Stepwise Program Derivation

Our understanding of the program derivation process has evolved to the point where it can be described in terms of a clearly defined sequence of steps. In this paper, we will identify those steps and show how they may be used to derive programs from formal specifications. In describing the program derivation process we will focus on two things, its broad structure, and some detail for each of the principal steps. The suggestions made are practical and easily integrated with conventional methodologies for handling larger problems. The detailed steps described also provide the basis for the construction of a system for computer-assisted program derivation from formal specifications. 1. THE STRUCTURE OF THE PROGRAM DERIVATION PROCESS The ideal we seek in program derivation is to begin with a formal specification of a problem, and then to proceed by a well-defined process of transformation and refinement until eventually a program implementation is derived. The process should be constructive, that is, at each stage in the development, the original, or derived specifications, should guide the process. The process we will present here describes a sequence of heuristics which aspire to that ideal. It is best suited to deriving programs for precisely specified problems that require either single or nested loop structures. Such structures represent the building blocks for larger, more elaborate program structures. The task of handling these larger structures becomes one of identifying well-defined and precisely specified sub-problems, deriving their solutions, and composing them accordingly. We are fortunate that a large class of problems, but not all, submit easily to this kind of treatment. The structure of the derivation process, at its broadest interpretation, involves essentially three distinct phases. Phase I Obtaining a Suitable Primary Specification Identification of a precondition/postcondition specification (Q,R) that is deemed to be suitable to guide the formal derivation process. A by-product of this phase is an appropriate initialization for the iterative structure. Phase II Obtaining Secondary Specifications Identification of ancillary specifications, and commands that may be used directly to guide the derivation of the body of the iterative structure. A by-product of this phase is the identification of the guard for the iterative structure. Phase III Derivation of the Body of the Iterative Structure Use of the results from the second phase to derive the body of the iterative structure. (In the course of this phase the need to derive additional iterative structures may be discovered such structures must be derived accordingly.)