"A la Burstall" intermittent assertions induction principles for proving inevitability properties of programs

P. Cousot, R. Cousot

Research output: Contribution to journalArticlepeer-review

Abstract

We formalize Burstall's (1974) intermittent assertions method (initially conceived for proving total correctness of sequential programs) and generalize it to handle inevitability proofs for nondeterministic transition systems, hence (in particular) parallel programs. Programs are modeled by transition systems, program executions by sets of complete traces and program properties by inevitability properties of transition systems (generalizing total correctness of programs). It follows that the study is independent of any particular programming language. The basic proof principle that we derive from Burstall's and Manna and Waldinger's (1978) description of the intermittent assetions method is shown to be sound. It is also semantically complete under a condition on execution traces and inevitable properties. This condition is satisfied when considering inevitability properties such as total correctness or properties involving unary assertions on states. However, we conjecture that (even for deterministic programs) the basic proof principle is not complete when considering arbitrary binary inevitability properties (which relate state values at different "time instants"). This conjecture leads us to a generalization of Burstall's intermittent assertions method using transfinite induction (to handle unbounded nondeterminism) and using auxiliary or ghost variables in the limited form of ternary intermittent assertions (which can relate state values on program entry and at two other different "time instants"). From this generalized proof principle we derive a series of induction principles so as to broaden the allowable forms of proofs. Also we obtain more abstract and hence better understood formalizations of Burstall's method. All proof principles are sound and semantically complete (essentially, as noticed by Manna and Waldinger, because Burstall's method can be used to express "à la Floyd" proofs). However, we prove a stronger semantic completeness result in the sense that the propositions and lemmas involved in "à la Burstall" inevitability proofs can be chosen freely (at least under necessary and sufficient conditions that we specify accurately).

Original languageEnglish (US)
Pages (from-to)123-155
Number of pages33
JournalTheoretical Computer Science
Volume120
Issue number1
DOIs
StatePublished - Nov 8 1993

ASJC Scopus subject areas

  • Theoretical Computer Science
  • Computer Science(all)

Fingerprint Dive into the research topics of '"A la Burstall" intermittent assertions induction principles for proving inevitability properties of programs'. Together they form a unique fingerprint.

Cite this