Some Techniques for Proving Correctness of Programs which Alter Data Structures

Transcription

1 Some Techniques for Proving Correctness of Progrms which Alter Dt Structures R. M. Burstll Deprtment of Mchine Intelligence University of Edinburgh 1. INTRODUCTION Consider the following sequence of instructions in list-processing lnguge With roughly ALGOL 60 syntx nd LISP semntics (hd (hed) is LISP CAR nd tl (til) is LISP CDR). x: = cons(1, nil); y:=cons(2, x); hd(x): =3; (compre LISP RPLACA) print(x); print(y); The intention is s follows. x becomes the list (1) y becomes the list (2, 1) The hed (first element) of the list x becomes 3. Since y ws mnufctured from x it 'shres' list cell with x, nd hence is side-effected by the ssignment to hd(x). When x is printed it is (3) nd y when printed is (2, 3) rther thn (2, 1) s it would hve been hd the lst ssignment left it undisturbed. How re we to prove ssertions bout such progrms? Figure 1 trces the course of events in the trditionl picture lnguge of boxes nd rrows. Our tsk will be to obtin more forml mens of mking inferences, which, unlike the picture lnguge, will del with generl propositions bout lists. We will extend Floyd's proof system for flow digrms to hndle commnds Which process lists. The principles which pply to lists would generlise in strightforwrd wy to multi-component dt structures with shring nd circulrities. Although this technique permits proofs, they re rther imperspicuous nd fiddling for lck of pproprite higher level concepts. Investigting the specil cse of liner lists in more depth we define 'the list from x to y' nd consider Systems of such lists (or perhps we should sy list frgments) which do not 23

2 PROGRAM PROOF AND MANIPULATION x: = cons (1, nil); 1 nil y: = cons (2, x) 2 1 nil hd (x): =3 2 3 nil Figure 1. shre with ech other or within themselves. (By liner list we men one which either termintes with nil, such s LISP (A, (B, C), D), or is circulr; by tree we men list structure which termintes with toms rther thn with nil, such s LISP ((A. B). (C. D))). We thus get rther nturl wy of describing the sttes of the mchine nd the trnsformtions on them nd hence obtin esy proofs for progrms. Some ides from the ppliction of ctegory theory to tree utomt help us to extend this tretment from lists to trees: frgments of lists or trees turn out to be morphisms in n pproprite ctegory. Acquintnce with ctegory-theoretic notions is not however needed to follow the rgument. Our im hs been to obtin proofs which correspond with the progrmmer's intuitive ides bout lists nd trees. Extension to other kinds of dt structures wits further investigtion. 2. PREVIOUS WORK Since McCrthy (1963) rised the problem number of techniques for proving properties of progrms hve been proposed. A convenient nd nturl method is due to Floyd (1967) nd it hs formed the bsis of pplictions to non-trivil progrms, for exmple by London (1970) nd Hore (1971). Floyd's technique s originlly proposed delt with ssignments to numericl vribles, for exmple, x: = x + 1, but did not cter for ssignments to rrys, for exmple, [i]:=[j]+ 1, or to lists, such s t/(x): =cons(hd(x), 11(11(x))). McCrthy nd Pinter (1967) del with rrys by introducing 'chnge' nd 'ccess' functions so s to write [i]:=[j]+1 s : = chnge (, i, ccess 24

3 BURSTALL (, j)+ 1), treting rrys s objects rther thn functions. King (1969) in mechnising Floyd's technique gives method for such ssignments which, however, introduces cse nlysis tht sometimes becomes unwieldy. Good (1970) suggests nother method which distinguishes by subscripts the vrious versions of the rry. We will explin below how Good's method cn be dpted to list processing. Although the proofs mentioned bove by London (.1970) nd Hore (1971) involve rrys they do not give rigorous justifiction of the inferences involving rry ssignments, which re rther strightforwrd. List processing progrms in the form of recursive functions hve received ttention from McCrthy (1963), Burstll (1969) nd others, but quite different problems rise when ssignments re mde to components of lists. This ws discussed in Burstll (1970) s n extension to the xiomtic semntics of ALGOL, but the emphsis there ws on semntic definition rther thn progrm proof. Hewitt (1970), Chpter 7, touches on proofs for list Processing progrms with ssignments. J. Morris of Berkeley hs lso done some unpublished work, so hve B.Wegbreit nd J.Poupon of Hrvrd (Ph.D. thesis, forthcoming). 3. FLOYD'S TECHNIQUE Let us recll briefly the technique of Floyd (1967) for proving correctness of progrms in flow digrm form. We ttch ssertions to the points in the flow digrm nd then verify tht the ssertion t ech point follows from those t ll the immeditely preceding points in the light of the intervening commnds. Floyd shows, by induction on the length of the execution pth, tht if this verifiction hs been crried out whenever the progrm is entered with stte stisfying the ssertion t the entry point it will exit, if t ll, only with stte stisfying the ssertion t the exit point. The rules for verifiction distinguish two cses: tests nd ssignments. (1) A triple consisting of n ssertion, test nd nother ssertion. thus Si YES S2 is sid to be verified if Sli PF AS2, tht is, ssertion S2 is deducible from Si nd test P using some xioms A, sy the xioms for integer rithmetic. If 52 IS ttched to the NO brnch the triple is verified if SI, IPI-AS2. (2) A triple consisting of n ssertion, n ssignment nd nother ssertion, thus 25

