So-called "guarded commands" are introduced as a building block for alternative and repetitive constructs that allow non-deterministic program components for which at least the activity evoked, but possibly even the final state, is not necessarily uniquely determined by the initial state. For the formal derivation of programs expressed in terms of these constructs, a calculus will be shown. CR-category: 4. Guarded commands, non-determinacy and a calculus for the derivation of programs.
Only permissible final states are possible and each permissible final state is possible. Formal definition of the semantics. Notational prelude. The way in which we use predicates as a tool for defining sets of initial or final states for the definition of the semantics of programming language constructs has been directly inspired by Hoare, the main difference being that we have tightened things up a bit: while Hoare introduces sufficient pre-conditions (such that the mechanisms will not produce the wrong result but may fail to terminate), we shall introduce necessary and sufficient —i.
We take the position that we know the semantics of a mechanism S sufficiently well if we know its predicate transformer, i. We consider the semantics of S only defined for those initial states for which it has been established a priori that they satisfy wp(S, T), i. By suitably changing S, if necessary, we can always see to it that wp(S, T) is decidable. End of note. Example 1. Example 3. The alternative construct. In order to define the semantics of the alternative construct we define two abbreviations.
From this definition we can derive —by simple substitutions— Theorem 1. Note (which can be skipped at first reading). Let its smallest solution for t0 be tmin(X). Here we have added the explicit dependence on the state X. Then tmin(X) can be interpreted as the lowest upper bound for the final value of t if the mechanism S is activated with X as initial state. Intuitively, Hk(R) can be interpreted as the weakest pre-condition guaranteeing proper termination after at most k selections of a guarded list, leaving the system in a final state satisfying R.
Via mathematical induction we can prove Theorem 3. Note that the antecedent of Theorem 3 is of the form of the consequents of Theorems 1 and 2. Because T is the condition by definition satisfied by all states, wp(S, T) is the weakest pre-condition guaranteeing proper termination for S. This allows us to formulate an alternative theorem about the repetitive construct, viz. Theorem 4. Theorems 3 and 4 are easily proved by mathematical induction, with k as the induction variable.
Formal derivation of programs. In the meantime we have proved that the maximum of two values is always defined, viz. As an example of the derivation of a repetitive construct we shall derive a program for the greatest common divisor of two positive numbers, i. The formal machinery only gets in motion once we have chosen our invariant relation and our variant function.
Because the guard must be a computable boolean expression and should not contain the computation of gcd(X, Y) —for that was the whole problem!— we are invited to massage the value pair (x, y) in such a fashion that their gcd is not changed. Besides that we must require guaranteed decrease of the variant function t. Let us investigate the consequences of the choice.
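As an added example (not code from Dijkstra's paper or from this page), the following Python encodes predicates as functions over a state dictionary and the predicate transformers wp for assignment, the alternative construct and the repetitive construct (the latter through the bounded Hk(R) of the note above), then evaluates them on the two programs the text discusses: the maximum of two values and the gcd of two positive numbers with invariant gcd(x, y) = gcd(X, Y). The concrete guarded-command programs, the variable names and the bound kmax are assumptions of this example.

```python
from math import gcd

# A state is a dict of variable values, a predicate is a function state -> bool,
# and a predicate transformer maps a post-condition R to its weakest pre-condition.
def wp_assign(var, expr):
    """wp(var := expr, R) = R with expr substituted for var: R holds after the assignment."""
    return lambda R: (lambda s: R({**s, var: expr(s)}))

def wp_if(guarded_list):
    """Alternative construct: some guard must be true (otherwise the construct
    aborts) and every guarded list whose guard is true must establish R."""
    def transformer(R):
        return lambda s: (any(B(s) for B, _ in guarded_list)
                          and all(not B(s) or S(R)(s) for B, S in guarded_list))
    return transformer

def wp_do(guarded_list, kmax=100):
    """Repetitive construct: wp(DO, R) = (exists k >= 0: H_k(R)), with H_0(R) = R and
    no guard true, and H_k(R) = wp(IF, H_{k-1}(R)) or H_0(R).  The bound kmax is an
    assumption of this example: False means 'no termination in R within kmax selections'."""
    IF = wp_if(guarded_list)
    def transformer(R):
        H0 = lambda s: R(s) and not any(B(s) for B, _ in guarded_list)
        def holds(s):
            H = H0
            for _ in range(kmax):
                if H(s):
                    return True
                H = (lambda Hprev: lambda t: IF(Hprev)(t) or H0(t))(H)
            return H(s)
        return holds
    return transformer

# if x >= y -> m := x [] y >= x -> m := y fi  (when x = y either guarded list may be chosen)
MAX = wp_if([(lambda s: s['x'] >= s['y'], wp_assign('m', lambda s: s['x'])),
             (lambda s: s['y'] >= s['x'], wp_assign('m', lambda s: s['y']))])
# if x > y -> m := x fi  (no guard true when x <= y, so wp is false there)
MAX_BAD = wp_if([(lambda s: s['x'] > s['y'], wp_assign('m', lambda s: s['x']))])
# do x > y -> x := x - y [] y > x -> y := y - x od  (invariant gcd(x, y) = gcd(X, Y))
GCD = wp_do([(lambda s: s['x'] > s['y'], wp_assign('x', lambda s: s['x'] - s['y'])),
             (lambda s: s['y'] > s['x'], wp_assign('y', lambda s: s['y'] - s['x']))])

def max_is_defined(x, y, program=MAX):
    """wp(program, m = max(x, y)) evaluated in the initial state {x, y}."""
    return program(lambda s: s['m'] == max(s['x'], s['y']))({'x': x, 'y': y})

def gcd_is_established(X, Y):
    """wp(GCD, x = gcd(X, Y)) evaluated in the initial state x = X, y = Y (positive)."""
    return GCD(lambda s: s['x'] == gcd(X, Y))({'x': X, 'y': Y})
```

Because the guards of MAX cover every state, its weakest pre-condition for the post-condition m = max(x, y) is true everywhere, whereas MAX_BAD has no true guard when x <= y and therefore aborts there.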
SPIN verifies correct operation of concurrent software applications. Skip and Abort are very simple as well as important statements in the guarded command language. Its simplicity makes proving the correctness of programs easier, using Hoare logic. Skip is the empty instruction. If none of the guards of an alternative construct are true, the result is undefined. Criticizing Professor Dijkstra Considered Harmless.
They define the semantics of an imperative programming paradigm by assigning to each statement in this language a corresponding predicate transformer: a total function between two predicates on the state space of the statement. In this sense, predicate transformer semantics are a kind of denotational semantics. Actually, in Guarded Commands, Dijkstra uses only one kind of predicate transformer: the well-known weakest preconditions (see below). Moreover, predicate transformer semantics are a reformulation of Floyd–Hoare logic. Whereas Hoare logic is presented as a deductive system, predicate transformer semantics (either by weakest-preconditions or by strongest-postconditions, see below) are complete strategies to build valid deductions of Hoare logic.
Predicate transformer semantics
Each named step is passed two blocks: an ensure block that defines a test for a necessary and sufficient condition of the step, and a using block that will cause that condition to obtain. If the using block is omitted, the step acts as a simple assertion. If step is called in void context i. If do is given arguments, they will be passed to the ensure block and, if necessary, the using block.