can have the form e, = e2, where e, and ez are expressions .... com- parison operators. + , -, *, /, ~,. A, V, etc. These opera- tions treat values rather than ... Page 5 ..... (crmtaicss[T1,T2] [e1,e2]& contains[Tz,TJ[ez,eJ) .... V13 (New disjoint) r~e.
Making An
Variables
Equational
Alan
Theory
for
Demers
Computer Science Department Cornell University Ithaca,
Abstract:
New York
Russell
James Donahue Palo Alto Research
Xerox
Center
3333 Coyote Hill Road Palo Alto, California 04304
14853
“Once a person has understood the way in which variables are used in programming he has understood the quintessence of programming. ” – Edsger Dijf@ra [72, p.11]
the overall
Introduction One of the fundamental notions of programming, and thus of programming languages, is the vari~ble. Recently, the variable “functional
has come under attack. The proponents programming” have argued that variables
paper In
world
of functional
the
1.&t.~~Uti&!
leaves much to be desired. In this to make variables “abstract”, i.e.,
Backus’s [Backus78].
notion of variable into reasonable mathematical .
—
a language properties.
tO
the
so that variables have This paper includes:
a description logic
of an equational
language follows
Russell much
of
logic
the
Although
development
of
—
research
ence Foundation
was supported under
Grant
in part
We
ought
equational —
Permission to make digital or hard copies of part or all of this work or personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. To copy otherwise, to Permission copy part of thistomaterial is grantedprior republish, to to post on without servers,fee oralltoorredistribute lists, requires specific permission fee.not made or distributed for direct provided that theand/or copiesaare commercial the ACM copyright notice and the title of the © 1983 ACM advantage, 0-89791-090-7…$5.00
provides
equational that
fol-
thought to languages
(and
remain)
convinced
language
and state.
must
However, proof
that
any
incorporate we were con-
to
be able
to give
This
concern
has led us in two
or algebraic
rules
for
all
of
directions.
The
first
completeness
(1)
specific permission.
$00.75 59
theory.
have states that [Backus78, p.618]
we have
the essential development
was significantly
means
0-89791-090-7/83/001/0059
underlying
an
we gave considerable “vonNeumann”
programming
feel that
The
otherwise,
1983 ACM
the
achieved
are both
vastly
simpler
of these
goals.
Below we present the equational theory of Russell. It is small enough to fit on a few pages of text, yet we feel it
publication and ifs date appear, and notice is Eiven that copyin~ i~ by permission of the Association for Computing Machinery. To copy
@
were
languages that than real ones.”
Sci-
MCS79-10148.
requires a fee and/or
in this
The proof system should be small and yet treat the We did not want to restrict ourentire language. weak subsets of full vonNeumann selves to “small,
We
or to republish,
numbers
used there.
Hans Boehm [Boehm82] has developed a Hoare-style proof system for the language. In this paper we take a different approach to specifying the language – an
this
abstract
by the National
the rule
of
of variable
Russell.
data types (cf. [f2uttag78]), it is novel in its treatment of a language in which expressions not only produce values but also can have efTects. We discuss
This
We
general-purpose
for the program-
[Boehm80].
Russell,
criticisms
some notion cerned that
a discussion of language design principles that allow a more mathematical treatment of variables in pre gramming languagw, and
ming
in detail
Principles
IrI designing
how
introdllce
and
the numbers
we discuss section, needed to make
next
principles
While we may not, believe all the claims of the functional programming advocates, there is evidence that the treatment of variablw in most programming languages we discuss
and present
specification of variables possible. In the sections low, we present a logic that does so for Russell.
combinators.
paper how
in [Demers82],
agree with
language
of the logic
particularly relevant to the semantics of A complete presentation of the logic
appears
of are
at the root of all our problems in programming. They claim that we must rid our languages of all manifestations of the “vonNetrmann bottleneck” and learn to live in the changeless
structure
the rules variables.
Every
of
aided
insights
needs.
logic
by two
design
these was to [Demers80].
Russell
a programmer
of an equational
expression
important
adopt the Basically, has a type;
for
Rusself
decisions.
principle of typetypecomplet eness
(2)
For
any type
type; (3)
in Russell
there
is an expression
is a type-complete language. It type-valued expressions and treats
of that
and
ing with
Any Russell expression can be parameterized with respect to any free identifier occurring in it to yield a function
of a more complex
Russell
type.
gramming
the builtin types and, most importantly the operations on variables. In most
languages
grams (they
variables
can be manipulated
can be passed as arguments
usually
is a named
primitive
typed.
As described
for pro-
var
below,
the
by which we associate with type specifier or signature S.
The signature of e tells whether variable, and gives an expression a signature has the form exp
e denotes a value or a for the type of e. Thus,
or
val exp
by pro-
to procedures,
where,
for
operation,
but
informally,
expression.
example) but the operations that manipulate them are not all part of the surface syntax of the language. Assignment
is statically
expressions.
Russell logic includes rules each expression e a syntactic
Because Russell is type-complete, it has a simp!e, clearly identifiable language core of combining forms and then a larger set of interchangeable parts. These interchangeable parts include our purposes,
more conventional
includes functionand them on an equal foot-
“exp”
must be a type-valued Russell S is a legal signature iff the formula
Formally,
legal
S
other
operations like variable allocation usually are not, making it impossible to define the semantics of variables using the
is provable
same logic
that
of the
following
description,
language.
There
-
represent represent
identifiers; variables beginning with d,...,h or T and those beginning with S expressions; signatures. A Russell expression may be any of
defines are
the non-variable compelling
component
reaaons
languages have type structures rich such operations as variable allocation. makes it variables
for
this
Expressions
few
enough to describe Type-completeness
represent
possible for all the operations that manipulate in Russell to be named functions in the proMaking Russell type-complete language.
gramming allowed us to bring
the operations
on variables
An
manipulate
variables.
The
important
other
as equations decision to interesting language
among develop consequence
for
describing
the programming
up to the
—
decision
was
to
—
begin
this
idea:
the
on variables
could
not
– instead Russell,
of enriching we were
itself.
—
forced
of the proof
programming
rules
language
—
The language Russell [Boehm80].
