$\in \mathcal{C}_0$ and states $s, t$,

$(\exists u : State).\ I_c(c_1)(s, u) \wedge I_c(c_2)(u, t) \Rightarrow I_c(c_1 ; c_2)(s, t)$

Proof. By induction on $c_1$ followed by induction on $c_2$. The cases when either $c_1$ or $c_2$ is a conditional or a labelled command are straightforward from the inductive hypothesis. Assume $c_1$ and $c_2$ are assignment commands: $c_1$ is $:=(al, l_1)$ and $c_2$ is $:=(bl, l_2)$. If $I_c(c_1)(s, u)$ then, by definition of $I_c$, $u = update((pc, l_1)\,al, s)$. Similarly, if $I_c(c_2)(u, t)$ then $t = update((pc, l_2)\,bl, u)$. The correctness of the assignment list of $c_1 ; c_2$ is straightforward from the assumptions $I_c(c_1)(s, u)$ and $I_c(c_2)(u, t)$, from $u = update((pc, l_1)\,al, s)$, the definition of $\mathit{correct?}$ and from Theorem (4.1). The definition of $I_c(c_1 ; c_2)(s, t)$ requires that $t$ is $update((pc, l_2) / ((pc, l_1)\,cl), s)$, where $cl$ is $((pc, l_1)\,al)\,(bl / (pc, l_1)\,al)$. Note that from Theorem (3.1), $update((pc, l_2)\,bl, update((pc, l_1)\,al, s))$ is equivalent to $update((pc, l_1)\,al\,(((pc, l_2)\,bl) / (pc, l_1)\,al), s)$. That this is equivalent to $t$ is straightforward by extensionality. □
For any commands $c_1 \in \mathcal{C}_0$, $c_2 \in \mathcal{C}$ and states $s, t$, if $c_1$ begins in state $s$ and ends in state $t$ and $c_2$ is not enabled in $t$ then $c_1 ; c_2$ begins in state $s$ and ends in state $t$.

Theorem 6.2 Property (2) For any commands $c_1, c_2 \in \mathcal{C}_0$, label $l \in Labels$ and states $s, t \in State$,

$I_c(c_1)(s, t) \wedge pc \neq_t l \Rightarrow I_c(c_1 ; (l : c_2))(s, t) = I_c(c_1)(s, t)$

Proof. By induction on $c_1$; the cases when $c_1$ is a labelled or a conditional command are straightforward from the inductive hypothesis. Assume $c_1$ is the assignment command $:=(al, l_1)$. By Definition (6.3), $c_1 ; (l : c_2)$ is a conditional command with the test $equal(l_1, l)$ and false branch $c_1$. From the assumption $I_c(c_1)(s, t)$, state $t$ is $update((pc, l_1)\,al, s)$. It follows that $pc \neq_t l$ is $pc / ((pc, l_1)\,al) \neq_s l / ((pc, l_1)\,al)$. Substituting for $pc$, and for the constant $l$, this is $l_1 \neq_s l$. It follows that the test $I_b(equal(l_1, l))(s)$ is false and therefore $I_c(c_1 ; l : c_2)(s, t)$ is equivalent to $I_c(c_1)(s, t)$. □

Let $c$ be the result of the composition of any two commands $c_1, c_2 \in \mathcal{C}_0$. The interpretation of $c$ in states $s$ and $t$ implies that either there is an intermediate state in which $c_1$ terminates and $c_2$ begins
Theorem 6.3 For commands $c_1, c_2 \in \mathcal{C}_0$, $l_1, l_2 \in Labels$ and states $s, t$,

$I_c(l_1 : c_1 ; l_2 : c_2)(s, t) \Rightarrow ((\exists u : State).\ I_c(l_1 : c_1)(s, u) \wedge I_c(l_2 : c_2)(u, t)) \vee (I_c(c_1)(s, t) \wedge pc \neq_t l_2)$

Proof. By induction on $c_1$ followed by induction on $c_2$. The cases when either is a labelled or a conditional command are straightforward from the induction hypothesis. Let $c_1$ be the assignment command $:=(al, l_3)$ and $c_2$ the command $:=(bl, l_4)$. Assume $l_1 =_s l_2$ and let $u = update((pc, l_3)\,al, s)$. It follows, from the assumption, that $(pc, l_3)\,al$ is correct in $s$, since it is contained in the assignment list of $c_1 ; c_2$. That $I_c(c_1)(s, u)$ is true follows from the definition of $I_c$. Since the assignment list of $c_1 ; c_2$ also contains $(pc, l_4)\,bl / (pc, l_3)\,al$ and is correct in $s$, the list $(pc, l_4)\,bl$ must also be correct in $update((pc, l_3)\,al, s)$ (Theorem 4.1). From Theorem (3.1), state $t$ is $update(((pc, l_3)\,al)\,((pc, l_4)\,bl / (pc, l_3)\,al), s)$, which is equivalent to $update((pc, l_4)\,bl, update((pc, l_3)\,al, s))$ (Theorem 3.1 and Lemma 3.4). The interpretation $I(l_2 : c_2)(u, t)$ is therefore true, completing the proof for this case. Assume that $l_1 \neq_s l_2$. By definition, $l_1 : c_1 ; l_2 : c_2$ is a conditional command with test $equal(l_3, l_2)$ and false branch $c_1$. As in Theorem (6.2), it follows that $I_c(c_1)(s, t)$ must be true, completing the proof. □
Theorems (6.1) to (6.3) describe the behaviour of composition when both commands are executed and terminate. Composition also preserves the failures of the commands: if the composition of commands $c_1$ and $c_2$ halts then so does either $c_1$ or $c_2$. Conversely, if either command $c_1$ or $c_2$ halts then so does $c_1 ; c_2$.
Theorem 6.4 For commands $c_1, c_2 \in \mathcal{C}$ and states $s, t, u \in State$,

1. If $c_1 ; c_2$ halts in a state $s$ then $c_1$ either halts in $s$ or produces a state $u$ in which $c_2$ halts.
   $\mathit{halt?}(c_1 ; c_2)(s) \Rightarrow \mathit{halt?}(c_1)(s) \vee (\exists u.\ I_c(c_1)(s, u) \wedge \mathit{halt?}(c_2)(u))$

2. If $c_1$ halts in $s$ then so does $c_1 ; c_2$.
   $\mathit{halt?}(c_1)(s) \Rightarrow \mathit{halt?}(c_1 ; c_2)(s)$

3. If $c_1$ beginning in state $s$ ends in a state $u$ and $c_2$ halts in $u$ then $c_1 ; c_2$ halts in $s$.
   $I_c(c_1)(s, u) \wedge \mathit{halt?}(c_2)(u) \Rightarrow \mathit{halt?}(c_1 ; c_2)(s)$
Proof. 1. Assume there is a state $u$ such that $I_c(c_1)(s, u)$ and a state $t$ such that $I_c(c_2)(u, t)$. From Theorem (6.1), it follows that $I_c(c_1 ; c_2)(s, t)$, contradicting the assumption $\mathit{halt?}(c_1 ; c_2)$ that there is no state such that $I_c(c_1 ; c_2)(s, t)$.

2. Assume there is a state $t$ such that $I(c_1 ; c_2)(s, t)$ (and therefore $\neg \mathit{halt?}(c_1 ; c_2)(s)$). From Theorem (6.3), there is a state $u$ such that $I_c(c_1)(s, u)$. This is a contradiction since the assumption, $\mathit{halt?}(c_1$

3. From the assumption $\mathit{halt?}(c_2)(u)$, command $c_2$ is enabled in $u$ and therefore $pc =_u label(c_2)$. Assume that there is a state $t$ such that $I(c_1 ; c_2)(s, t)$. From Theorem (6.3), and from $pc =_u label(c_2)$, there is a state $u' \in State$ such that $I_c(c_1)(s, u')$ and $I_c(c_2)(u', t)$. The commands are deterministic (Lemma 4.1), therefore $u' = u$ and $I_c(c_2)(u, t)$. This contradicts the assumption $\mathit{halt?}(c_2)(u)$. □
Theorems (6.4) and (6.4), together with the earlier theorems, show that if the composition $c_1 ; c_2$ establishes a property then so will the commands $c_1$ and $c_2$, executed in sequence. If the composition $c_1 ; c_2$ cannot be executed or cannot establish the property, neither can the two commands considered individually. The advantage of sequential composition is that it is simpler to show that $c_1 ; c_2$ establishes a property than to verify $c_1$ and $c_2$ individually. Any property of the two commands, executed in sequence, can be established directly from the command $c_1 ; c_2$.
A property of sequential composition in a flow-graph language is that it is not associative. The label of a command determines whether the command is enabled in a state. The composition of command $l_1 : c_1$ with $c_2$, $(l_1 : c_1) ; c_2$, has label $l_1$. The composition of any command $c$ with $(l_1 : c_1) ; c_2$, $c ; ((l_1 : c_1) ; c_2)$, will select $((l_1 : c_1) ; c_2)$ iff $c$ selects $l_1 : c_1$ and will behave as $c$ otherwise. Even if $c$ selects $c_2$, $c_2$ will not be executed since it can only follow $l_1 : c_1$.
Example 6.1 Let $l_1, l_2, l_3, l_4 \in Labels$ be distinct. The command $\mathsf{goto}\ l_2 ; (l_1 : \mathsf{goto}\ l_3 ; l_2 : \mathsf{goto}\ l_4)$ is equivalent to $\mathsf{goto}\ l_2$. However, the command $(\mathsf{goto}\ l_2 ; l_1 : \mathsf{goto}\ l_3) ; l_2 : \mathsf{goto}\ l_4$ is equivalent to $\mathsf{goto}\ l_2 ; l_2 : \mathsf{goto}\ l_4$. □

6.3 Applying Sequential Composition
The commands which result from sequential composition can be complex. To ensure that composition has Property (2), an assignment command $c_1$ composed with labelled command $l : c_2$ results in a conditional command in which both $c_1$ and $c_1 ; c_2$ occur. However, the result of sequential composition can, in some circumstances, be simplified using the properties of the expressions and commands. To replace a command $c$ of a program with a simplified command $c'$, command $c$ must be equivalent to $c'$ in all states, $I_c(c)(s, t) = I_c(c')(s, t)$ (Lemma 5.1). This is possible by the replacement of expressions in the command with strongly equivalent expressions. The conditions for strong equivalence of expressions can often be established from the syntax of the commands and, in these cases, the simplification of a command can be carried out mechanically. For example, assume $l_1 = l$: in the conditional command if $(l_1 =_o l)$ then $c_1 ; c_2$ else $c_1$, the expression $(l_1 =_o l)$ can be replaced with $true$. From the semantics of the conditional command, the result is a command equivalent to $(c_1 ; c_2)$. This method is similar to the techniques used for symbolic execution (King, 1971).
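The non-associativity shown by Example 6.1 and the reduction of an assignment composed with a labelled command to a conditional, together with its simplification when $l_1 = l$, as an added executable model; this is not code from the thesis. It assumes that a state is a dictionary from names to values with the program counter stored under the name "pc", that $\mathsf{goto}\ l$ is an assignment with an empty list, and that composition can be interpreted directly by the behaviour described above (the second command runs only when it is enabled after the first) rather than built syntactically as in Definition (6.3); the names `interp`, `enabled`, `equivalent`, `compose_assign_labelled` and `simplify`, and the sample state space, are chosen here.

```python
"""Added executable model of the flow-graph commands of Sections 6.2 and 6.3;
not code from the thesis.  Assumed: a state is a dict of names to values with
the counter under "pc"; `goto l` is an assignment with an empty list; a
composition is interpreted by the behaviour the text describes (c2 runs only
when enabled after c1) rather than being built syntactically."""
from dataclasses import dataclass
from typing import Any, Callable, Dict, Iterable, Tuple

State = Dict[str, Any]
Expr = Callable[[State], Any]      # expressions are evaluated against a state


@dataclass(frozen=True)
class Assign:            # :=(al, l): simultaneous assignment list al, then pc := l
    al: Tuple[Tuple[str, Expr], ...]
    label: str


@dataclass(frozen=True)
class Labelled:          # l : c
    label: str
    body: Any


@dataclass(frozen=True)
class Cond:              # if equal(a, b) then c1 else c2; a, b are constants or Expr
    test: Tuple[Any, Any]
    then: Any
    orelse: Any


@dataclass(frozen=True)
class Seq:               # c1 ; c2
    c1: Any
    c2: Any


def goto(label: str) -> Assign:
    return Assign((), label)


def enabled(c: Any, s: State) -> bool:
    """A labelled command is enabled iff pc holds its label; (l1:c1);c2 carries
    the label l1, so a composition is enabled iff its first command is."""
    if isinstance(c, Labelled):
        return s["pc"] == c.label
    if isinstance(c, Seq):
        return enabled(c.c1, s)
    return True


def value(e: Any, s: State) -> Any:
    return e(s) if callable(e) else e


def interp(c: Any, s: State) -> State:
    """Deterministic interpretation I_c(c)(s, t) of an enabled command: the end state t."""
    if isinstance(c, Assign):
        t = dict(s)
        for name, expr in c.al:          # every expression is evaluated in s
            t[name] = value(expr, s)
        t["pc"] = c.label
        return t
    if isinstance(c, Labelled):
        if not enabled(c, s):
            raise ValueError("labelled command is not enabled in this state")
        return interp(c.body, s)
    if isinstance(c, Cond):
        a, b = c.test
        return interp(c.then if value(a, s) == value(b, s) else c.orelse, s)
    if isinstance(c, Seq):
        u = interp(c.c1, s)
        # Property (2): when c2 is not enabled in u, c1;c2 behaves as c1 alone.
        return interp(c.c2, u) if enabled(c.c2, u) else u
    raise TypeError(f"unknown command {c!r}")


def equivalent(c: Any, d: Any, states: Iterable[State]) -> bool:
    """Equivalence in every state of a finite sample (the sense of Lemma 5.1)."""
    return all(interp(c, s) == interp(d, s) for s in states)


LABELS = ("l1", "l2", "l3", "l4")                                    # distinct labels
STATES = [{"pc": pc, "x": x} for pc in LABELS for x in (0, 1)]      # constructed sample


def example_6_1() -> Tuple[bool, bool, bool]:
    """Non-associativity (Example 6.1): goto l2;(l1:goto l3; l2:goto l4) versus
    (goto l2; l1:goto l3); l2:goto l4."""
    left = Seq(goto("l2"), Seq(Labelled("l1", goto("l3")), Labelled("l2", goto("l4"))))
    right = Seq(Seq(goto("l2"), Labelled("l1", goto("l3"))), Labelled("l2", goto("l4")))
    return (equivalent(left, goto("l2"), STATES),
            equivalent(right, Seq(goto("l2"), Labelled("l2", goto("l4"))), STATES),
            equivalent(left, right, STATES))


def compose_assign_labelled(c1: Assign, lc: Labelled) -> Cond:
    """Definition (6.3) as the text describes it: an assignment c1 targeting l1,
    composed with l:c2, is the conditional if equal(l1, l) then c1;c2 else c1."""
    return Cond((c1.label, lc.label), Seq(c1, lc.body), c1)


def simplify(c: Any) -> Any:
    """Section 6.3 simplification: a test over two constants is replaced by its
    truth value and the dead branch is dropped."""
    if isinstance(c, Cond) and not callable(c.test[0]) and not callable(c.test[1]):
        return simplify(c.then if c.test[0] == c.test[1] else c.orelse)
    return c


def section_6_3_simplification() -> Tuple[bool, bool, bool]:
    """c1 is x := x + 1 then jump to l1; it is composed with l1: (x := 2x, jump to l2)."""
    c1 = Assign((("x", lambda s: s["x"] + 1),), "l1")
    lc = Labelled("l1", Assign((("x", lambda s: 2 * s["x"]),), "l2"))
    cond = compose_assign_labelled(c1, lc)
    mismatch = compose_assign_labelled(c1, Labelled("l2", lc.body))
    return (equivalent(cond, Seq(c1, lc), STATES),       # conditional agrees with c1;(l1:c2)
            simplify(cond) == Seq(c1, lc.body),          # l1 = l: test is true, result c1;c2
            equivalent(simplify(mismatch), c1, STATES))  # l1 differs from l: collapses to c1
```

`example_6_1()` returns `(True, True, False)`: the left-bracketed command agrees with $\mathsf{goto}\ l_2$ everywhere, the right-bracketed one with $\mathsf{goto}\ l_2 ; l_2 : \mathsf{goto}\ l_4$, and the two differ in every sample state. The model treats the test $equal(l_1, l)$ as a comparison of two constants, which is exactly what lets `simplify` decide it from the syntax alone, as the text describes.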
Example 6.2 Assume name $x \in Names$, values $v_1, v_2 \in Values$, labels $l, l_1 \in Labels$ and expressions $e_1, e_2 \in \mathcal{E}$. Let $a \in Fn$ be defined such that for all $v \in Values$ and $s \in State$, $a(v)$ is distinct from $x$ in $s$. Also assume for $v_1, v_2 \in Values$ that $a(v_1) =_s a(v_2)$ iff $v_1 = v_2$. The assignment command $:=((x, e_1) / (a(e_2), v_2), l)$ is equivalent to $:=((x, e_1 / (a(e_2), v_2)), l)$. The assignment command $:=((x, v_1) / (a(e_2), v_2), l)$ is equivalent to $:=((x, v_1), l)$.

The expression $ref(a(x)) / (a(v_2), v_1)$ is equivalent to $ref(v_1)$ when $x$ has the value $v_2$. The conditional command:

if $(x =_o v_2)$ then $(ref(a(x)) / (a(v_2), v_1) := e_1, l)$ else $(ref(a(x)) / (a(v_2), v_1) := e_2, l)$

is equivalent to the command:

if $(x =_o v_2)$ then $(ref(v_1) := e_1, l)$ else $(ref(a(x)) / (a(v_2), v_1) := e_2, l)$ □

6.4 Abstraction of Programs
The method for abstracting from programs is to choose two commands $c_1, c_2$ of a program $p$ and form the subset $\{c_1, c_2\}$ of $p$. Sequential composition is applied to the two commands to obtain the singleton set $\{(c_1 ; c_2)\}$. This is combined with the original program $p$, removing command $c_1$ from $p$, to obtain the abstraction $p \uplus \{(c_1 ; c_2)\} \sqsubseteq p$. This can be repeated any number of times, allowing a sequence of commands to be combined by sequential composition.

This method of abstraction is based on two properties of composition and refinement: the first that the singleton set $\{(c_1 ; c_2)\}$ is an abstraction of the set $\{c_1, c_2\}$.

Theorem 6.5 Composition forms an abstraction