4 PROGRAM PROOF AND MANIPULATION Si I: =E S2 where / is some identifier nd E some expression, is sid to be verified if S1 FA [S2]f where [S2], mens the sttement S2 with E substituted for I throughout. (This is clled bckwrd verifiction by King (1969); it is vrint of Floyd's originl method, which introduces n existentilly quntified vrible.) We will here retin the inductive method of Floyd for deling with flow digrms contining loops, but give methods for coping with more complex kinds of ssignment commnd. 4. EXTENSION OF THE VERIFICATION PROCEDURE TO ARRAY ASSIGN MENTS Consider the following commnd nd ssertions 1,i< 9 nd for ll x, such tht 1 <x<100, (x)=x (((i)+1)x(i+1)):=0 (ixi+2xi+1)0(i) The second ssertion does hold if the first one does, but the verifiction rule given bove for ssignments to numeric vribles, such s j: =2 x j, is indequte for rry ssignments such s this. Thus ttempts to substitute 0 for (((i)+1)x(i+1)) in (ix i+2 x i+1)0(i) merely leve it unchnged, but the unchnged ssertion does not follow from the first ssertion. (Floyd's version of the rule, using n existentil quntifier is eqully inpplicble.) Following Good (1970), with slightly different nottion, we cn overcome the difficulty by distinguishing the new version of the rry from the old one by giving it distinct symbol, sy '. We lso mke explicit the fct tht other elements hve not chnged. We thus ttempt to show tht 1 <i<9, (Vx)(1<x<100(x)=x), '(((i)+1)x(i+1))=0, (Vy)(y0((i)+1)x(i+l)'(y)=(y))1-. rith '(ix 1+2 xi+1)0d(i). Once we note tht ((i)+1)x (i+1) is (1+1)2, s is (ix 1+2 x i+1) nd tht, since 1<i, (1+1)201, we hve '(ix i+ 2 x i+ 1)=0 nd '(0=i, so 26

5 IIURSTALL '(0> 0. The distinction between nd ' nd the condition tht ll elements which re not ssigned to re unchnged reduce the problem to elementry lgebr. 5. COMMANDS, CHANGE SETS AND TRANSFORMATION SENTENCES The following technique is vrint of the one given by Good (1970). He uses it for ssignments to rrys but not for list processing. With ech ssignment commnd we ssocite set of identifiers clled the chnge set nd set of sentences clled the trnsformtion sentences. (Rules for specifying these re given below.) The bsic rule of inference is: If set S of sentences re written before commnd C, nd C hs set T of trnsformtion sentences, then we my write sentence U fter C if S, TI-U', where U' is U with ech identifier i in the chnge set of C replced by i'. (1) Simple ssignment Commnd: I:=E e.g. i: =i+j Chnge set: {/} {i} Trnsformtion sentences: /'=E =i-fj Exmple: i>0 j>0 i:=1-fj 1>1 1>1 is legitimte t becuse i> 0, j> 0, i'=i+j1-i'> 1. Note. By AFB we men B is provble from A using xioms of rithmetic or other xioms bout the opertions of the lnguge. Note. Vribles (identifiers) in the progrm become constnts in the logic. (2) Arry ssignment Commnd: A[E1]:=E2 e.g. [[i]]:=[i]+[j] Chnge set: (A) () Trnsformtion sentences: A 1(E1)=E2 '((i))=(i)+(j) (ix)(x0e1 A'(x)=A(x)) (Vx)(x0(i)'(x)=(x)) (3) List processing () Commnd: hd(e1):=e2 e.g. hd(t1(hd(i))):=hd(i) Chnge set: {hd) {hd} Trnsformtion sentences: hd'(e1)=e2 hd'01(hd(i)))=hd(i) (Vx)(x Eihd'(x)=hd(x)) (Vx)(x tl(hd(i))hd'(x)=hd(x)) (b) Commnd: 1/(E1):=E2. s for hd 27