In the
p,q,...,x
identifiers
are builtin
,y, z
such as
types,
and
a
to be introduced below, may not be redeclared.
of the form
—
this
of the form
An
application eO [ elj
-.l
confusion cations
—
should in infix type
func[...;
rather
than
em. When
frequently
prefix
expression,
functions, SI
names,
For
e, through
arise we shall
write
no
appli-
notation.
of the form
such an expression
parameter parameter
1
Xi:Si; . ..] S
Intuitively, ter
en
eO to arguments
A ,function
be
describe the Russell We then present the
e2 else es tl
e, do e2 od
of function
point
should
d;; ,,. in e ni
=
A loop, of the form while
to enrich
may
Xi
if e, then
overall structure of our equational proof system, and discuss the most important inference rules, The complete set of rules is given in [Demer&2]. Next we discuss proof rules for operations on simple variables. We give two sample proofs to convey the flavor of reasoning in the sysFinally, we give rules for composite variables tem. (records) which show how their semantics are straightforward compositions of the semantics of their components.
Programming
Special
which
with
of the form
A conditional,
an assertion
It seems to us that
In the following section we language subset used in this paper.
The
type,
composition,
A let-block,
be expressed
Our expressions of the language. an equational specification had an
requirements
A sequential
let ....
is an important point. A good deal has been written about the need to develop a language and its proof rules simultaneously; the hope is that the language will be molded by the desire to keep its proof rules simple. The use of an equational system puts an interesting twist on out areas where the made more expressive.
or constant. and
syntax.
beginning
(e,; .... e.) design
language
bool
conventional
variables
number of builtin functions are treated as constants that
developing an equational proof system for Russell before the language design waa frozen, While developing the equational system, we found places where critical properties of the operations
have a fairly
identifier
int,
surface, so that the same equational theory that defines the language core can also define the parts of the language that
in the logic.
through
signatures,
denotes
where x, through SD are and
the
S is the
the type
of n-
x, are param~ corresponding
result
signature.
example, func[x :val int; y:val
is an expression
for the type
int]
VZd
int
of the integer
addition
operation.
—
A function func Such
Language
an
construction,
of the form
t[...; Xi,Si; . ..] { e } expression
denotes
a function,
where
x,
through X. are parameter names and S1 through S, are the corresponding parameter signatures as above;
used below is a minor modification of As we have already remarked, Russell
identifier
60
t is a local
name
for
the
function,
which
allows
it to call itself
the function func
body.
recursively;
For
square[x :val int] if x 0 then
square[x–1]+
of the programming
x+ x–1
problems
else Ofill} is an expression
The
Structure The
first
is to find their
formulas.
for an integer
of the
suitable
for
sort of behavior
must
—
Thmt variables can alias -- two syntactically variable-producing expressions in a program
That
new variables
In
Russell
extraction, operation
the
the
operations
of allocating
lar builtin
functions.
pure of
This
allocation
assignment
test
for
a new variable
and
aliasing
are all just
it seemed natural
applications,
to
defining
encountered two problems tional specifications: (1)
Russell
expressions
Russell.
In
not common
doing
the
so we
(let x.*
for Russell
is obviously
effects,
as well
as pro
formulas
variables
of the
e neither value
a
form
e is independent
-
produces
has an
that
depends
An expression e is said The notion of purity at some length
are formulas
to be is an below.
of the form
el = e2,
el and e2 are completely
expression
‘Lexp = True”
pure,
total
by
without
error
expression
we will
sometimes
abbre-
“exp”. Note that True always – its evaluation
expression
It is worth
is the semantics
noting
is independent
is true
the
or observable exp must
effect
likewise
xni)
in y :=
is a ter-
– so the
be pure
and
the truth
expressions
e, and
or falsity
For
of any for-
example,
et may
if e, = e2
reference
program
be equivalent by those vari-
ables.
of the
Environments An
environment
r
is a set of formulas
r=eu+ =
(y:=4;3)
where
0 is a set of typings
in which
(not arbitrary expressions) may sides, and @ is set of equivalence tains x. in
4; x ni)
4; ValueOf(y)
disallow
that
of the store.
variables but the two expressions must independent of what values are possessed
ni)
a typing
proofs
Given Xn,
(x-S)
we
r
only
simple
identifiers
appear on the left hand formulas. When 0 con-
we say that
I’ is closed if e defines every a formula of e or @. All
correct
but
are
expression
expressions
viate
mula
Again we have just substituted the right-hand side of a declaration for the left-hand identifier. However, this equivalence is clearly invalid. The equations of our system must include premises that allow the first substitution
assert that
equivalent
Here we have substituted the right-hand side of the declaration (“4”) for the declared identifier (“y”) within block body. On the other hand, consider
(y:=
any nor
These
valid:
3 in y :=4;
=
of the form
total. can have
(let x ❑. ValOf(y)
that
one and is discussed
minates
to the usual equa-
Equivalences between expressions may hold only in certain contexts. For example, the following equivalence
of
effect
exp is a Boolean
but also the effects of evaluating them. In a sense, one of the major problems in the development of an
(2)
of
equivalent – that they have the same value and produce the same observable effects when evaluated. If
duce valuesthat is the whole point of having variablcs in the language. Thus, the equations of our system must relate not only the values of expressions
equational theory “;” operator.
values
which
the
ideas of abstract data type specification, where semantics is given by a set of equations relating the results of function
the
assert
Equivalences.
particu-
to apply
the
kinds
include:
are formulas
These
Assertions.
important
value
and
These
on the current state. pure if pure e holds. —
of
other
is S.
e, which
observable
of any existing variable, alias with any existing
that
Thus
Purity
distinct can pro-
results.
can be allocated.
predicates
the
—
indistinguishable
does not change the value nor does the new variable variable.
extract
to deal with
legal S, which assert that S is a legal signature - S IMS the form var e or val e where e is a type-valued expression whose value is independent of the store.
recaptured? and
of our system
L ecjalify Assertions.
characterizing
That one can assign to a variable ualue possessed by a variable.
—
The formulas
However,,
we need several
Typings. These are formulas of the form e - S, which assert that e is a legal Russell expression
of variables
—
duce semantically
—
above
whose signature
the semantics
a set of operations What
function.
Logic
task in specifying
behavior.
squaring
language.
discussed
e (and
hence r)
identifier that environments
defines
occurs free arising in
are closed. and a set of program
identifiers
xl
through
may construct
the second.
These constraints led us to a Gentzen-style deductive tem having much in common with those of [Bates82]
A (r’
sysand
is closed)
i.e., the maximal
[Martin-Lof79]. In the remainder of this section we present the basic structure of the system, In later sections we give the rules of inference that define our Russell subset.
61
through
x,.
deletes
from
A (r’
defines
closed subset Less
r
formally,
definitions
this of
none of XI,...,Xn)
of r not defining x,
construction through
X.
}.
any of X1 simply and
any
formulas
that
depend
on them.
is closed, since an arbitrary is easily seen to be closed.
