CSE 230: Principles of Programming Languages
Notes on Chapter 4 of Algebraic Semantics (Proving Program Correctness)

This chapter shows how, by having syntax, semantics, preconditions, and postconditions all in the same formal and executable language (OBJ), we can (relatively!) easily do formal proofs of correctness, without annoying problems with Hoare semantics like the following: Consider the Hoare triple

     { a >= 0 & b >= 0 } S { z = a * b } 
which seems to intend to specify that a fragment S of code should multiply a and b. However, the following S satisfies the above Hoare triple
     z := 0 ; a := 0 
even though it does no multiplication at all!

This is an example of what can happen when different kinds of variables are treated as being the same. It is a problem with variables in the usual formulation (as in chapter 3 of Sethi) of Hoare semantics; it is not at all a problem with the semantics of programs as such. The solution is to introduce ghost variables, also called specification constants, and use them in both the pre- and the post- condition.

Note that in the framework of Algebraic Semantics, program variables are constants in the syntax of the programming language (as they should be), so that it does not even make sense to make assertions of the form 'X >= 0 ; it is necessary to include a store to get a value, as in

     S [['X]] >= 0 . 
However, one can still write specs that are statisfied by bogus programs, if one is not careful about quantification, as in
     S[['X]] >= 0 and S[['Y]] >= 0 imply S;P[['Z]] = S;P[['X]] * S;P[['Y]] . 
Instead, one should write specifications like
     (forall a,b >= 0) S[['X]] = a and S[['Y]] = b imply S;P[['Z]] = a * b . 

There is a typo on page 84; the equation at the top of the page should be

     (s ; absx [[`Z]])  is  abs(x)  


To CSE 230 homepage
To CSE 230 notes page
Maintained by Joseph Goguen
© 2000, 2001, 2002, 2003 Joseph Goguen
Last modified: Wed Feb 12 14:50:38 PST 2003