6 PROGRAM PROOF AND MANIPULATION (c) Commnd: I: = cons(eli E2) Chnge set: {I, used, new} Trnsformtion sentences: new'oused used' =usedk.) (new') hd(new' )= tl(new')=e2 I' =new' e.g. i: =cons(2, j) {1, used, new} new'oused used' =usedu {new') hd(new')=2 tl(new')=j i' =new' Note. We ssume E1 nd E2 do not contin cons. Complex cons expressions must be decomposed. It should be cler tht the choice of two-element list cells is quite rbitrry, nd exctly nlogous rules could be given for lnguge llowing 'records' or 'plexes', tht is vriety of multi-component cells. 6. CONCEPTS FOR LIST PROCESSING We could now proceed to give exmples of proofs for simple list processing progrms, but with our present limited concepts it would be difficult to express the theorems nd ssertions except in very d hoc wy. We wnt to tlk bout the list pointed to by n identifier i nd sy tht this is distinct from some other list. We wnt to be ble to define conveniently such concepts s reversing or conctenting (ppending) lists. To do this we now specilise our discussion to the cse where cons, hd nd t/ re used to represent liner lists. Such lists terminte in nil or else in cycle, nd we do not llow toms other thn nil in the til position. Thus we exclude binry trees nd more complicted multi-component record structures. First we define the possible sttes of list processing mchine. A mchine is chrcterised by: C, denumerble set of cells nil, specil element A, set of toms (C, {nil} nd A re disjoint), function from finite subsets of C to C, such tht (X) 0 X, function for producing new cell. It is convenient to write XO for Xu {nil} where Xg. C. A stte is chrcterised by: Uc C, the cells in use hd: U--0 Au Uo 11: U-+ UO(thus we re tlking bout lists rther thn binry trees) Let X* be the set of ll strings over set X, including the empty string which we write s 1. Also let T= {true, flse}. It is convenient to define unit strings over Au UO thus Unit: (Au Uo)* Unit (cr).:*.cr e (Au U0) We cn now ssocite set 2 of triples with stte. (cc, u, v) e 2 mens 28

7 BURSTALL tht is list from u to v (or perhps we should sy list frgment from u to v). Thus c (Au Uo)* x U0 x U We shll write u )v s mnemonic bbrevition for (, u, v), hd u for hd (u) nd tl u for 11(u). We define 2 inductively, thus: (i) 2 for ech u e U0 P (ii) if u--ve 29 nd v w 2 then u.-+w e hdu (iii)u-+ t/ue2forechu U. l For exmple, in figure 2, X-4y, y-9, nd z * nil re ll in Figure 2. Identity lists re defined thus Identity: Identity (u, v)<=ne = 1 A prtil opertion of composition (.) between lists is defined thus :2x2-+T p ft (14-40 (1)-+W)=14 W Thus list from u to v cn be composed with one from v' to w if nd only if Vry'. The reder fmilir with ctegory theory will notice tht 2 forms ctegory with U s objects nd the lists (triples in 2) s morphisms. (A definition of 'ctegory' is given in the Appendix.) Indeed it is the free ctegory hdu generted by the grph whose rrows re the lists u + 11 u for ech u. There is forgetful functor from 2' to (A u U )*, where the ltter is regrded s ctegory with one object. This functor gives the string represented by list frgment (cf. Wegbreit nd Poupon's notion of covering function in the unpublished work mentioned on p. 25). 29