BY construction
r/xi,...,x,
Theorems
union of closed environments Using the above construction,
The set of theorems is the smallest set of goals closed under deduction using the inference rules. This set is nonempty, since there are inference rules with no
we define (r,xl-&,...,xS,),) r/xl,...,xn
which
gives
the effect
the environment of the identifiers then
new
closed
of declaring
x.
X,
are added.
Note
r I Xl,...,xn,
‘d,f
U{
r’
&
the var
! (r’
them
is
are among
X1
restriction
r so that
tution
*
~i y =
any free identifiers
Xl )
with
}
vrm signa-
x..
and
that
allow
rules
and
modus
ponens
and transitivity provably
stating
typings. rules,
rules
of =,
equivalent
obviAmong stat-
and substi-
expression
to
for one another in equivalence formulas These rules are straightforward, and can be
in [Demers82] subset
we are using includes
builtin
types
tions
treat
style tions
system there are equivalent, in the assertion language.
about
values
terms
rather
that
than
variables,
and in a Hoar&
identically-named funcTo enable us to reason
use these operators,
we include
all rules
of the form ‘&f
r I
of I’ to no var val
rules
some logical
equivalences
symmetry
The Russell
we define
with
about
are assumption
be substituted and typings.
of
includes
facts
int and bool with the Boolean, arithmetic and comparison operators + , -, *, /, ~, A, V, etc. These opera-
xl through
i.e., the restriction
system
ing rej7exivity,
~r)
T)Er’
r,,,
identifiers
The
is closed)
be among
Finally,
(r,...,xi_Si)...)
Rules
ous basic
found
A ( (y-var
rest;icts
on
by
Xa,
1X1,.,.,X.
ture must
identifiers
in r/xl,...,x..
we define
A (r’
This
that
of % through
or are defined
-through r
Basic
program
– first all references to previous instances are deleted from the environment, and
typings
Similarly, r to
u {X,-sl,...,sm},m},
if all free identifiers
through
hypotheses.
‘d,f
typings).
L 10 (equivalent
identifiers This
(leaving
operation
only
terms)
@~(el-T,
e2 -T)
is useful
because expressions that can be typed using information in I’vll are guaranteed to be pure.
only
the where
Goals A goal G has the form r*F
(1)
61 consists
of tbe typings
(2)
T is either
int
(3)
Expressions
the meaning
the typings
Inference
that
the formula
and equivalences
F is a consequence
of
int
and bool
Free identifiers
in r.
These
rules
An inference
rule has the form
systems
of proof
Using
the
G,
can show
that
...
listed
above,
terms
operators
are considered
correspond
true formulas in the quently made when
Rules
in r.
e, and .2 are equivalent
the builtin with
contained
or bool,
roughly
using
mentioned
universally to
the
quantified.
assumption
assertion language discussing relative
only
above.
“all
are axioms” completeness
freof
[Demers82],
we
rules – cf. [deBakker80]. complete
set of rules
if el and
from
e2 use only
the
bool
operators
and if
G, G with
the meaning
clude
G.
through
We
that
call
from
G the
conclusion
G, its hypotheses
abbreviate
by
allowing
G, through
or wb~oak lists
of
G, we may
of the
rule,
con-
and
to
appear
then
is provable,
and so is
G,
We shall frequently
formulas
is provable,
in
hypotheses and conclusions. We also follow the convention that the variables t,u,..., z represent new identifiers, and that an expression of the form
whenever cally
e$ is a bool
implies
term
such
that
e, *
ea tautologi-
es.
d[...xix]...] which
represents
el through occurs.
the result
em for X1 through
of simultaneously Xn, is legal only
substituting
Purity,
if no capture
Null
Effect
and
In giving the semantics expressions may have effects, limit sions
62
Legality
of
a language in which it is necessary at times to
the use of inference rules to only those that are provably independent of state.
subexpresFor exam-
pie, an equivalence
such as
must
only
capture this sions being below,
be provable
independent and
the
of the order
guarantee tively, affect
that
number
in
this
if the
of times
which
they
by requiring
evaluation
the value
meanings
that
of el and they
are
We
r
can
of e, or ez neither
depend Thus,
~
pure
purity
awertions
and
a number
of
rules
Consider
the
same
as freedom
from
Rules
Below are the rules by which one deduces purity of One of the attractive points of Russell is expressions. that there is a large class of syntactically identifiable pure
side-effects.
tively,
the expression
extracts
expression
the
identifiers
evaluation
since
Thus
(pure null
possessed but
by
its value
variable
x.
This
depends
r}
expression
can have
r
of a pure
it does not
the plausible
necessarily
terminate
without
r
~
(e,; e2) -
r
1-
pure
r
*
(e,; e2) =
~
rval
S
r
e2
or nontermination
in e,.
For
example,
for possible
abortion
(1/0; is clearly
untrue
in the
a pure
its effect must
every
17) =
it could
be used to
because
left
division
equation
is independent
time
it is evaluated.
but
~
if it has a value,
is evaluated.
by
not
In
short,
r
it does not that
1~ ~
nontermination, must
or
e,; x2:,
of var
the rule
is pure
even
if
a
var
typings
can be used to the
it does not refer
expression to variables
context.
purity)
=e2-S
r
~
pure
e,
r
1-
pure
e2
This
be the same
a pure
provided
it
rule
it violates
expression
allows
us to prove
the simple
given in the previous to another expression
is
an expression
syntactic
is pure
characterization
two rules, by proving known to be pure.
even if
of purity it equivalent
In addition to the above rules, there are rules that us to deduce purity of composite expressions. These in [Demers82]. For the most part they – they merely state that composite
expressions are pure if their components are, and that function type expressions and function constructions are pure unconditionally, For applications the purity rule is more subtle, however.
reordering)
let xl=
it requires without
the value
e)
=
introduction Thus,
provided
rules can be found are straightforward
(el -41; e2 -S2; pure e,
prohibit
an expression
variables,
Afthough
in an environment
of the subgoals.
r~e,
and
r r
powerful.
e to begin
P5 (substitution
the
e
r~e=(e;
P2 (pure
e
the surrounding
allow pure
pure
of pure
idempotence)
r~e-s r 1-
is pure.
of the state,
Similarly,
may be evaluated any number of times, evaluated atleast once; The two rules P1 (pure
any var
val T
P4 is surprisingly
from
the erroneous
side of the
expression
expression, it
e -
proof
prove
17
be the same – abortion,
- every
time
result
no
x
Rule
right.
of a pure
imports
purity) ~
allocates
no effect
a var
Intui-
purity)
pure
in proofs
show
Since
that
this. and that
e,
because it fails to account
zero occurs
expression
is pure
x-s
typings,
which
two rules illustrate
any identifier
and does not produce
P4 (value
null eflect rule
effect (UNSOUND))
is unsound
that
Russell
P3 (identifier
manifestly
following
state
thus it is not pure.
