5.2.1 Correctness and Refinement
Recall that the refinement ordering was introduced in Chapter 4 to rank specifications in terms of strength, reflecting how demanding a specification is, or how hard it is to satisfy. This ordering plays a role in determining whether a given specification is complete with respect to a completeness property and whether a given specification is minimal with respect to a minimality property. Surprisingly, or on second thought not surprisingly, the same refinement ordering plays an important role in defining program correctness, as the following propositions show. For the sake of simplicity, we restrict our attention to deterministic programs (i.e., programs that produce a uniquely determined final state for any given initial state).
Proposition: Correctness, Refinement-based Formula Let R be a specification (relation) on space S and let p be a program on space S whose function we denote by P. Program p is correct with respect to specification R if and only if P refines R.
Function P refines relation R if and only if it has a larger domain than R and, for every element s in the domain of R, the pair (s, P(s)) is an element of R; this is exactly how we defined (total) correctness in Section 5.1.
Proposition: Partial Correctness, Refinement-based Formula Let R be a specification (relation) on space S and let p be a program on space S whose function we denote by P. Program p is partially correct with respect to specification R if and only if P refines R ∩ PL.
Unlike total correctness, partial correctness does not require P to satisfy R for all initial states in the domain of R; it suffices that P satisfies R for those elements of the domain of R for which p terminates normally (whence the term PL, which restricts R to the domain of P). Note that if we take P = ∅ (i.e., program p fails to terminate for all initial states), then this condition is satisfied.
Proposition: Termination, Refinement-based Formula Let R be a specification (relation) on space S and let p be a program on space S whose function we denote by P. Program p is defined with respect to R if and only if P refines RL.
Relation RL has the same domain as relation R, but because it assigns all the elements of S to any element of the domain of R, it imposes no condition on the final state; this is exactly what termination is about.
We conclude this section by revisiting the definition of refinement: so far we have interpreted refinement to mean that one specification is stronger than another, more demanding than another, and so on. Now that we have defined correctness, there is a simple way to characterize refinement; it is given in the following proposition.
Proposition: Characterizing Refinement by Correctness Given two specifications R and R′ on space S, R refines R′ if and only if any program p that is correct with respect to R is correct with respect to R′.
Isn't the essence of being a stronger specification to admit fewer correct programs? Any program that is correct with respect to the stronger/more demanding/more refined specification is necessarily correct with respect to the weaker/less demanding/less refined specification. The necessary condition of this proposition is a mere consequence of the transitivity of the refinement ordering: if a program p is correct with respect to R, then its function P refines R; since R refines R′, then a fortiori P refines R′, hence p is correct with respect to R′.
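The following is an added worked example, not part of the text: a finite model of this section's definitions in Python, in which a state space S is a small set, a specification is a relation (a set of pairs), and a deterministic program is represented by its function P as a dictionary that is undefined on the initial states for which the program fails to terminate. It implements refinement as "dom(R) ⊆ dom(Q) and Q ∩ RL ⊆ R" (the relational form of the definition recalled above), writes total correctness, partial correctness and termination directly as in Section 5.1, and then checks exhaustively, over every program and every specification on a two- or three-element space, that the three refinement-based propositions and the characterization of refinement by correctness agree with the direct definitions. The sample specification R (integer square root) and programs in the main block are constructed for illustration.

```python
from itertools import product


def universal(S):
    """L: the universal relation on S (all pairs of states)."""
    return frozenset(product(S, S))


def compose(A, B):
    """Relational product A B: (s, u) when (s, t) in A and (t, u) in B."""
    return frozenset((s, u) for (s, t) in A for (t2, u) in B if t == t2)


def dom(R):
    """Domain of a relation given as a set of pairs."""
    return frozenset(s for s, _ in R)


def refines(Q, R, S):
    """Q refines R: Q has at least the domain of R and, on dom(R), Q's pairs are R-pairs,
    i.e. dom(R) <= dom(Q) and Q ∩ RL <= R (RL = dom(R) x S)."""
    RL = compose(R, universal(S))
    return dom(R) <= dom(Q) and (Q & RL) <= R


def as_relation(P):
    """The function of a deterministic program, as a relation on S."""
    return frozenset(P.items())


# The three notions of Section 5.1, written directly from their definitions.
def correct(P, R):
    """Total correctness: p terminates on all of dom(R) and lands in R."""
    return all(s in P and (s, P[s]) in R for s in dom(R))


def partially_correct(P, R):
    """Partial correctness: wherever p terminates on dom(R), it lands in R."""
    return all((s, P[s]) in R for s in dom(R) if s in P)


def defined(P, R):
    """Termination: p terminates for every initial state in dom(R)."""
    return dom(R) <= frozenset(P)


# The refinement-based formulas of the three propositions.
def correct_by_refinement(P, R, S):
    return refines(as_relation(P), R, S)


def partially_correct_by_refinement(P, R, S):
    PL = compose(as_relation(P), universal(S))          # dom(P) x S
    return refines(as_relation(P), R & PL, S)


def defined_by_refinement(P, R, S):
    RL = compose(R, universal(S))                       # dom(R) x S
    return refines(as_relation(P), RL, S)


def all_programs(S):
    """Every deterministic program on S: each state maps to a state or to nontermination (None)."""
    states = sorted(S)
    for image in product(states + [None], repeat=len(states)):
        yield {s: t for s, t in zip(states, image) if t is not None}


def all_relations(S):
    """Every specification (relation) on S."""
    L = sorted(universal(S))
    for bits in product([False, True], repeat=len(L)):
        yield frozenset(pair for pair, b in zip(L, bits) if b)


def propositions_agree(S):
    """The three propositions hold for every program and every specification on S."""
    for R in all_relations(S):
        for P in all_programs(S):
            if correct(P, R) != correct_by_refinement(P, R, S):
                return False
            if partially_correct(P, R) != partially_correct_by_refinement(P, R, S):
                return False
            if defined(P, R) != defined_by_refinement(P, R, S):
                return False
    return True


def characterization_holds(S):
    """R refines R' iff every program correct w.r.t. R is correct w.r.t. R'."""
    programs = list(all_programs(S))
    rels = list(all_relations(S))
    for R in rels:
        for R2 in rels:
            by_correctness = all(correct(P, R2) for P in programs if correct(P, R))
            if refines(R, R2, S) != by_correctness:
                return False
    return True


if __name__ == "__main__":
    # Constructed example: S = {0..4}, R = integer square root, dom(R) = {0, 1, 4}.
    S = frozenset(range(5))
    R = frozenset((s, t) for s in S for t in S if t * t == s)
    total = {0: 0, 1: 1, 4: 2, 2: 0, 3: 0}   # correct
    partial = {0: 0, 1: 1}                   # partially correct, does not terminate at 4
    wrong = {0: 0, 1: 1, 4: 3}               # defined on dom(R) but wrong at 4
    for name, P in [("total", total), ("partial", partial), ("wrong", wrong), ("empty", {})]:
        print(name, correct(P, R), partially_correct(P, R), defined(P, R))
    print(propositions_agree(frozenset({0, 1, 2})), characterization_holds(frozenset({0, 1})))
```

The exhaustive checks are what make the model worth running: on a three-element space there are 512 specifications and 64 programs, so each proposition is confirmed on 32,768 (program, specification) pairs, and the characterization of refinement is confirmed on every pair of specifications over a two-element space. The empty program P = ∅ is included in the enumeration, which exercises the remark above that the never-terminating program is partially correct with respect to every specification.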