8 PROGRAM PROOF AND MANIPULATION We define the number of occurrences of cell in list by induction (5: Ux..T-4N (i) 6(v-,v)=0 (ii) 6,4(x-o t/ x-02 w)=6,(t1 x:-,w)+1 if x=u =3 (t1 x-+w) if xou It follows by n obvious induction tht 6 (A p)=3 (A)+6 (p). To keep trck of the effects of ssignments we now define reltion of distinctness between lists, tht is, they hve no cells in common. Distinct: 2' x 21-4T Distinct(A, 1t)<=15 (A) =0 or 5p) =0 for ll u e U. We lso define property of non-repetition for lists Nonrep: 21-+T Nonrep(A)<*15 (A)< 1 for ll UE U Lemm 1 1 (i) Distinct(A,u-+u) for ll A nd u (ii) Nonrep(u-4u) for ll u (iii) Distinct(A, p) nd Nonrep(A) nd Nonrep(p) = Nonrep(A p), if A p is defined. Proof. Immedite. We re now equipped to stte the correctness criterion for simple list processing progrm nd to supply nd prove the ssertions. Consider the problem of reversing list by ltering the pointers without using ny new spce (figure 3). We first need to define n uxiliry function to reverse string rev: X*-4 X* rev (1) =1 rev (x)=rev()x for XE X, e X* Before After nil nil Figure 3. 30

9 BURSTALL j =RE VER S E(k) Assume rev: U*4 U* reverses strings. K is constnt string. ':=nil 1 K -k-nil e Nonrep(k3ni1). IC --(343)[k->ni1e 2.j3nile 2. Nonrep (k-> nil). Nonrep (j-> nil). Distinct(k- > nil,] -1-3>nil). rev ()fl =rev (K)]. YES rev(k) j --> nil e 2. := ilk (314)[k4t1 k e 11 k-; nil e 2. Anil e 2. Nonrep k->ni1). Nonrep(j->ni1). Distinct(k-> ilk, ii k-3ni1). P 1 Distinct (t1 k-> nil,)->ni1). Distinct (j->nil, k-> k). Unit (k411 k). rev (1413 =rev (K)]. 1 P - -- (3143)[k-> tike 2. i;nil e 2. j-> nil e 2. NonrepOni1). P 1 Nonrep (j--)ni1). Distinct (k-> ilk, i-)nil). P P 1 Distinct (13 nil, j->ni1). Distinct (j->nil, k-> tl k). i Unit (k->t1 k). rev ()113 =rev (K)]. ilk =j I 1 P (314)[i->nil e 2. k->j e 2. p> nil e 2. Nonrep(i->n11). j:=k k:=i Nonrep (j-> nil). Distinct(k4j, i->nil). Is P : Distinct(i3nil,j-)ni1). Distinct (j-nil, k-)j). : Unit (k--)j). rev ()1,3 =rev (K)]. Figure 4. Reversing list. 31

10 PROGRAM PROOF AND MANIPULATION By well-known methods of induction on the length of the string (structurl induction) we cn prove simple lemms such s rev (i3)=rev(13) rev() for; fie X* Notice the distinction between the function rev which works on strings nd hs esily proved properties nd the function or procedure REVERSE to reverse lists using ssignment, which we re bout to define. The ltter is essentilly function from mchine sttes to mchine sttes, where mchine stte is chrcterised by the two functions hd nd The flow digrm for REVERSE with ssertions is given in figure 4. Notice tht the ssertions re long nd tedious. We cn verify the ssertions by using the techniques given bove, distinguishing between d nd ti' nd consequently between List, Distinct nd List', Distinct'. The verifiction proofs re quite long for such simple mtter nd very boring. We will not wery the reder with them; insted we will try to do better. 7. DISTINCT NON-REPEATING LIST SYSTEMS We will now gther together the concepts introduced so fr into single notion, tht of Distinct Non-repeting List System (DNRL System). Using suitble bbrevited nottion we cn render the ssertions brief nd perspicuous. To mke the verifiction proofs eqully ttrctive we show how the vrious kinds of commnds, nmely ssignment to hed or til nd cons commnds, correspond to simple trnsformtions of these systems. We cn prove this once nd for ll using our previous technique nd then use the results on vriety of progrms. We define Distinct Non-repeting List System s n n-tuple of triples 1i, 1=1,.. n, such tht (i) Ai e 2' for ech i= 1,.. n (ii) Nonrep(1i) for ech i = 1,...,n (iii) If j0 i then Distinct(2,, 2) for ech i, j = 1,.. n It is cler tht if S is DNRL System then so is ny permuttion of S. Thus the ordering of the sequence is immteril. We should not think of S merely s set of triples, however, since it is importnt whether S contins triple x-+y once only or more thn once (in the ltter cse it fils to be DNRL System unless =1). (S1 CC2 2k-1 s 2 Abbrevition. We will write ui-4u2-u3. -4 uk, for u1-4u2, u2-4143, k - 14_1 U. We lso write *S for 'S is DNRL System'. For exmple, n bbrevited stte description for the stte shown in figure 2 is ls s 4s s l s *(X u-*y --+ u, z--q1 w--41 z) or less explicit description p y (3fly(5)(*(x-,u-9,-)u, z-)nil) nd *(w--nil) nd Atom()) 32