Conversely, an effect, error.
value
has no effect,
on the state;
The
they
type-correct VatOf[x]
which
or e.
that
expressions. is not
conclusion involves moving eliminating) subexpression
on nor
allow us to deduce that expressions are pure. Purity assertions are perhaps the most novel aspect of this work, and they appear as hypotheses in many of the rules below. Purity
e
the logic Purity
includes
only one of two expresIn the rules be pure.
of the form
appears whenever the rule’s duplicating (but not entirely
e, and e2 be pure – intui-
possessed by any variable.
a hypothesis
N’ote that needs to
e2 are
are evaluated
evaluated.
behavior. reordered
P12 (application es -SS)
purity)
r t-- (..., ei -
e2ine~ni
let x2 :: e2; xl Z=e, in e3 ni
63
r
l--
f(...,
r
*
(pure
r
➤
pure
Val l’i,
ei, ...) -
val
f, .... pure f(..., ~i,...)
...) T
q, ...)
This rule states that an application is pure if the function and argument expressions are pure and neither the urgunoT the result
ments
are variables.
Although
this
Signature
rule may
seem weak at first glance, it is the strongest rule one could Applications that take var arguhope for in genera!.
is independent to make
ments or produce var results may be impure even though all their subexpressions are pure – value extraction and variable
allocation,
are simple
both
examples
Applications even though of rule P12
of certain
the remaining
Null
Effect
builtin
expression
be pure
ones may be found
argued
that
our
to be discarded there
evaluation
may
is guaranteed
e there
rules
cannot
of Russell
to
terminate
allow
a pure
is never
constructs without
~
(e,; et) -
r
~
(cl; e2) = ez general
rR-(x;
that
var
evaluation
of
a pure
expression
does
not
terminate without error. Thus, for example, rule allows a legal signature to contain a nontype expression. This is generally acceptable,
We could additional
easily eliminate hypothesis
precludes
1-
it
by
adding
to the
rule
the
(T; True) = True
nontermination
approach
is taken
simplifies
the presentation
or
in the discussion
abortion
of T,
This
of records
below,
aa it
of the rules.
Expressions we described the rules by which we may a composite expression is pure. We shall also
require .signakwe rules for composite expressions, which allow us to deduce that expression e is type-correct by proving
of these rules is
a formula
require
effect)
rules
composite site
e)=e
rules
types
and function
simplest
form
e -
us to deduce
expressions.
expression
The which allows us to discard evaluation of an identifier if the value is not subsequently used. There are also null
of the
allowing
ones can be found
ef?ect rules for function
T, legal val T)
necessarily the above terminating
Composite
e)-S
r~(x;
(legal
null eflect rule of the form
S
null
~
Earlier deduce that
r
P13 (identifier
r
r
effect rule scheme)
The most
T - val type pure T
which
or
We now have the mechanism
formal:
E j-
used.
error
that a signature var e expression whose value
legality)
whose
expressions can safely be disFor each such are unused.
is a special
of the store.
r r
Recall
in [Demers82].
even if its value
are a number
observable effect, and such carded when their values (null
functions
Rules
this remark
S1 (signature
llules
have
expression
impure,
they violate the rather stringent hypotheses above. For these functions there are special Some of these rules appear purity rules.
application
However,
are obviously
of this.
below;
We
of which
Legality
Earlier we remarked informally or val e is legal only if e is a type
The are
most
S.
Finally,
equivalences
important
discussed
below;
we shall between
of the compothe
remaining
in [Demers82], signature
rule
is the one for sequential
composition: S2 (; signature)
constructions:
r~e,-sl P14 (func
type
r
*
(func[...;
Xi:Si; ...] S; e’) -S’
I’
Ken-S,
r
~
(func[...;
Xi:Si; ...] S; e’ ) ~ e’
r
}
P15 (func
null
effect)
construction
..
null
Basically, this rule states that a composite expression is type-correct if all its subex pressions are. Most of the other signature rules are similar, and may be found in
effect)
r
~
(func
f[...; Xi:si; ...]{e}. e’ ) -
r
~
(func
f[...; Xi:Si; ...]{e}. e’) S e’
S’
[Demers82]. The signature blocks are more interesting,
These rules state that building a function tion value in Russell has no effect. Of nothing function
There
applying effect rule
“signature The
the for
There
is a separate
are no specific
site expression
rules
has no effect
null
S3 (application
such facts are provable
r~f–
effect rule for each
for proving
that
if its components
a compohave
calculus” signature
rules for applications and Ie% however, as they embody the
rules of [Boehm80]. rule
for function
applications
is aa fol-
lows:
since this depends on the details of the funcA number of the builtin functions are to terminate without error or effect if their
arguments do. such function.
however,
type or a funccourse, they say
about the effect of subsequently – there can be no general null
applications, tion body. guaranteed
(el; .... e,) — S,
none;
signature) Vd func[...;
+ ~
(..., q - Si[...CXjX],..], legal S[...eXjX]...]
r
~
f[..., ei, ...] -
The subgoals and taneous substitution
in the system.
64
X,,S,; ...] S
r r
. ..)
S[...eXjX]...]
conclusion of this rule involve simulof the argument expressions q for the
corresponding enable
parameter
the rule
example,
names
to deal with
xi.
let p be the polymorphic func
p[t:val
These
type-valued identity
type;
x:val
substitutions
parameters.
C6 (let
For
absorption
r
function
l--
(r/...Xi...)
j-
r,Q
R
type;
x:val
t] val t allows
For the (type-correct)
application p~nt,
The
second
and
third
rule are instantiated
from with
17]
subgoals
of the
function
r
17 ~
an expression
e2 to be “absorbed”
the right. The an environment
requirement from which
have been eliminated
signature
The
as
ensures that
following
two
capture
rules
allow
ni=(d;
e)
into
a let-block
that e2 can be typed the new identifiers xi cannot
let-blocks
occur.
to be intro-
duced and eliminated.
r ~ int N val type~rrt,17/t,x] I’”~
S2
let .... xi ==di; ... in e, ni; e2 let .... xi =, di; ... in el; e2 ni
= val func[t:val
ez -
t] {x}
so that P -
(right))
let .... xi .= di; ... in el ni --- S1
C8 (let
val t@t,17/t,x]
elimination
(a))
r~letx==dineni-S
legal val t~nt,17/t,x]
rjx~e-S or, equivalently, r
l--
r~17
int - va! type - val int
r
Iegal
~
These allow
r~letx:=
This rule states that may be eliminated.
val int
l--
a binding
that
is never
referred
to
that
the
the conclusion C9 (let
r
dine
pfint,17]
-
val int
elimination
rt---
(b))
s-s
a-s desired. The signature rule for let-blocks the application signature rule.
from
‘(principle expression
of correspondence”
I’+letx..
can be developed Following Landin’s
\Landin66],
we expect
In neither
the
Iet .... xi:Si ==~; ... in d ni to be type-correct
be pure.
