cup E^{TOI}]$) $t_g =_g \theta(t_g)$ -- (B)

then θ defines a correct implementation.

Proof: See Appendix II.

It is crucial to note that the equation (B) above considers only $W_g[K^{TOI} \cup E^{TOI}]$ and not $W_g[F^{TOI}]$.

In order to prove $t_1 =_{dTT} t_2$, it is necessary to prove that (for all g in G)(for all $t_g$ in $W_g[F^{dTT}]$) $t_g[v \in V_{dTT} \mid t_1] =_g t_g[v \in V_{dTT} \mid t_2]$. This proof may again be based upon induction on the structure of the terms in the word algebra $W_{dTT}$, and consists of the following steps:

Base case: Prove (for all g in G)(for all $t_g$ in $W^{(0)}_g[F^{dTT}]$) $t_g[v \in V_{dTT} \mid t_1] =_g t_g[v \in V_{dTT} \mid t_2]$

Assume (as the induction hypothesis) (for all g in G)(for all $t_g$ in $W^{(n)}_g[F^{dTT}]$) $t_g[v \in V_{dTT} \mid t_1] =_g t_g[v \in V_{dTT} \mid t_2]$

Induction step: Prove (for all g in G)(for all $t_g$ in $W^{(n+1)}_g[F^{dTT}]$) $t_g[v \in V_{dTT} \mid t_1] =_g t_g[v \in V_{dTT} \mid t_2]$

The proof of part (B) of Theorem 8 is again obtained by an induction on the terms of $W_g[K^{TOI} \cup E^{TOI}]$.

We now illustrate the proof method based on Theorem 8 by proving the correctness of the Stack implementation given in figure 2-3.

4. Illustrations of the Proof Method

4.1. Proof of an Implementation of a Stack

To prove the given implementation θ correct (see figure 2-3), it is necessary to prove that

TOP(s) = θ(TOP(s)) for all s in $W_{Stack}$ -- (S1)

and

ISEMPTY(s) = θ(ISEMPTY(s)) for all s in $W_{Stack}$. -- (S2)

We will discuss only the proof of (S1) here. The proof of (S2) is almost identical.

Proof of (S1): The most natural form of a proof of (S1) relies on induction on the structure of the terms in $W_{Stack}[F^{Stack}]$, but involves the following proof:

(for all s in $W_{Stack}$) TOP(POP(s)) = θ(TOP(POP(s))) -- (T-POP)

Note however, that the defining equations for TOP apply only to terms of the form NEWSTACK or PUSH(s,x). Thus, (T-POP) cannot be proved directly. In general, equations that involve non-kernel functions cannot be proved directly by using the defining equations. Consequently, any syntactic equivalences that are implied by the defining equations for non-kernel functions (on Stack) must be proven to carry over as extraction equivalences in the (derived) implementation algebra. That is, we need to show that

POP(NEWSTACK) = NEWSTACK $\Rightarrow$ θ(POP(NEWSTACK)) $=_{dAI}$ θ(NEWSTACK) -- (A1)

and

POP(PUSH(s,x)) = s $\Rightarrow$ θ(POP(PUSH(s,x))) $=_{dAI}$ θ(s). -- (A2)

In such a case, by virtue of Theorem 8, it is sufficient to show that TOP(s) = θ(TOP(s)) for all s in $W_{Stack}[K^{Stack}]$, where the kernel set for Stack is {NEWSTACK, PUSH}. This in turn can be proved by induction on the structure of terms in $W_{Stack}[K^{Stack}]$, and consists of the following steps:

Base Case: Prove TOP(NEWSTACK) = θ(TOP(NEWSTACK)) -- (B1)

Assume as the induction hypothesis that (for all s in $W^{(n)}_{Stack}[K^{Stack}]$) TOP(s) = θ(TOP(s))

Induction Step: Prove (for all s in $W^{(n+1)}_{Stack}[K^{Stack}]$) TOP(PUSH(s,x)) = θ(TOP(PUSH(s,x))) -- (B2)

We now detail some of these proofs.

Proof of (A1):

LHS = θ(POP(NEWSTACK)) = θ(POP)(θ(NEWSTACK)) = θ(POP)(<NEWARRAY, ZERO>) = <NEWARRAY, PRED(ZERO)> = <NEWARRAY, ZERO> by the defining equation of PRED.

RHS = θ(NEWSTACK) = <NEWARRAY, ZERO> = LHS

Since syntactic equivalence implies extraction equivalence, the proof of (A1) is complete.

Proof of (A2): By the definition of θ, we have,

LHS = θ(POP)(θ(PUSH(s,x))) = θ(POP)(θ(PUSH)(<a,i>, x)) = θ(POP)(<ASSIGN(a, SUCC(i), x), SUCC(i)>) = <ASSIGN(a, SUCC(i), x), PRED(SUCC(i))> = <ASSIGN(a, SUCC(i), x), i> (by using PRED(SUCC(i)) = i)

RHS = θ(s) = <a,i>

Thus, we need to prove that the terms <ASSIGN(a, SUCC(i), x), i> and <a,i> are extraction equivalent in the derived target type algebra. These terms are not syntactically equivalent. Consequently, to prove the extraction equivalence of these two terms, we again need to resort to the basic definition and use induction on the structure of the terms in the derived algebra $W_{dAI}$, where we denote by dAI the derived Array-Index algebra. Observe that

$W^{(0)}_{dAI}[\theta(F^{Stack})]$ = {<NEWARRAY, ZERO>}

$W^{(n+1)}_{dAI}[\theta(F^{Stack})]$ = {<ASSIGN(a, SUCC(i), x), SUCC(i)>, <a, PRED(i)> | <a,i> in $W^{(n)}_{dAI}[\theta(F^{Stack})]$}

and that θ($E^{Stack}$) = {θ(TOP), θ(ISEMPTY)}.

A proof of (A2) by induction therefore consists of the following steps:

Base case: θ(TOP)(<NEWARRAY, ZERO>)[<a,i> | <ASSIGN(a, SUCC(i), x1), i>] = θ(TOP)(<NEWARRAY, ZERO>)[<a,i> | <a,i>] -- (A2-1)

Induction hypothesis: Assume (for all <a,i> in $W^{(n)}_{dAI}$) θ(TOP)(<a,i>)[<a,i> | <ASSIGN(a, SUCC(i), x1), i>] = θ(TOP)(<a,i>)[<a,i> | <a,i>]

Induction step: Prove (for all <a,i> in $W^{(n)}_{dAI}$)

θ(TOP)(<ASSIGN(a, SUCC(i), x), SUCC(i)>)[<a,i> | <ASSIGN(a, SUCC(i), x1), i>] = θ(TOP)(<ASSIGN(a, SUCC(i), x), SUCC(i)>)[<a,i> | <a,i>] -- (A2-2)

(for all <a,i> in $W^{(n)}_{dAI}$) θ(TOP)(<a, PRED(i)>)[<a,i> | <ASSIGN(a, SUCC(i), x1), i>] = θ(TOP)(<a, PRED(i)>)[<a,i> | <a,i>] -- (A2-3)

In addition, proofs with θ(ISEMPTY) substituted for θ(TOP) must also be carried out. We illustrate only the proofs for θ(TOP), since the proof for θ(ISEMPTY) is similar.

The proof of (A2-1) is trivial, since both the LHS and RHS are identical.

Proof of (A2-2):

LHS = θ(TOP)(<ASSIGN(ASSIGN(a, SUCC(i), x1), SUCC(i), x), SUCC(i)>) = DATA(ASSIGN(ASSIGN(a, SUCC(i), x1), SUCC(i), x), SUCC(i)) = x (by the defining equations of DATA)

RHS = θ(TOP)(<ASSIGN(a, SUCC(i), x), SUCC(i)>) = DATA(ASSIGN(a, SUCC(i), x), SUCC(i)) = x (by the defining equations of DATA) = LHS

Proof of (A2-3):

LHS = θ(TOP)(<a, PRED(i)>)[<a,i> | <ASSIGN(a, SUCC(i), x1), i>] = θ(TOP)(<ASSIGN(a, SUCC(i), x1), PRED(i)>) = DATA(ASSIGN(a, SUCC(i), x1), PRED(i)) = DATA(a, PRED(i))

RHS = DATA(a, PRED(i)) = LHS

In conjunction with the proofs for θ(ISEMPTY), this completes the proof of (A2), and therefore of part (A).

Proof of (B1): LHS = TOP(NEWSTACK) = UNDEFINED.
RHS - 0 (TOP(NEWSTACK)) - 0(T O P ) ( 0 (NEWSTACK)) = 0 (T O P ) (<NEWARRAY, Z E R O ) - DATA(NEWARRAY, ZERO) „ - UNDEFINED - LHS Proof of (B2) Let 0 ( s ) * <a ,i> - LHS - T OP(PU SH( s , x ) ) ■ x (by the d e f in in g equations for TOP) RHS = 0 (TOP(PUSH(s , x ) )) - 0 ( T O P ) ( 0 (PUSH (s , x ) )) = 0 (T O P ) ( 0 (PUSH) ( < a , i > , x ) ) = 0 (T O P ) (< A S S I G N ( a , S U C C ( i ) , x ) , SU C C(i )>) - 17 - D A T A ( A S S I G N ( a , S U C C ( i ) , x ) , SUCC(i)) = x (by the d e f in in g equations for DATA). = LHS . By Theorem 2 , the above proofs of Part (A) and (B) together imply that 0 d e f in e s a correct implementation of Stack. 5 . Some comparisons with other proof methods ‘ _ The conventional notion of a proof of the correctness of an implementation map 0 involves proving the existenc e of a surj e c t iv e homomorphism 0 ' from TT TOT onto W^q ^ / E . Most of the proof methods that have been employed thus far are based primarily on this d e f i n i t i o n of c or r e c tne s s , and fo l l o w e s s e n t i a l l y e i t h e r one of following two procedures: (1) an " a b s t r a c t i o n f u n c t io n " A: -> i s s p e c i f i e d , which serves as a postulated map 0 ' . The correctness proof then involves showing that A does indeed d e f in e a s u r j e c t i v e homomorphism. This method i s b a s i c a l l y due to Hoare [ 7 ] . The rep fun ct ion used in the ALPHARD v e r i f i c a t i o n methodology serves a similar purpose [ 1 5 ] . ( i i ) an e q u a l i t y r e l a t i o n * (c a lle d an " e q u a l i t y in t e r p r e t a t io n " in [5 ]) is sp e c i fi ed on the terms in The ex i s te nc e of the required homomorphic map 0 ' is then proved by making use of this e q u a l i t y i n t e r p r e t a t io n . This method is a s l ig h t g e n e r a l i z a t io n of ( i ) , since an abstra ction function can be used to impose an equaLity in terp retat ion on dTT, whereas the converse is not true. 
Specifically, the equality interpretation induced by an abstraction function A is: A(tt1) = A(tt2) => tt1 =_eq tt2.

Strictly speaking, however, in order to prove the correctness of an implementation of a type of interest TOI in terms of a target type TT, it should only be necessary to provide the following information:

1. a specification of the type being implemented TOI;
2. a specification of the representation type TT;
3. a specification of the implementation map θ.

It therefore detracts from the generality of a proof method if it is required to augment the specifications (1)-(3) above with some additional information in order to carry through a correctness proof. The existing methods, of which we have given some examples above, suffer from this drawback. In both of the above proof methods, it is necessary to supply some extra information in the form of an abstraction function in (i), or an equality interpretation in (ii). This is also true of a recent proposal of Flon and Misra [2]. In contrast, the method we have outlined in this paper does not require any additional information augmenting the specifications (1)-(3). To make a specific comparison, if the proof techniques of [GHM78] are used, the proof of an implementation of a Stack identical to the one discussed in section 4.1 needs the following equality interpretation to be specified:

θ'(<a,i>) = θ'(<a1,i1>) = if i = i1 and (for all k)[1 ≤ k ≤ i => DATA(a,k) = DATA(a1,k)]

As we indicated in section 1, the added generality of our proof procedure is quite important, since it facilitates automation. (For example, all of the proofs presented in this paper have been automated using the simplifier that forms part of the Stanford Verifier [9].) Of course, it is possible that in the course of a particular proof, some specific step cannot be carried through automatically, just as it is possible that in the course of attempting a correctness proof of a program using, say, Floyd-Hoare proof methods (cf. [3], [6]) it may prove to be difficult (or infeasible) in practice to demonstrate the invariance of certain assertions. However, our initial empirical explorations with an automated system have certainly served to indicate that the method can be used to carry out non-trivial proofs, thereby lending credibility to its pragmatic utility.

Appendix I. Proof of Theorem 7

We restate the theorem below.

Theorem 7: An implementation map θ such that (for all g in G)(for all t_g in W_g[F_TOI]) [θ(t_g) =_g t_g] (I) implies the existence of a surjective homomorphism θ': W_dTT/E_TT -> W_TOI/E_TOI, where W_dTT/E_TT (respectively W_TOI/E_TOI) denotes the extraction equivalence classes induced by the functions E_TT (respectively E_TOI).

The proof of this theorem rests on lemma 9 below. Let [t] denote the equivalence class of the term t.

Lemma 9: Let θ(t) = t̄, t in W_TOI. Define θ': W_dTT -> W_TOI, where θ'([t̄]) = [t]. Then θ' is a well defined map.

Proof. In order for θ' to be well defined, it needs to be shown that

(a) If t is such that θ(t) = t̄ (1) then there must not exist t' ≠_TOI t such that θ(t') = t̄ (2)

(b) θ' is defined for all [t̄] in W_dTT/E_TT.

Proof of part (a): Assume that there exists a t' ≠_TOI t such that θ(t') = t̄. Then, by the definition of extraction equivalence, there must exist t_g in W_g[F_TOI] such that

t_g[v in V_TOI | t] ≠_g t_g[v in V_TOI | t'] (3)

Intuitively, this implies the existence of a sequence of function applications, terminating in the application of an extraction function, that yields inequivalent results when applied to t and t'. But, by the definition of θ and constraint (I) of the theorem,

t_g[v in V_TOI | t] =_g θ(t_g[v in V_TOI | t]) (4)

and

t_g[v in V_TOI | t'] =_g θ(t_g[v in V_TOI | t']) (5)

By the definition of θ,

θ(t_g[v in V_TOI | t]) =_g θ(t_g)[v in V_TT | θ(t)]

and

θ(t_g[v in V_TOI | t']) =_g θ(t_g)[v in V_TT | θ(t')]

(3), (4) and (5) imply

θ(t_g)[v in V_TT | θ(t)] ≠_g θ(t_g)[v in V_TT | θ(t')] (6)

where θ(t_g) is in W_g[F_dTT ∪ F_G, V_TT]. But (1) and (2) together imply θ(t) = θ(t'), and consequently we have

(for all g in G)(for all t_g in W_g[F_dTT ∪ F_G, V_TT]) t_g[v in V_TT | θ(t)] =_g t_g[v in V_TT | θ(t')] (7)

which contradicts (6). Hence the assumption that there exists a t' ≠_TOI t such that θ(t') = t̄ cannot be true. End of Proof.

Proof of Part (b). By virtue of definition 4, the only terms in dTT are those that are images under θ of some term in W_TOI. There must therefore exist at least one term t in W_TOI[F_TOI ∪ F_G] which is the pre-image of t̄ under θ. That is, θ' is defined for every term t̄ in dTT. This completes the proof of the Lemma. End of Proof.

Proof of the theorem: Consider the map θ' defined in lemma 9. In order to prove the theorem, it needs to be shown that

(A) θ' is onto W_TOI/E_TOI,

(B) θ' is a homomorphism.

Proof of Part (A): To prove that θ' is onto, we have to show that for every [t] in W_TOI/E_TOI, there is a term in W_dTT/E_TT that maps onto [t].
Since, for every term t in W_TOI, θ(t) is in W_dTT, by definition of θ' we must have θ'([θ(t)]) =_TOI [t]. The proof of part (A) follows immediately. End of Proof.

Proof of Part (B): We need to show that

θ'([f'(t')]) =_TOI θ'([f'])(θ'([t'])) (8)

where f' is a function in dTT, and t' represents a tuple of terms. Let f, t be such that θ(f) =_TT f' and θ(t) =_TT t'. (Because of the reasons given in the proof of part (b) of the lemma, such a pair f, t must exist.) By definition of θ', we have θ'([f']) =_TOI [f] and θ'([t']) =_TOI [t]. Thus,

θ'([f'])(θ'([t'])) =_TOI [f(t)] (9)

Again, by definition of θ, θ(f(t)) =_TT θ(f)(θ(t)) =_TT f'(t'). Thus, by definition of θ',

θ'([f'(t')]) =_TOI [f(t)] (10)

Together, (9) and (10) imply that θ' satisfies the homomorphism condition (8), thus proving the theorem. End of Proof.

Appendix II. Proof of Theorem 8

We restate the theorem below.

Theorem 8: Let R denote the set of defining equations of TOI. For each defining equation t1 = t2 in R, where t1, t2 are not in W_TOI, if t1 = t2 => θ(t1) =_dTT θ(t2) -- (A) and if (for all g in G)(for all t_g in W_g[K_TOI ∪ E_TOI]) t_g =_g θ(t_g) -- (B) then θ defines a correct implementation.

We first prove four lemmas which formalize some fairly intuitive facts, and which are needed in the proof of Theorem 8.

About lemma 10. This lemma states that if a term t2 is obtained by instantiating a term t by substituting t' for the variables of sort T, where t' itself has been obtained by instantiating t'' by substituting t1 for the variables of sort T, then t2 can also be obtained directly by substituting t1 for the variables of sort T in some t2'; the term t2' is actually constructed in the proof of the lemma.

Lemma 10: Consider t, t1 in W_T. If t2 = t[v in V_T | t'] and t' = t''[v in V_T | t1], then there exists t2' such that t2 = t2'[v in V_T | t1].

Proof. The proof is by induction on the structure of t.

(a) Base Case. Let t be in W_T^(0). t in W_T^(0) => t = v or t = f, where f is in BC_T. t = v => t2 = t' = t''[v in V_T | t1]. Hence t2' = t''. If t2 = f then t2' = f.

(b) Induction Step. Assume that the proposition holds for all t in W_T^(n-1). Consider t in W_T^(n). Then t must be of the form t = f(x1, ..., xm) where f: (X1, ..., Xm) -> T, and xj in W_T^(n-1) (and such that at least one xj is not in W_T^(n-2)). Variables of sort T can then occur in x1, ..., xm.

t2 = t[v in V_T | t'] = f(x1[v in V_T | t'], ..., xm[v in V_T | t']) = f(x1'[v in V_T | t1], ..., xm'[v in V_T | t1]) (by hypothesis) = f(x1', ..., xm')[v in V_T | t1]

Hence t2' = f(x1', ..., xm'), which completes the proof. End of Proof.

Lemma 11 states that the terms t3, t4 obtained from a common term t' by instantiating variables with extraction equivalent terms are themselves extraction equivalent (although they might be syntactically distinct). This is illustrated in Figure 5-1.

[Figure 5-1: Figure illustrating Lemma 11]

Lemma 11: Consider t1, t2 in W_T. Let t3 = t'[v in V_T | t1], and t4 = t'[v in V_T | t2]. Then t1 =_T t2 => t3 =_T t4 (where =_T denotes extraction equivalence).

Proof. t3 =_T t4 <=> (for all g in G)(for all t_g in W_g) t_g[v in V_T | t3] =_g t_g[v in V_T | t4]. By lemma 10, there is some t_g'' in W_g such that t_g[v in V_T | t3] = t_g''[v in V_T | t1], and t_g[v in V_T | t4] = t_g''[v in V_T | t2]. Since t1 =_T t2, it follows that t3 =_T t4. End of Proof.

Lemma 12: Consider t1, t2 in W_T. Then t1 = t2 => t_g[v in V_T | t1] =_g t_g[v in V_T | t2], where t_g is in W_g.

Proof: Immediate, from lemma 11, since syntactic equivalence implies extraction equivalence. End of Proof.

Lemma 13: For all t_g in W_g[F_T], there is a term t in W_T[F_T], and a term t_g' in W_g[E_T], such that t_g = t_g'[v in V_T | t].

Proof. Every term t_g is of the form e(t1, ..., tn) where e is in E_T, e: (X1, ..., Xn) -> g, and ti is in W_T[F_T]. Consider the term t_g' = e(v1, ..., vn), vi in V_T. Then t_g' is in W_g[E_T], and t_g = t_g'[v1 | t1, ..., vn | tn]. End of Proof.

Proof of the Theorem. By virtue of the definition of K_TOI, for every t in W_TOI[F_TOI] there exists some t1 in W_TOI[K_TOI] such that t = t1. By virtue of (A), we have t = t1 => θ(t) =_dTT θ(t1). By Lemma 12, it follows that

t_g[v | t, t in W_TOI[F_TOI]] =_g t_g[v | t1, t1 in W_TOI[K_TOI]] (1)

Also,

θ(t_g[v | t]) =_g θ(t_g)[θ(v) | θ(t)] (2)

Consequently, (2) =>

θ(t_g[v | t, t in W_TOI[F_TOI]]) = θ(t_g)[θ(v) | θ(t), t in W_TOI[F_TOI]] = θ(t_g)[θ(v) | θ(t1), t1 in W_TOI[K_TOI], t = t1] (3)

Again, by virtue of (B), we have

(for all g in G)(for all t_g in W_g[K_TOI ∪ E_TOI]) t_g[v | t1, t1 in W_TOI[K_TOI]] = θ(t_g[v | t1, t1 in W_TOI[K_TOI]]) (4)

From (1), (2), (3) and (4), we obtain

(for all g in G)(for all t_g in W_g[K_TOI ∪ E_TOI]) t_g[v | t, t in W_TOI[F_TOI]] = t_g[v | t1, t1 in W_TOI[K_TOI], t = t1] (by (1)) = θ(t_g[v | t1, t1 in W_TOI[K_TOI]]) (by (4)) = θ(t_g[v | t, t in W_TOI[F_TOI]]) (by (2) and (3))

i.e.,

(for all g in G)(for all t_g in W_g[K_TOI ∪ E_TOI]) t_g[v | t, t in W_TOI[F_TOI]] = θ(t_g[v | t, t in W_TOI[F_TOI]]) (5)

But by lemma 13, t_g can be expressed as t_g'[v | t', t' in W_TOI[F_TOI]] where t_g' is in W_g[E_TOI] (and hence in W_g[K_TOI ∪ E_TOI]). Consequently, (5) implies that

(for all g in G)(for all t_g in W_g[F_TOI]) t_g[v | t, t in W_TOI[F_TOI]] = θ(t_g[v | t, t in W_TOI[F_TOI]]) (6)

But (6) is precisely the condition required for correctness of the implementation specified by θ. (Note that the key difference lies in the quantification of the terms t_g.) This proves the theorem. End of Proof.

Appendix III. Definitions of the types Array and Integer

Type Integer
Syntax
ZERO : () -> Integer
SUCC : (Integer) -> Integer
PRED : (Integer) -> Integer
ISZERO : (Integer) -> Boolean
Semantics
for all i in Integer
ISZERO(ZERO()) = TRUE
ISZERO(SUCC(i)) = FALSE
PRED(ZERO()) = ZERO
PRED(SUCC(i)) = i
End Integer

Figure 5-2: Definition of the type Integer

Type Array
Generic type parameter: Item
Syntax
NEWARRAY : () -> Array
ASSIGN : (Array, Integer, Item) -> Array
DATA : (Array, Integer) -> Item ∪ {UNDEFINED}
Semantics
DATA(NEWARRAY, i) = UNDEFINED
DATA(ASSIGN(a,i,x), j) = if i = j then x else DATA(a,j)
End Array

Figure 5-3: Definition of the type Array

Appendix IV. The Proof of a Queue Implementation

Consider the implementation of the type Queue (see figure 5-4) using a target type consisting of the triple <Array, Integer, Integer>. Intuitively, the first integer component points to the front of the Queue, while the second integer component points to the tail of the Queue. The implementation map θ for the functions on type Queue is given in figure 5-5. We note that BC_Queue = {NEWQ}, C_Queue = {ADDQ, DELETEQ}, E_Queue = {FRONTQ, ISEMPTYQ}.

Type Queue
Syntax
NEWQ : () -> Queue
ADDQ : (Queue, Item) -> Queue
DELETEQ : (Queue) -> Queue
FRONTQ : (Queue) -> Item
ISEMPTYQ : (Queue) -> Boolean
Semantics
for all q, q1 in Queue, x in Item;
DELETEQ(NEWQ) = NEWQ
DELETEQ(ADDQ(q,x)) = if q = NEWQ then NEWQ else ADDQ(DELETEQ(q),x)
ISEMPTYQ(NEWQ) = TRUE
ISEMPTYQ(ADDQ(q,x)) = FALSE
FRONTQ(NEWQ) = UNDEFINED
FRONTQ(ADDQ(q,x)) = if q = NEWQ then x else FRONTQ(q)
End Queue

Figure 5-4: Definition of the Type Queue

We write θ(q) = <a,l,h>.
θ(NEWQ) = <NEWARRAY, ZERO, ZERO>
θ(ADDQ(q,x)) = <ASSIGN(a, SUCC(h), x), l, SUCC(h)>
θ(DELETEQ(q)) = if l = h then <NEWARRAY, ZERO, ZERO> else <a, SUCC(l), h>
θ(FRONTQ(q)) = if l = h then UNDEFINED else DATA(a, SUCC(l))
θ(ISEMPTYQ(q)) = (l = h)

Figure 5-5: An Implementation of the Type Queue

The correctness proof consists of two parts.

(A) The syntactic equivalence induced on the terms of type Queue by the defining equations must be shown to produce extraction equivalent terms in the implementation algebra dAII under the map θ. That is,

DELETEQ(NEWQ) = NEWQ => θ(DELETEQ(NEWQ)) =_dAII θ(NEWQ) -- (A1)

DELETEQ(ADDQ(q,x)) = if ISEMPTYQ(q) then NEWQ else ADDQ(DELETEQ(q),x) => θ(DELETEQ(ADDQ(q,x))) =_dAII θ(if ISEMPTYQ(q) then NEWQ else ADDQ(DELETEQ(q),x)) -- (A2)

(B) By induction on W_Queue, it must be proved that

(for all g in G)(for all t_g in W_g[{NEWQ, ADDQ, ISEMPTYQ, FRONTQ} ∪ F_G, V]) t_g = θ(t_g) -- (B)

This involves the following proofs:

Base Case
FRONTQ(NEWQ) = θ(FRONTQ(NEWQ)) -- (F1)
ISEMPTYQ(NEWQ) = θ(ISEMPTYQ(NEWQ)) -- (I1)

Induction Step (for all q in W_Queue[K_Queue ∪ E_Queue, V])
FRONTQ(ADDQ(q,x)) = θ(FRONTQ(ADDQ(q,x))) -- (F2)
ISEMPTYQ(ADDQ(q,x)) = θ(ISEMPTYQ(ADDQ(q,x))) -- (I2)

Proof of (A1)

LHS = θ(DELETEQ(NEWQ)) = θ(DELETEQ)(θ(NEWQ)) = θ(DELETEQ)(<NEWARRAY, ZERO, ZERO>) = if ZERO = ZERO then <NEWARRAY, ZERO, ZERO> else <NEWARRAY, SUCC(ZERO), ZERO> = <NEWARRAY, ZERO, ZERO>

RHS = <NEWARRAY, ZERO, ZERO> = LHS

Since syntactic equivalence implies extraction equivalence, this completes the proof of (A1).
Proof of (A2)

LHS = θ(DELETEQ(ADDQ(q,x))) = θ(DELETEQ)(<ASSIGN(a,SUCC(h),x), l, SUCC(h)>) = if l = SUCC(h) then <NEWARRAY, ZERO, ZERO> else <ASSIGN(a,SUCC(h),x), SUCC(l), SUCC(h)> = <ASSIGN(a,SUCC(h),x), SUCC(l), SUCC(h)> (where we use the fact that l ≤ h is true in any term <a,l,h> of the derived algebra dAII. This is proved below.)

RHS = if ISEMPTYQ(q) then θ(NEWQ) else θ(ADDQ)(θ(DELETEQ(q)), x) = if l = h then <NEWARRAY, ZERO, ZERO> else θ(ADDQ(if l = h then <NEWARRAY, ZERO, ZERO> else <a, SUCC(l), h>, x)) = if l = h then <NEWARRAY, ZERO, ZERO> else if l = h then θ(ADDQ)(<NEWARRAY, ZERO, ZERO>, x) else θ(ADDQ)(<a, SUCC(l), h>, x) = if l = h then <NEWARRAY, ZERO, ZERO> else θ(ADDQ)(<a, SUCC(l), h>, x) = if l = h then <NEWARRAY, ZERO, ZERO> else <ASSIGN(a,SUCC(h),x), SUCC(l), SUCC(h)>

The proof of (A2) involves a proof by induction.

Base Case
θ(FRONTQ)(<NEWARRAY, ZERO, ZERO>) = θ(FRONTQ)(<NEWARRAY, ZERO, ZERO>)
θ(ISEMPTYQ)(<NEWARRAY, ZERO, ZERO>) = θ(ISEMPTYQ)(<NEWARRAY, ZERO, ZERO>)

Induction hypothesis
θ(FRONTQ)(<a,l,h>)[<a,l,h> | <ASSIGN(a,SUCC(h),x1), SUCC(l), SUCC(h)>] = θ(FRONTQ)(<a,l,h>)[<a,l,h> | if l = h then <NEWARRAY, ZERO, ZERO> else <ASSIGN(a,SUCC(h),x1), SUCC(l), SUCC(h)>]
θ(ISEMPTYQ)(<a,l,h>)[<a,l,h> | <ASSIGN(a,SUCC(h),x1), SUCC(l), SUCC(h)>] = θ(ISEMPTYQ)(<a,l,h>)[<a,l,h> | if l = h then <NEWARRAY, ZERO, ZERO> else <ASSIGN(a,SUCC(h),x1), SUCC(l), SUCC(h)>]

Induction step
Prove
θ(FRONTQ)(<ASSIGN(a,SUCC(h),x), l, SUCC(h)>)[<a,l,h> | <ASSIGN(a,SUCC(h),x1), SUCC(l), SUCC(h)>] = θ(FRONTQ)(<ASSIGN(a,SUCC(h),x), l, SUCC(h)>)[<a,l,h> | if l = h then <NEWARRAY, ZERO, ZERO> else <ASSIGN(a,SUCC(h),x1), SUCC(l), SUCC(h)>] -- (A2-1)
and
θ(FRONTQ)(if l = h then <NEWARRAY, ZERO, ZERO> else <a, SUCC(l), h>)[<a,l,h> | <ASSIGN(a,SUCC(h),x1), SUCC(l), SUCC(h)>] = θ(FRONTQ)(if l = h then <NEWARRAY, ZERO, ZERO> else <a, SUCC(l), h>)[<a,l,h> | if l = h then <NEWARRAY, ZERO, ZERO> else <ASSIGN(a,SUCC(h),x1), SUCC(l), SUCC(h)>] -- (A2-2)

LHS = θ(FRONTQ)(<ASSIGN(ASSIGN(a,SUCC(h),x1), SUCC(SUCC(h)), x), SUCC(l), SUCC(SUCC(h))>) = if SUCC(l) = SUCC(SUCC(h)) then UNDEFINED else DATA(ASSIGN(ASSIGN(a,SUCC(h),x1), SUCC(SUCC(h)), x), SUCC(SUCC(l))) = if SUCC(SUCC(l)) = SUCC(SUCC(h)) then x else if SUCC(h) = SUCC(SUCC(l)) then x1 else DATA(a, SUCC(SUCC(l))) (using the invariant l ≤ h)

RHS = if (l = h) then θ(FRONTQ)(<ASSIGN(NEWARRAY, SUCC(ZERO), x), ZERO, SUCC(ZERO)>) else θ(FRONTQ)(<ASSIGN(ASSIGN(a,SUCC(h),x1), SUCC(SUCC(h)), x), SUCC(l), SUCC(SUCC(h))>) = if (l = h) then if ZERO = SUCC(ZERO) then UNDEFINED else DATA(ASSIGN(NEWARRAY, SUCC(ZERO), x), SUCC(ZERO)) else if SUCC(l) = SUCC(SUCC(h)) then UNDEFINED else DATA(ASSIGN(ASSIGN(a,SUCC(h),x1), SUCC(SUCC(h)), x), SUCC(SUCC(l)))

Using the fact that ZERO is not equal to SUCC(ZERO), the definition of DATA, and l ≤ h => SUCC(l) ≠ SUCC(SUCC(h)), we get

RHS = if l = h then x else DATA(ASSIGN(ASSIGN(a,SUCC(h),x1), SUCC(SUCC(h)), x), SUCC(SUCC(l))) = if l = h then x else if l = h then x else if SUCC(h) = SUCC(SUCC(l)) then x1 else DATA(a, SUCC(SUCC(l))) = if l = h then x else if SUCC(h) = SUCC(SUCC(l)) then x1 else DATA(a, SUCC(SUCC(l)))

Thus LHS = RHS. This completes the proof of (A2-1). The proof of (A2-2) can be carried through similarly.

Proof of (F1): FRONTQ(NEWQ) = θ(FRONTQ(NEWQ))

LHS = FRONTQ(NEWQ) = UNDEFINED.
RHS = DATA(NEWARRAY, SUCC(ZERO)) = UNDEFINED = LHS

Proof of (F2): FRONTQ(ADDQ(q,x)) = θ(FRONTQ(ADDQ(q,x)))

LHS = FRONTQ(ADDQ(q,x)) = if ISEMPTYQ(q) then x else FRONTQ(q).
RHS = θ(FRONTQ(ADDQ(q,x))) = θ(FRONTQ)(<ASSIGN(a,SUCC(h),x), l, SUCC(h)>) = if l = SUCC(h) then UNDEFINED else DATA(ASSIGN(a,SUCC(h),x), SUCC(l)).

This proof needs a case analysis. The two cases on the LHS are

ISEMPTYQ(q) : x ; -- (F2-L1)
not ISEMPTYQ(q) : FRONTQ(q) -- (F2-L2)

On the RHS, there are again two cases

l = SUCC(h) : UNDEFINED ; -- (F2-R1)
not l = SUCC(h) : DATA(ASSIGN(a,SUCC(h),x), SUCC(l)) ; -- (F2-R2)

In order to complete the proof, we can assume the following as induction hypotheses:

FRONTQ(q) = θ(FRONTQ(q)) = DATA(a, SUCC(l))
ISEMPTYQ(NEWQ) = θ(ISEMPTYQ(NEWQ)) = TRUE
ISEMPTYQ(q) = θ(ISEMPTYQ(q)) = (l = h)

By definition of θ(ISEMPTYQ(q)), and the induction hypothesis, in case (F2-L1) of the LHS we have ISEMPTYQ(q) => (l = h) => not (l = SUCC(h)), hence the second case (F2-R2) on the RHS applies. Further, (l = h) => DATA(ASSIGN(a,SUCC(h),x), SUCC(l)) = x. Thus,

ISEMPTYQ(q) => FRONTQ(ADDQ(q,x)) = x, and -- (1)
ISEMPTYQ(q) => not (l = SUCC(h)) & (l = h) => θ(FRONTQ(ADDQ(q,x))) = x -- (2)

Again, not ISEMPTYQ(q) => not (l = h), and not ISEMPTYQ(q) => FRONTQ(ADDQ(q,x)) = FRONTQ(q). By the induction hypothesis,

FRONTQ(q) = θ(FRONTQ(q)) = DATA(a, SUCC(l)). -- (3)

If we use the fact that l ≤ h is an invariant in the derived algebra (see below), then it can never be the case that l = SUCC(h). Hence, we have

(l ≠ SUCC(h)) & (l ≠ h) => RHS of (F2-R2) = DATA(ASSIGN(a,SUCC(h),x), SUCC(l)) = if SUCC(h) = SUCC(l) then x else DATA(a, SUCC(l)) = DATA(a, SUCC(l)). -- (4)

The proof of (F2) follows by virtue of (1) and (3) and (4).

Proof of the invariance of l ≤ h

The proof is by induction on the structure of the terms of the derived algebra.

Base case: The base constructors form the set of terms in W_Queue^(0)[F_Queue, V]. The invariant must be verified for each base constructor (there is only one). We have θ(NEWQ) = <NEWARRAY, ZERO, ZERO>, and l = ZERO ≤ ZERO = h.

Induction step: If θ(q) = <a,l,h> then assume as the induction hypothesis l ≤ h, if q is in W_Queue^(n) and is obtained by applying a constructor function to terms in W_Queue^(n-1)[F_Queue, V].

θ(ADDQ(q,x)) = <ASSIGN(a,SUCC(h),x), l, SUCC(h)>
l ≤ h => l ≤ SUCC(h)

θ(DELETEQ(q)) = if l = h then <a, ZERO, ZERO> else <a, SUCC(l), h>
l ≤ h & l = h => ZERO ≤ ZERO
l ≤ h & not l = h => l < h => SUCC(l) ≤ h

Thus, in both cases, the condition (l ≤ h) is preserved, concluding the proof.

Proof of (I1): ISEMPTYQ(NEWQ) = θ(ISEMPTYQ(NEWQ)) -- (I1)
LHS = true.
RHS = (ZERO = ZERO) = true.

Proof of (I2): ISEMPTYQ(ADDQ(q,x)) = θ(ISEMPTYQ(ADDQ(q,x))) -- (I2)
LHS = false.
RHS = θ(ISEMPTYQ)(<ASSIGN(a,SUCC(h),x), l, SUCC(h)>) = (l = SUCC(h)) = false (using the fact that l ≤ h)

REFERENCES

[1] O.J. Dahl, E.W. Dijkstra, C.A.R. Hoare. Structured Programming. Academic Press, New York, 1972.
[2] L. Flon, J. Misra. A Unified Approach to the Specification and Verification of Abstract Data Types. In Proceedings of a Conference on Specifications of Reliable Software, pages 162-169. IEEE Computer Society, April 1979.
[3] R.W. Floyd. Assigning Meanings to Programs. In J.T. Schwartz, editor, Proceedings of a Symposium in Applied Mathematics, Vol. 19, pages 19-32. American Mathematical Society, 1967.
[4] J. Goguen, J. Thatcher, E. Wagner. An Initial Algebra Approach to the Specification, Correctness, and Implementation of Abstract Data Types. Prentice-Hall, N.J., 1979, pages 30-149.
[5] J. Guttag, E. Horowitz, D. Musser. Abstract Data Types and Software Validation. CACM 21:1048-64, 1978.
[6] C.A.R. Hoare. An Axiomatic Basis for Computer Programming. Communications of the ACM 12(10):576-580, 583, October 1969.
[7] C.A.R. Hoare. Proof of Correctness of Data Representations. Acta Informatica 1:271-281, 1972.
[8] B.H. Liskov, A. Snyder, R. Atkinson, C. Schaffert. Abstraction mechanisms in CLU. Technical Report, Computation Structures Group Memo 144-1, MIT-LCS, January 1977.
[9] D.C. Luckham et al. Stanford Pascal Verifier User Manual, Edition 1. Technical Report, Stanford University, April 1979.
[10] P.A. Subrahmanyam. Towards Automatic Program Synthesis: Obtaining Implementations from Formal Specifications. Technical Report, State University of New York at Stony Brook, October 1977.
[11] P.A. Subrahmanyam. Perspectives on the use of Abstract Data Types in Programming Methodology. Unpublished Memo, Dept. of Computer Science, SUNY at Stony Brook, November 1978.
[12] P.A. Subrahmanyam. Towards a Theory of Program Synthesis: Automating Implementations of Abstract Data Types. PhD thesis, Department of Computer Science, State University of New York at Stony Brook, August 1979.
[13] J. Thatcher, E. Wagner, J. Wright. Data Type Specifications: Parameterization and the Power of Specification Techniques. In Proceedings, Tenth SIGACT Symp., pages 119-132. ACM SIGACT, April 1978.
[14] W.A. Wulf, R.L. London, M. Shaw. Abstraction and Verification in ALPHARD. Technical Report, CMU, ISI, August 1976.
[15] W.A. Wulf, R.L. London, M. Shaw. An Introduction to the construction and verification of Alphard Programs. IEEE Transactions on Software Engineering SE-2(4):253-265, December 1976. |
| Reference URL | https://collections.lib.utah.edu/ark:/87278/s69p3jrt |
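Added here as an example (not code from the paper, whose proofs were run through the Stanford Verifier's simplifier): a bounded, executable form of the check that section 4.1 carries out by hand for the Stack implementation, covering condition (A) (extraction equivalence in dAI of θ(POP(NEWSTACK)) with θ(NEWSTACK) and of θ(POP(PUSH(s,x))) with θ(s)) and condition (B) ((S1) and (S2) over kernel terms only). It assumes θ(ISEMPTY)(<a,i>) = ISZERO(i), since figure 2-3 is not reproduced on this page; the two-item alphabet and the deliberately wrong θ(POP) are constructed for the demonstration.

```python
"""Bounded check of conditions (A) and (B) of Theorem 8 for the Stack
implementation of section 4.1.  Added example, not code from the paper.

Kernel terms of Stack (NEWSTACK, PUSH) are Python tuples of items.  The
target type <Array, Integer> follows appendix III: an Integer is a
non-negative int with SUCC/PRED (PRED(ZERO) = ZERO), an Array is a tuple
of (index, item) ASSIGN records.  theta(ISEMPTY) is not on this page and
is ASSUMED to be ISZERO(i).  The item alphabet is constructed."""
from itertools import product

UNDEFINED = "UNDEFINED"
ITEMS = ("x1", "x2")   # constructed item alphabet for the bounded enumeration

# Target type: Integer and Array (appendix III).
def SUCC(i): return i + 1
def PRED(i): return 0 if i == 0 else i - 1      # PRED(ZERO) = ZERO
def ISZERO(i): return i == 0
NEWARRAY = ()
def ASSIGN(a, i, x): return a + ((i, x),)
def DATA(a, j):                                  # most recent ASSIGN at j wins
    for i, x in reversed(a):
        if i == j:
            return x
    return UNDEFINED

# Type of interest Stack: defining equations on kernel terms.
def PUSH(s, x): return s + (x,)
def POP(s): return s[:-1]                        # POP(NEWSTACK) = NEWSTACK
def TOP(s): return s[-1] if s else UNDEFINED     # TOP(NEWSTACK) = UNDEFINED
def ISEMPTY(s): return s == ()

# Implementation map theta, as used in the proofs of section 4.1.
def th_NEWSTACK(): return (NEWARRAY, 0)
def th_PUSH(r, x): a, i = r; return (ASSIGN(a, SUCC(i), x), SUCC(i))
def th_POP(r): a, i = r; return (a, PRED(i))
def th_TOP(r): a, i = r; return DATA(a, i)
def th_ISEMPTY(r): a, i = r; return ISZERO(i)   # assumption, see docstring

def theta(s):
    """theta of a kernel term: theta(PUSH(s,x)) = theta(PUSH)(theta(s), x)."""
    r = th_NEWSTACK()
    for x in s:
        r = th_PUSH(r, x)
    return r

def kernel_terms(depth):
    """W_Stack[K_Stack] up to the given depth: every PUSH sequence over ITEMS."""
    for n in range(depth + 1):
        yield from product(ITEMS, repeat=n)

def extraction_equivalent(r1, r2, th_pop, depth):
    """Bounded =_dAI: r1 and r2 are not told apart by any context of at most
    `depth` derived constructor applications followed by an extraction
    function.  Returns None, or the distinguishing context as a witness."""
    steps = [("PUSH", x) for x in ITEMS] + [("POP", None)]
    for n in range(depth + 1):
        for ctx in product(steps, repeat=n):
            u, v = r1, r2
            for op, x in ctx:
                u = th_PUSH(u, x) if op == "PUSH" else th_pop(u)
                v = th_PUSH(v, x) if op == "PUSH" else th_pop(v)
            if th_TOP(u) != th_TOP(v) or th_ISEMPTY(u) != th_ISEMPTY(v):
                return ctx
    return None

def check_A(th_pop, depth=3):
    """Condition (A): the defining equations of the non-kernel function POP,
    (A1) POP(NEWSTACK) = NEWSTACK and (A2) POP(PUSH(s,x)) = s, carry over as
    extraction equivalences in dAI.  Returns None or a counterexample."""
    w = extraction_equivalent(th_pop(th_NEWSTACK()), th_NEWSTACK(), th_pop, depth)
    if w is not None:
        return ("A1", (), w)
    for s in kernel_terms(depth):
        for x in ITEMS:
            lhs = th_pop(th_PUSH(theta(s), x))
            w = extraction_equivalent(lhs, theta(s), th_pop, depth)
            if w is not None:
                return ("A2", s + (x,), w)
    return None

def check_B(depth=3):
    """Condition (B), i.e. (S1) and (S2): TOP and ISEMPTY agree with
    theta(TOP), theta(ISEMPTY) on kernel terms only (W_g[K_Stack U E_Stack]).
    Returns None or the first kernel term on which they disagree."""
    for s in kernel_terms(depth):
        if TOP(s) != th_TOP(theta(s)) or ISEMPTY(s) != th_ISEMPTY(theta(s)):
            return s
    return None

# A constructed wrong theta(POP) that also discards the array.  It still
# satisfies (A1) syntactically, so only the observational check (A2) sees it.
def th_POP_bad(r): a, i = r; return (NEWARRAY, PRED(i))

if __name__ == "__main__":
    print("(A) holds:", check_A(th_POP) is None, " (B) holds:", check_B() is None)
    print("counterexample for the wrong POP:", check_A(th_POP_bad))
```

A bounded enumeration is evidence, not the inductive proof of section 4.1; its use is to catch a wrong θ before the proof is attempted, as the constructed th_POP_bad shows with a witness of the form (equation, kernel term, distinguishing context).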