11 BURSTALL j=reverse(k) Assume rev: (Au U)*->(Au U)* reverses strings. K is constnt string.. Assume, b, c.., Ay re existentilly quntified before ech ssertion. fi *(k3 nil, j-> nil). rev ()fl =rev (K). y p rev(y)fl=rev(k). Unit(). 7 P *(k-)i->nil, nil). rev(y)fl=rev(k). Unit(). fl 7 *(k3j->nil, rev(y)l3=rev(k). Figure 5. Reversing list. 33

12 PROGRAM PROOF AND MANIPULATION Figure 5 shows the REVERSE progrm gin with much pithier ssertions. We will now consider how to verify ssertions such s these pinlessly. The following proposition which enbles us to mnipulte DNRL Systems follows esily from the definitions bove. Proposition 1 (i) Permuttion *S*S' if S' is permuttion of S. (ii) Deletion *Pi, An) *(22, An) (iii) Identity *Pi, An) *(u--+u, Ai, An) (iv) Composition p p *(u--)v-w, 11, Ali. An) nd conversely s *(14-4W, Alp.0 An)(3v)*(u-ov-+w, An) (v) Distinctness p *(u-*v, u-+w)cc= 1 or ig =1 (vi) Inequlity *(uv) nd u v(3bi3)(unit(b) nd cc =0). Proof. (i) nd (ii) Immedite from the definition of *. (iii) By Lemm 1 (i) nd (ii). (iv) By Lemm 1 (iii). (v) lf 1 nd $1 then 6.(u-- v)= 1 nd (5 (u-4w)=1 so they re not distinct. (vi) By definition of 2'. We re now ble to give the trnsformtion sentences ssocited with the vrious commnds, in terms of * rther thn in terms of hd nd 11. They enble us to verify the ssertions in figure 5 very esily. The trnsformtion sentences ll involve replcing or inserting component of *-expression, leving the other components unchnged. They re displyed in figure 6. We will mke some comments on these trnsformtion sentences nd how to use them. Their correctness my be proved using the trnsformtion sentences given erlier for hd nd ti nd the following lemm. Lemm 2. Suppose for ll y x, hd'y=hd y nd tl'y. = Then for ll A e 2' such tht 3(A)=0 we hve A e 21' nd 5(A) =ö(a)for ll y. Corollry. Under the sme suppostion if A, /I e 2' nd 5n(2)=0 nd 3 04)=0 then Nonrep(A)Nonrep'(A) nd Distinct(A, p)distince(a, Proof. By n obvious induction on 2'. The rule for ssignment to simple identifier is s before. Trnsformtion sentences re given for the YES nd No brnches of test, even though these do not lter the stte (their chnge sets re empty). 34

13 BURSTALL Assume n, Ai,..., An, x, y, re universlly quntified. The trnsformtion sentences re shown to the right of the commnd. We ssume tht E, E1 nd E2 do not contin cons. II:=E I Chnge set = {I} 1' =E Chnge set = { } =E2 YES Chnge set ={ E1 E2. NO hdei:=e21 Chnge set ={17d,..., A ) nd Unit()=. E2 *'(El 4Y, Al f 'I An) Chnge set ={ ti, * *(E1-)y, A1, An) nd Unit() ii : = E2 *'(E14E2, A1, An) E:=cons(Eb E2) Chnge set ={*, I} An) *'(E ->E2, A1, An) Figure 6. Trnsformtion sentences for stte descriptions. 35