The
complex
C1O (let
S4 (let
r r
K ~
r ~
follows
d -
body
d.
The rule
r
...)
l--
When
- S[,,,eJ/xJ,,.]
to the obviously
the number
C1O. 1 (let
directly.
~
a complete interesting
of the rules
list appears in the and, for our purposes,
are the ones dealing
the components
of a let-block,
expression,
with
or to combine
For example,
f-
e ~ e’
Informally,
a
equivalence
~
es
~ =
S
e’
hi can be used as a predicate
describing
so the general form of the rule allows us of the bound values in proving the
of e and e’.
hl be dl, we can derive
65
is zero, this rule specializes
rule:
let .... xi:Si ==di; ...in e’ ni
the bound values; to use knowledge
the rule
of ~-hi pairs sound
let .... xi:Si =. di; ...in e ni =
function applications and conditionals. Most rules are used to rename bound identifiers, to an adjacent
l--
hj
equivalence)
r
with
gjj pure
let .... xi:Si .: di; ...in e ni -
are described below; [Demers82]. The most
block
pure
let .... xi:Si ==di; ...in ef ni
(r,...,XSiS)...)
rearrange
1-
let .... xi:Si .= di; ...in e ni s
The remaining composite expression rules are those that allow us to deduce equivalences. A few of these rules
let-blocks, of the let
let .... xi:Si :. di; ...in hj ni
s
let .... xi:Si =. q; .. in d ni
important
*
(r,...,xi~S)...) ...
r
the most
following
s
(..., % - Si[...t3XjX],..], legal S[...ex;x]...]
quite
is the
.. .. Xi:Si =: di; ...in gj ni
(f’,...,xi~S)U{ .,gj~hj,g}~hj,...} 1-
rules
let .... xi:Si S* di; ...in e ni N S
let
signature)
(r,...xsis)...)
let
substitution)
[ .... X,:Si; ...] S
of the block
of the
rule:
(r,...,xSjS)...)
f has signature
and S is the signature
l--
any requirement
..
f [ .,., q, ... ]
func
most
substitution
iff the application
where
of these rules is there
subexpressions
r
is type-correct,
einxni=e
For example, the following
letting extremely
g, be xl and useful rule:
C1O.2 (pure
C16 (if substitution)
/3-conversion)
r
1-
let XI:SI ., d,; ...in e ni -
r
~
pure
r
➤
let X1:S1 = d,; ...in e ni
r
S
~
ifelthen
.r +
d,
pure
e2eLsee~fi-S
e,
➤ ➤
N{el=True}
=
IIJ{el=False}
let X1:S, =, d,; ...in e[dl/x,]
no capture
to the ,tkonversion Two
This
occurs.
derived
rule of the lambda
important
rules
give
the
rule
calculus. meaning
r
1-
r ~
argument
d[..., q, ...] -
1-
if e, then .2 else es 6 — if e, then d2 elee d~ fi =
is related Like
of function
let
substitution
equivalences
application: C18 (application
es = d~
ni r
provided
e2 = dz
into
(C1O),
this
rule
the environments
introduces
of its subgoals,
new making
it possible to use knowledge of the truth or falsity of the condition in proving properties of subexpressions e, and ez.
evaluation)
As we illustrate below, the if substitution elimination rules can be used together
S
analysis
d[..., ei, ...]
to
and parallel if perform case
in the system.
- let x zs d; .... y, . . e,; . in x[..., K, ...1ni The This rule states that argument evaluation let-binding; thus, the rule implies that passed from
by value,
and
that
argument
may be done by parameters are
evaluation
proceeds
T includes
left to right.
C19 (application r
(func
p[...; Xi:Si; ...]{e})[ .... q, ...] _
r /-
(func
p[...; Xi:Si; ...]{e})[ .... e;, ...]
= let p :: (func
S
recursive
specify
for p in the right hand side of the conclusion in case e calls p recursively. If there are no
calls,
this
binding
Another ‘expressions. rules
can
and
be eliminated
the func
to the
let
absorption
rules
for
all
and
ez else e$ fi -
r
if True then
ez else ea fi = ez
to
there
nothing
is
if False then
e2 efee e~ fi --- S
r
K
if False then
e2 efae ej fi = ei
r r
K
➤
ifelthen if el then
The most complex
We give the rules the same
composite
rules
types
rules are expected
VI
(:=
such
to hold
e2elsee2fi-S
as for
that
operation it will
in
the
with
necessarily name
of
the
right
obey an
signature
these
rules
operation
-
that
its semantics. and first
value
Value
step in specifying
Extraction the semantics
of variables
➤
r
➤
by
(left))
t-- (el := e2) pure e,
r
V2 (:=
(parallel))
for hold
as WCII. However, one must be someThe fact that a user-defined type hap-
a New
mean
r
C15 (if elimination
have
including Similar
value extraction The rules below
is to give rules relating the effects and values produced assignment and value extraction. These include
(false))
\
essentially
types here.
Arw”~nment
S
r
behave.
but
types,
does not prescribes
a
argument rules:
they
int,
and records.
The
if True then
C14 (if elimination
builtin
assignment, of type T.
how
type
user-defined what careful
the null
(true))
I’ j~
builtin
arrays
conditional absorption
above,
to application if elimination
precisely
the
pens
evaluation rule similar There are also three
C13 (if elimination
using
construction
important claw of rules define These include a signature rule,
analogous
condition evaluation.
(C8)
the components:
These operations perform and allocation for variables
p[...; Xi:Si; ...]{e}).
.... Xi ==e,; ... in e ni ni
let-elimination rule effect rule (P15).
of Variables
:= : func[var T; val T] val T ValOf : func[var T] val T New : func[ ] var T
meaning)
h
The binding is necessary
Semantics
In Russell, the operations that manipulate variables are generally components of data types. Each builtin type
val int
(.l := e2) = (e, := e,; ValOf[e,])
value
(right))
r
1-
(e, := e2) -
r
1-
(pure
val int
r
~
(e, := e2) = (e, := et; ez)
el, pure
ez)
e2 efee ez 6 = (e,; e2) of the if rules is: These two rules give the value of assignment expressions: the value produced is the value of the right hand side and the value of the right hand side becomes the value produced by ValOf
66
after
the assignment.
