TY - JOUR

T1 - "A la Burstall" intermittent assertions induction principles for proving inevitability properties of programs

AU - Cousot, P.

AU - Cousot, R.

PY - 1993/11/8

Y1 - 1993/11/8

N2 - We formalize Burstall's (1974) intermittent assertions method (initially conceived for proving total correctness of sequential programs) and generalize it to handle inevitability proofs for nondeterministic transition systems, hence (in particular) parallel programs. Programs are modeled by transition systems, program executions by sets of complete traces and program properties by inevitability properties of transition systems (generalizing total correctness of programs). It follows that the study is independent of any particular programming language. The basic proof principle that we derive from Burstall's and Manna and Waldinger's (1978) description of the intermittent assetions method is shown to be sound. It is also semantically complete under a condition on execution traces and inevitable properties. This condition is satisfied when considering inevitability properties such as total correctness or properties involving unary assertions on states. However, we conjecture that (even for deterministic programs) the basic proof principle is not complete when considering arbitrary binary inevitability properties (which relate state values at different "time instants"). This conjecture leads us to a generalization of Burstall's intermittent assertions method using transfinite induction (to handle unbounded nondeterminism) and using auxiliary or ghost variables in the limited form of ternary intermittent assertions (which can relate state values on program entry and at two other different "time instants"). From this generalized proof principle we derive a series of induction principles so as to broaden the allowable forms of proofs. Also we obtain more abstract and hence better understood formalizations of Burstall's method. All proof principles are sound and semantically complete (essentially, as noticed by Manna and Waldinger, because Burstall's method can be used to express "à la Floyd" proofs). However, we prove a stronger semantic completeness result in the sense that the propositions and lemmas involved in "à la Burstall" inevitability proofs can be chosen freely (at least under necessary and sufficient conditions that we specify accurately).

AB - We formalize Burstall's (1974) intermittent assertions method (initially conceived for proving total correctness of sequential programs) and generalize it to handle inevitability proofs for nondeterministic transition systems, hence (in particular) parallel programs. Programs are modeled by transition systems, program executions by sets of complete traces and program properties by inevitability properties of transition systems (generalizing total correctness of programs). It follows that the study is independent of any particular programming language. The basic proof principle that we derive from Burstall's and Manna and Waldinger's (1978) description of the intermittent assetions method is shown to be sound. It is also semantically complete under a condition on execution traces and inevitable properties. This condition is satisfied when considering inevitability properties such as total correctness or properties involving unary assertions on states. However, we conjecture that (even for deterministic programs) the basic proof principle is not complete when considering arbitrary binary inevitability properties (which relate state values at different "time instants"). This conjecture leads us to a generalization of Burstall's intermittent assertions method using transfinite induction (to handle unbounded nondeterminism) and using auxiliary or ghost variables in the limited form of ternary intermittent assertions (which can relate state values on program entry and at two other different "time instants"). From this generalized proof principle we derive a series of induction principles so as to broaden the allowable forms of proofs. Also we obtain more abstract and hence better understood formalizations of Burstall's method. All proof principles are sound and semantically complete (essentially, as noticed by Manna and Waldinger, because Burstall's method can be used to express "à la Floyd" proofs). However, we prove a stronger semantic completeness result in the sense that the propositions and lemmas involved in "à la Burstall" inevitability proofs can be chosen freely (at least under necessary and sufficient conditions that we specify accurately).

UR - http://www.scopus.com/inward/record.url?scp=0027912450&partnerID=8YFLogxK

UR - http://www.scopus.com/inward/citedby.url?scp=0027912450&partnerID=8YFLogxK

U2 - 10.1016/0304-3975(93)90248-R

DO - 10.1016/0304-3975(93)90248-R

M3 - Article

AN - SCOPUS:0027912450

VL - 120

SP - 123

EP - 155

JO - Theoretical Computer Science

JF - Theoretical Computer Science

SN - 0304-3975

IS - 1

ER -