14 PROGRAM PROOF AND MANIPULATION Consider for exmple the NO brnch of the test 'lc =nil' in the REVERSE progrm of figure 5. Before the commnd we hve (3211)r rev()f3=rev(k)] (1) The trnsformtion sentence, putting n =1, is konil. (2) After the commnd, we hve 7 (3yf3)[*(k->nil,j-mil). rev(y)i3=rev(k). Unit()] (3) But (3) follows immeditely from (1) nd (2) using Proposition 1 (vi). In generl, Proposition 1 will be used to reorder or otherwise mnipulte the *-expressions nd if E1 or E2 contin references to hd or ti these will need to be removed by replcing them by E1 nd E2 using Proposition 2. Still, the verifiction is quite trivil. Consider nother exmple from the REVERSE progrm, the commnd 'ilk: =j'. Before the commnd, we hve 7 (3yfl)[*(k--4-)ni0->ni1). rev(y)fl=rev(k). Unit()] (1) The trnsformtion sentence, putting n =2, is *(k--)y, 21, 22) *'(k->j, 21,12), for ll, y, Ali 12 (2) Rewriting the sttement fter the commnd with *' for *, we hve p (9y13)[*'(k-+j--+nil, rev(y)(213 =rev(k)] (3) We must prove this from (1) nd (2). Combining (1) with (2) we get 7 (3y13)[*1(k-V, rev(y)13=rev(k). Unit()] ' But permuting the *' expression (Proposition 1 (i)) nd using obvious properties of rev we get (3). The sentences for hd nd cons re used in n nlogous wy. Becuse their mening chnges in reltively complex wy it is dvisble to debr hd nd ti from ppering in stte descriptions nd work in terms of * lone. We now consider how to reduce n expression involving hd or tl with respect to stte description so s to eliminte references to these. For exmple the expression hd(t1(t1(0)) with respect to the stte description c..) with Unit(), Unit(b), Unit(c) reduces to c. If such n expression occurs in trnsformtion sentence we reduce it to obtin n equivlent trnsformtion sentence not involving hd or ti. The reduction of n expression E with respect to stte description D, written E, is defined recursively by (i) If E is n identifier, constnt or vrible then E=E (ii) If E is hd El nd D contins *(EI x,.) nd Unit() then f= 36

15 BURSTALL (iii) If E is 11E1 nd D contins *(E\--* x,.) nd Unit() then E=x. Proposition 2. D t= E. The proof is strightforwrd by induction on the structure of E, using the definition of *. 8. EXAMPLES OF PROOFS FOR LIST PROCESSING The trnsformtion sentences cn best be understood by seeing how we use them in proving some simple list processing progrms which lter the list structures. Although these progrms re short their mode of opertion, nd hence their correctness, is not immeditely obvious. We hve lredy looked t the progrm REVERSE. Another exmple, involving cons, is conctention of two lists, copying the first nd terminting it with pointer to the second, see figure 7. Notice tht the input lists need not necessrily be distinct. The other, destructive, method of conctention is to overwrite the finl nil of the first list with Pointer to the second. In this cse our initil condition would hve to be ensuring distinctness. Our next exmple, figure 8, is reversing cyclic list, where insted of terminting with nil the list eventully reches the strting cell gin. The next exmple, figure 9, involves list with sub-lists. A list of lists re to be conctented together nd the REVERSE nd CONCAT routines lredy defined re used. The suspicious reder my notice tht we re mking free with.' in the ssertions, but we cn lwys replce (s1, by, sy, (si)7.,1 or sequence(s,l,n), so nothing mysterious is involved. Some of the ttrctions of such proofs seems to come from the fct tht the form of the ssertions is grph-like nd so (t lest in figures 6, 7 nd 8) strictly nlogous to the structures they describe. 9. TREES We will now pss from lists to trees. We will consider generl 'record' or plex' structures with vrious kinds of cell ech hving specified number of components, s for exmple in Wirth nd Hore (1966). A prticulr cse is tht of binry trees. Thus, insted of hd: U--+Auuo U UO we now llow hd: U--+AuU 11: U AuU (nil hs no specil plce in binry trees; it cn be considered n tom like ny other). More generlly we my replce trees built using cons with trees (terms or expressions) built using ny number of opertors with rbitrry numbers of rguments, corresponding to different kinds of records. 37

16 PROGRAM PROOF AND MANIPULATION m=concat(k,l) K nd L re constnt strings of toms, nd b units. j: =k YES in: = cons (hd j, nil) j: =tij i:=171 *(k-i.> nil). *(1-14ni1). *(k->nil). *(13ni1). K=1. m: =I L see EXIT below p L *(k4x4ni1). *(I->nil). pig = K. 1 P L *(k->j->nil). *(1->ni1). l3= K. 1 ft *(k4 j-.> nil, m->ni1). L *(I->nil, fl = K. e If *(k->j->nil, i ->x). L *(19nil, in? ix). fl = K. *(k->nil, i 4 *(I->nil, m->i->x). ow= K. i: =I!E XIT K K KL --*(k-> nil, m41). *(m4i-->nil). by *(k3j-)nil, in-> i ->x). L :0(0 nil, n13 i -)x). by= K. 11 = cons (hd j, nil) by b *(k->j->nil, m-> 4y). L b j: =11j *(I->nil, m31-3y). by = K. I:= tl Figure 7. Conctention. 38