P16 (ValOf
null
The
effect)
-
r~x
var
rEe-S r
V5 (alias
1-
This
(ValOf[x];
t-- (e:=el) ~ (e:=ez)
r
l--
(pure
r ~
e:=ez)
r r
~ ~
(e:=ValOf[e]) pure e
r
➤
e:= VidOf[e] two
a (e,; e:=e2)
the
same
variable,
The
“pure
value
-
r
l--
(el -
var
h
(pure
el, pure
~
(e, -
var
r
t-
(pure
el, pure
give
if two
the effect
successive
only
the to
able. Rule V4 states that to itself has no effect.
r
~
disjoint[T1,T2]
of assignment.
assignments
second
the
to
one can be noticed.
rule
guarantees
on the prior assigning
Rule
are made
value
that
the value of a variable
To do so in an equational system new builtin functions to the
purity)
r
+
contains[T1,T2]
r
E
(pure
r
F
pure
P18 (contains ~
alias, contains, disjoint: val func[Tl,Tz:val
we must add programming
of
changes and
is true
expression
el.
if
change
to the contents
vice versa.
change
to a variable
of e, will
Formally,
these
possible;
but
efficient required.
large
in-place
arrays
of e2, while [el,e2]
affect
can
after
be
[xl,x2]; e) -
S
e)
transitivity)
r
1-
(x, -
var T,, X2 -
var
T2, X8 -
r
F- ( ( contains [T1,T.J[x I,x2] A contains[T2,T3] [x2,x3] ) +
var
TJ
(Tl; T,; T$; True)
r~x
is
r,~
of the contrue
if
T
to test whether copying
~
contains[T,T][x,x]
= (T; True)
V9 (nonoverlap)
of e2
are related
or
var
no by
r
t-
(..., xi -
r
➤
Var
Ti)...)
((contains[T1,TO] [xl,xo] A contains[T2,TO] [x2,xO])
+ (contains[T1,T2] [x1,x2] V - (To; T,; T2; True)
cOntains[T2,T11 [X2,Xl]))
V1O (acyclic)
some consideration
used
reflexivity)
-
chang-
the contents
functions
can use them
algorithm
[el,e.J
(T,; T,; e)
V8 (contains
that
they began to seem natural and potentially quite useful in ordinary programming. For example, a program that manipulates
val bool
effect)
s
inference rules given below. . As mentioned earlier, we feel it is important that our attempt to develop an equational specification of Russell pointed out areas in which the language needed to be made more expressive. The alias, contains and disjoint predicates were introduced to make an equational description of the language
null
e,
the contents
a component
disjoint[T,,T2]
the other.
contains [T1,Ta][x ,,x3] )
expressions
changing
the contents
of e2 will Finally,
so that
the
contains
contains[T1,T2] [e,,e2]
el evaluates
e2 as a component,
eontains[Tl!Tz]
T2] val bool
to the same variable;
ing the contents tents
T1, y:val
alias[T1,TJ[e1,e2]
e, will
[e2,eJ)
ej)
(contains[T1,T2 ][xl,x.J;
V7 (contains
type]
val func[x:var
if neither
[e1,e2] -
e,, pure
(contains[T1,T$]
e
language:
of variable
][e1,e2] & ~contains[T,,Tl]
P17 (contains
r F
if the
[e1,e2] =
are disjoint
The next step in developing a specification of variables is to give rules that describe when variables share
is true
T2)
the
of the vari-
Aliasing
contains
var
e2)
two variables
r
and e2 evaluate
T,, e2 -
(-wontains[T,,T2
= ValOf[e]
e2° premise
Informally,
T2)
var
e2)
definition)
r
val int
of ez does not depend
storage. several
Tl, ez -
in terms of conThese two rules define alias and disjoint tains: two variables alias if each contains the other, and
rules
that
definition)
V6 (disjoint
ez)
V4 (self :=)
These
and
(crmtaicss[T1,T2] [e1,e2] & contains[Tz,TJ[ez,eJ)
val int val int
e, pure
V3 states
a!ias, contains
r 1- alias[T1,T2][e1, e2] ~ -
(e:=el;
rules define
- it has none.
annihilation)
r r
inference
r
e) = e
rule gives the effect of ValOf
V3 (:=
following
disjoint:
int
r
➤
(Xl -- var
r
1-
contains[Tl,T2][x
T, X2 -
var T)
,,x2]
~
contains [T2,Tl][x2,x1]
an These rules give the essential properties of contains. Rule P17 states that an application of contains is independent of the store if its arguments are; similarly, by rule P18 an
is
67
application of contains has no observable effect if the argument evaluations have none. Rules VT and V8 state the obvious facts that containment is transitive and reflexive.
hypotheses
Rule
There is no requirement that the x’s or y’s themselves be pairwise disjoint, as this is not necessary to show that el
V9 states
that
variables
ables contain anything variabIes must contain well-foundedness
contained
The
following
alias,
contains
- if two vari-
in common, then one of the two the other. Finally, rule V1O is a
requirement,
not be properly type.
the
do not overlap
three and
stating
that
in another rules
a variable
variable
disjoint
tests
in
the
among
y, through
import
Variable
of
(e, -
var
Tl, ez -
var
r r
t~
(pure el, pure e2) alias[T1,T.J[el, ez] = True
programming
This
states
that
two
indistinguishable.
r
exactly
can prove
variables Note
that
the
alias
hypotheses
are com“pure
cancel
one another.
pure
For
example,
equivalent
1; y),(x:=ValOf[x]-l; to
True
x := ValOf[x] are obviously
null
even
y)] though
f
+
(Newl];
the
K
New[ ]:=e
a e
These three rules give value and effect of New
the important properties of the – a new variable is disjoint from
any
allocating
other
variable,
and
or even assigning
to a
new variable has no observable effect. There is no rule stating that New is pure – it is not pure, since it produces a new variable
1
each time
(generalized))
vided
val T,
context.
r
~
(e:=ez)
-
val Tz
(P4) to show that
r
~
contains[T2,T1]
[e,x] = True
r
1-
(pure
e2)
r
l--
(x:=el;
e, pure e:=ez) that
it is invoked.
However,
as noted
assignment
to variable
to x if e contains
x.
As in
&
(..., Xi -
&
(..., Yj — var
Uj,...)
r I- (..., dSjOint[Ti,uj][x;,yj],...) (r I ...xi...) + ~1-- s, (r I ...yj...) E e2 - S2
Note
the
that
a new value
int =. New[ ] in x:=17
above
rules
is the one to which
Two
r ~
To demonstrate two substantial
let t, :: e,; tz ==ez; in e3 ni let t2 ==e2; t, =: e,; in ea ni
evaluated
purity
rule
the expression
17.
r~ea-sa
be
the surrounding
ni
leave
many
things
unsaid
ables in programs. Variable allocation may be done using a stack or a heap; the definition of New is insensitive to such implementation decisions. The operations of assignment or value extraction could have “benevolent side effects” [Hoare72] like garbage collection; the only obligation is that after an assignment the only variable to yield
var Ti,...)
This rule allows us to conclude expressions do not interfere with
from
one can use the value
about variables in Russell. They do not specify an implementation, but only the observable characteristics of vari-
V12 (reordering) r
use any variables
example,
to the constant e hides the
value of x.
r
For
is pure; and, with some manipulation, one can use the New inaccessible rule (V14) to show that it is equivalent
= (el; e:=e2)
an assignment
it does not
let x: var
the annihilation rule given earlier, the purity hypotheses are necessary to ensure that neither e nor e2 depends on
may
e)=e
e-s
w
expressions
(T; e; True)
inaccessible)
(x:=el)
=
New[ ],e] a
above, it may be possible in the system to prove that an expression is pure even if it creates new variables, pro-
annihilation
the previmrs
the allocation
effect)
~
effect of a previous
define
e-s
rt--
impure.
rule states
that
int:
var T
r
This
of type
one r
and
give the rules
disjoint~nt,T][
V14 (New
sub expressions
V3a (:=
~
r
that
[(x:= ValOf[x]+
all y’s.
e,”
alias[int,int]
is
-
P17 (New
and “pure ez” are essential and are not implied by purity of ‘[alias[T1,TJ [e1,e2]” – el and e2 might be impure but have effects that
from
disjoint)
rt--
rule
of el are of et are
Tz)
r~el=ez
pletely
y=, and all x’s are disjoint
for variables
r~e
~
identifiers identifiers
Allocation
function
equivalence)
r
the free var Xn, the free var
We can now
V13 (New
(alias
that
through
and ez do not interfere.
language. Vll
xl
can-
of the same
give the semantic
require
among
A
that the effects of two one another, so that the The in either order.
the assignment
was made.
Examples
Derived
the use of our equational examples.
system,
we give
Rule
Our first example illustrates how case analysis can be performed within the system. We shall prove the following derived
68
inference
rule:
r R
(x,:=el
r r
t~
(pure el, pure e2) (T; True) = True
r
F
val T, xz:=ez
-
(xl:=el; ~
~ val T)
func
which two
x,:=e,;
if disjoint[T,T]
[xl,x2] then
is a standard variables.
correctly
el else e2 6
this rule is true because two variables of the are either disjoint or alias – they cannot over-
lap, nor can one of them The Using
proof
of this
disjoint
(V6),
(C15),
proceeds
contains
null
effect
(P18),
language formula.
r from
there
X2]; xl:=e,;
if disjoint[T,T][xl; then
xl:=el;
X2]
x2:=e2; ValOf [xl]
else x ,:=el;
x2:=e2; ValOf[x ~] 6
using if substitution
rU{disjoint[T,T][x
(C16) with
~,x@True}
(xl:=.,;
x,:=e,; -
x,:=e,; =
(pure q, pure swap = SWAP
e,)
~
This
~
(xl:=el;
x,:=e,;
below)
e,)
cally
we obtain
xl:=.,;
holds
The the
first
definition
obtain
the
desired
result
using
that
xl
and
is straightforward,
X2 are
disjoint
expressions to be reordered. The a bit more complicated. Using
(V6)
and the hypothesis
we obtain,
after
holds
the
second disjoint
Using
contains
juncts
on the
manipulation
acyclic left
result A
Simple
As consider SWAP
[x2,x1] =
that
A X1=17}
{X2=11
cannot
possibly
(X$=ll;
X1:=17)
be
SWap[X,,
X2])
over
~
11 on both
sides.
‘l’he
X2:=17;
swap[xl,
x,])
=
(xl:=
17; xz:=ll)
show
proof
(of
the
true
equivalence)
(xl:=el;
the
two
After
By application
dismore
meaning
(xl:=el;
xt:=e2; (C19)
SWAP[X,,
proceeds the left
as fol-
hand
side
X2])
this is equivalent
to
let y, ==x,; y, ==x2 (body of SWAP) ... ni
A contains[T,T][x2,xl])
alias [T, T][xl,x2]
a
True
Using the derived /3-conversion rule (C1O.2), let elimination ~C8) and identifier null effect (P13) yl and y2 can be
to ali’as, the desired
eliminated
to yield xl:=el;
Procedure a second example of the use of our system, we a theorem presented in [Cartwright78]. Let the Russell
Hoare
if xl and x2 are aliaaed,
precondition
17 is stored
True
directly.
represent
swap[xl,x2]
the
in
xl and x2 have been shown
follows
the
equivalence
this leads to
= that
can
example,
lows. Using substitution we can show of the desired result is equivalent to
side are equivalent.
(contains[T,T][xl,x2]
Now
we
to
the reader
does not hold when xl and X2 are aliased.
x2] = False
(V1O)
hand
For
X2:=17;
(x,:=11;
that
V contains[T,T]
similar convince
does exchange the values of the the two formulas really are techni-
A x,=17}
because
similar
some manipulation,
contains [T, T][xl,x2]
appears
the equivalence
The disjoint[T,T][x,,
X2]) x1:=e2)
if
since
allows
(x2:=e1;
of it should
different.
(x,:=11;
of the two subgoals
assumption
assignment subgoal is
can
int) int)
e2)
formula
because
satisfied; from which we absorption rules.
between
formula
{x,=11
x2:=e2; e2 6
val
x2:=e2; swap[xl,
and a proof
quite
x2:=e2; e,
else xl:=el;
A XI=%}
are equivalences
var
e2 -
calling swap actually argumcllts. However,
if disjoint [T,T][x ~; X2] then
X2 -
int,
equivalence
formula,
ValOf[xl])
{x,=al
is also a deduction
the Hoare =
int,
var val
=
x,:=e,;
(xl:=el;
are discussed
t~
r
~
~,x2]=False}
(x,:=el;
r r
there
subgoals
to
expressions, we cannot even state What we cars show is that for any
(x,
-
– roughly
analogous
formula
swap[x,,xz]
r ~ r ~
(el -
of
swap works
are deductions
ValOf[xl])
(x,:=el;
rU{disjoint[T;r][x
x2:=e2; ValOf[xl]
which
the values
that
something
of our system
programming precisely this
swapping
to show
to prove
A x,=a,}
ni }
xl and Xt are disjoint
like
Since the formulas
as follows.