17 BURSTALL j=cyclicreverse(1) (*(/->ni/) nd L=1) or (*(1-->I) nd L=). YES j:- rev(l) *(g1). L=. *(1:13k41). rev () =rev (L). p *(j-314)c,k41). rev ()fl =rev(l). /i *(j-)l >x). fici =rev (L). - # b 7 *(F> 14x, k-->y -)1). rev(by)fl =rev (L). # b *(j413x, k > i-->1). rev (by)fl =rev (L). ---*(k;$ax, 41). rev (by)fl =rev (L). tl I: =j *(j rev(l) Figure 8. Reversing cyclic list. 39

18 PROGRAM PROOF AND MANIPULATION 1=M ULTICONCAT(i) Assume N, C1,. CN, Aj, AN re constnts. =RE VE RS E(i) j:=i : =nil C CN At AN nil, Cir> nil). rev(cf. CN) At AN * nil, Cr> nil,. CN.->ni1). 1 rev(ci...cn) At AN " *(j3j > nil, Ci--> nil,. Cpr> CN.. Cm Cm-1..C1 Ary )J >nil,l )nil, At AN CN-->ni1). 11 I:=CONCAT(hd j,1) =tlj CN..Cm Cm- I 2..Cl Am... AN - > j > x --> ni1,1 > nil, CN.. Cm Cm-1 Cm- 2.. Ct At. AN C1--> nil,. C >ni1). Am I Am...AN x-4 nil, 1 > y > nil, At C1-)'nil,.. AN CN-)nil). CN...C1 At AN *(i nil,! ---> nil, C r-> nil). 1:=REVERSE(i) *(i C1...CN AI AN Af AN > ni1,1--)nil,cr> Figure 9. Multiple conctention. 40

19 BURSTALL Our previous discussion depended rther hevily on the conctention opertion for lists. Fortuntely Lwvere (1963) with his notion of 'Free Theory' hs shown how conctention cn be extended from strings to trees (see lso Eilenberg nd Wright 1967). His ctegory theory pproch is convenient in view of the remrk in n erlier section tht 2 forms ctegory. We will not present our ides in ctegory-theoretic lnguge, since this my not be fmilir to some reders, but will be content to point out where the concept of ctegory is pproprite. Our first tsk is to define system of trees or expressions with composition opertion, nlogous to the strings used bove. We will then pply them to tree-like dt structures under ssignment commnds. Let 12 = tfln), n=0, 1,.. be sequence of sets of opertors, (xi}, i = 1, 2,.. sequence of distinct vribles, nd let X, = We define sequence of sets of terms (or trees) T =[Tn(X,)},m =0, 1... TrI(X,,,) mens ll terms, in the usul sense of logic, in the opertors fl nd vribles X,. We cn regrd Tn(X, ) s subset of the strings (Uf2uX,)* nd define it inductively thus (i) x etn(x,) if x e X, (ii) coti t e Tn(X, ) if ) e 12 for some n nd th t e (Algebriclly speking Tn(X,) forms the word lgebr or generic lgebr over f2 with generting set X,.) If t e Tn(X,) nd (Si, s,) e Tn(X )m, m 0, by the composition t (s1,. s,) we men the term in T(X) obtined by substituting si for xi in t, 1,. To preserve the nlgy with our previous tretment of strings we would like to mke composition ssocitive. For this we consider n-tuples of trees. Thus, more generlly, if Oh. ti) e Tn(X,)I nd (Si,. s,) e we define the composition by (ti, ti) (si, s,)=(ti (si,., sm), ti (si,, Sin)). This composition is in T0(S,)1. For exmple if C22= {cons}, C20= {, b, c,..}, nd we llow ourselves to write prentheses in the terms for redbility (cons(xli ), cons(x2, xi), b) E Tn( Xz)3 (c, xi) e XI )2 nd their composition is (cons(c, ), cons(xi, c), b) e T(X1)3. The composition is now ssocitive nd (xi, x) T0(X) " is n identity for ech n. It is, however, prtil opertion (compre mtrix multipliction, which is only defined for mtrices of mtching sizes). We see now tht the disjoint union of the Tn(X ) forms ctegory, Tn, with s objects the integers n=0,1,.. nd with set of morphisms Tn(X )"' from in to n for ech m, n. Indeed, this is just wht Lwvere clls the Free Theory on f2. Eilenberg nd Wright (1967) use it to extend utomt theory to trees s well s strings, giving ctegory theory presenttion (see 41

20 PROGRAM PROOF AND MANIPULATION lso Arbib nd Giv'eon (1968)). The ctegory T0 replces the monoid (Au U)* used in our tretment of lists, the min difference being tht the composition opertion, unlike string conctention, is only prtil. The strings over n lphbet E cn be regrded s specil cse by tking f/1 to be E nd S20 to be {nil}. In the Appendix we summrise the bstrct definition of Free Theory s given by Eilenberg nd Wright. We will not use ny ctegory theory here, but it is perhps comforting to know wht kind of structure one is deling with. We will consider fixed n nd X for the time being nd write T, for Tri(X )m, the set of m-tuples of terms in n vribles. If co e n. we will tke the liberty of writing co for the term coxi x in T1. This bbrevition my pper more nturl if we think of n element r of T1 s corresponding to the function txi x t from T0(25)" to T(Ø). For exmple cons is short for 2x1, x2 cons (xi, x2), but not of course for 2x1, X2. cons(x2, We will write 1 for the identity (x1,.. x ) e T nd 0 for the 0-tuple o G To,,. We will sometimes identify the 1-tuple (x) with x. 10. STATE DESCRIPTIONS USING TREES We cn now use the m-tuples of terms, T,, just s we previously used strings to provide stte descriptions. Suppose now tht ech co e n =0, 1, corresponds to clss of cells U0 (records) with n-components nd tht these components cn be selected by functions Sr: e UQ), 1=1,. n We put U=U U0,:co e US1). For exmple if n2 = { cons}, Slo= A nd Q,=Ø for 0)00 or 2 then 6cions is hd: Ucons--. U H _ cons A 32"'s is th cons--* UconsU A (here we hve put U,, ={) for ech e A, nd Ucons is just our previous U, the set of list cells). A stte is defined by the U nd the br nd we ssocite with it set of triples, just s the set 2 ws previously ssocited with stte. If triple (r, u, v) is in.9" then for some m, n, u e Urn, v e U" nd r e T,. As before we write u-+v for (r, u, v). We define.t inductively thus: (i) If e T, is (xi xi,,,) nd if e {1,..., n} for j=1, m (tht,is, r involves only vribles nd not opertors) then (ui. ) is in T (ii) If u---ov e nd v 'w e 9" then their composition (u + v) (v--0 w) is T 41 defined s u-+w, nd it is in ". (t1) (to t, to (iii)if(u1) v,.. (10 0 v re in.9- then (ui,. u )--4 v is in (iv) If co e S2 nd br(u)= vi for i =1, n then (u)-- (vi, v ) is in 9. 42

21 BURSTALL Tking the cse where f2 consists of cons nd toms, (iv) mens tht cons (u) (v, w) E g. if hd(u)=v nd 11(u) =w, lso tht ()-() is in.9" for ech tom e A. An exmple will mke this clerer. In the stte pictured in figure 105" contins the following triples, mongst others, (i) cons(cons(cons(c,d),),cons(cons(c,d),b)) cons(cons(xl,),cons(xi,b)) (ii) (j) cons(c,d) (iii) (j)--- cons(cons(xl,),x 2) (iv) ( (j, k) cons(x 1,x i) (V) (1)---4(1) The first of these is the composition of the second nd third. Figure 10. It will be noticed tht 9" forms ctegory with objects u for ech u e U", n. 1,.... The triples (T, u, v) in.9" re the morphisms from to v. There is forgetful functor represents: g".-'. We cn now define Distinct Non-repeting Tree System nlogous to Distinct Non-repeting List System. We tke over the definitions of Distinct- ness nd Non-repetition lmost unchnged except tht they now pply to.r rther thn to 2. We cll (T, u, v) e elementry if involves vribles nd opertors in Oo but none in 1"2, n> 1 (for exmple, trees which shre only elementry constituents cn shre toms but not list cells). We now define, s for lists, the number of occurrences of cell in n n-tuple of trees, thus 6: Ux,-*N (i) 6 (v--% w) =0 if u is elementry CO T (ii) 6 ((x)- v -w)=3 (v->w) +1 if XU )>f =6 (v-uv) if xou 43 WE 0, n>