we show
disjoint[T,T][xl; =
(which
rule
or not
for
like
correctness
{x,=al
the other.
x2:=e2; ValOf [xl] =
Next,
contain
derived
detlnition
and if elimination xl:=el;
properly
would
we would
the Hoare-style
y, := ValOf[t]
function
We
whether
speaking, Intuitively same type
int] val int
Y* := ValOf[yl];
x2:=e2; ValOf [xl]
(x,:=el;
Swap[yl,yz: var
{ let t ., New[ ] in t := Va10f[y2];
expression
69
x2:=e2; let t .= New[ ] in t:= ValOf [x2]; x2:=Va10f [xl]; x2:= Va10f[t] ni
Now
let
motion
can be used to convert
through
this to
T. respectively.
S9 (record
type
We shall
use the signature
rule
signature)
let t =. New[ ] in xl:=el;
(A use of let
t:=ValOf[xz];
x2:=e~;
xz:=ValOf
[xl]; xl:=ValOf[t]
renaming
... I_ ~ legal
ni
may be required
➤
r
hereto
avoid
val Ti
(Ti; True) s
True
.
cap-
ture of free variables of e.) At this point we invoke the let substitution rule in its full generality. We first prove the
r
~
record
(...; fi:Ti;
...) N
val
type
subgoal The let t ,= New[ ] in disjoint ~nt,int] let t == New[ ] in True which
is straightforward;
(r,t–var
X2:==~2; t:=ValOf
ismoresubstantial
straightforward
to transform
(t:=ez;
xl:=el;
the first.
x2:=Va10f[x
disjoint[T,T][xl,x2]
s
From
the two
(C1O) allows equivalent
by using := assignments.
that
the original
which the evaluation
let
Structured
xz:=el;
type
r
➤
record
r
R
pure
no purpose
other
than
to ensure or nonter-
purity) (...; fi:Ti;
record
type
r
\
record
r
~
(record
. ..) -
val
(...; fi:Ti;
...)
null
type
effect)
(...; fi:Ti; ...) -
val type
(...; fi:Ti; ...). e) s
For this section, RR be a fixed
substitution is
without
error.
(...; fi:Ti;
...)
we let =~cf
record
e
and null effect rules, reflecting a record type value is indepen-
record
type
expression.
are the usual operations and variable allocation:
Associated
of assignment,
value
with
RR
extraction
:= : func[var RR; val RR] val RR ValOf : func[var RR] val RR
x1:=e2 ni
New : func[ ni; x2:=el;
xl:=ez using (V14).
In addition, arguThis
Variables
ables like records definition of records
for simple variables of composite vari-
or arrays. Below we present in Russell; arrays can be treated
expression
( fl:T1; .... f.:Tu
This is a slight — in particular,
the by a
are constructor
and field
selector
func-
Tn] val
Mk : func[val
Tl;
f~a’ : func[val
RR] val TI
fr
RR] var
: func[var
.. ..
val
RR
TI
for a record
type
has the form
)
purposes. Such fields fl through
f~i
: func[val
f~
: func[var
RR] val T. RR] var
T,
In Russell, function names can be overloaded – two or more fundt.ions can have the same name – as long % they have different types so they can be disambiguated. Thus, the identifying superscripts “var” and “val” on the field names are technically unnecessary. We retain them below for clarity.
simplification of the actual Russell syntax recursively defined types are not allowed –
but it will sufllce for our denotes a record type with
there
RR
.
approach.
A Russell
] var
tions:
equivalence.
The set of operations used above the basis of the characterization
record
restric-
expressions.
to eliminate
expression
let block can be eliminated (C18) and New inaccessible
gives us the desired
similar
this
in the face of erroneous
dent of the store and terminates
to
let t Z=New[ ] in t:=e2
forms
necessary,
to
is easily transformed
from ment
(V3)
above,
let t ==New[ ] in t:=e2; This
be pure and free
strictly
These are stand ard purity the fact that constructing
= True
subgoals
us to conclude
type
P19 (record
a-s in the
True
annihilation
major
the expressions
T,)
l]; xl:=ez)
The first case can be dealt with easily by reordering the assignments to xl and X2. The second case can be handled just as easily the unwanted
that
through
It is fairly
case in which a1ias[T,T][xl,x2]
not
of the rules
P18 (record
,
the left side to
x,:=e,;
While
demand
(Tl
of the Ti with
soundness minating
At this point we perform a case analysis. Just previous example, weobtain onecase in which
and another
occurrences
1-
ValOf[t])
than
rule
tion considerably simplifies the rules below; without it the conclusions of the rules would have to contain additional
= (t:=e2; x2:=e1; x,:=e2) subgoal
of this
of the fields
of side effects.
[x2];
xl:=
hypotheses
for the types
ni
[t,xi]=True}
x2:= Va10f{xl];
This
=
we then prove
int)U{disjoint~nt,int] (x,:-e,;
[t,xi] ni
To
specify
tor, we must tions. These
an expression f, of types T,
tions
70
the meaning
of the record
type
construc-
give meanings for each of the above operameanings are defined in terms of the opera-
for the types
Ti.
In the rules that
follow,
we use the
Ti$ :=,
notation
value
Ti$ValOf
extraction
and Ti$New
and allocation
for
functions
the assignment, for variables
V20 (field of
type Ti. Construction described
and field
by two simple
V14 (record
val
seleetion
for record
values
h
(..., xi -
r
~
f~’[Mk[...,
(el -
var
r
1-
(pure
e,, pure
r
~
contains [RR ,U][e1,e2] = ,,. v contains[Ti, U][f~[el],
This
rule
and
its
either construction)
- val RR pure e
r
Mk[..., f~’[e],
1-
additional
var -
rt--e
...] = e
aliases with
McCarthy restated
pure
r
~
ValOf[e]
there
field selector
purity
~ Mk[..., Ti$ValOf[f~[e]], and val
Note
that
k
f~[e]
-
r
~
pure
e
r
1--- pure
immediately
The
next
field selection
functions
relate
record
are purity
a record
in a record
or is contained
and null
functions.
var
in one
effect
rules
The var
for the
rules
Ti
few rules
describe
the aliasing
]] -
g) -
r
t-
(fi”%i
d = (e; d
appear
of
pure
r
~
disjoint[Ti,Tj]
all i#j.
variable
~
X:=C .- RR
}
pure
[f~[e],f~[e]]~
rule
~
(e,
r
l--
(pure
-
var
states
r
t-- x:=e be
from
~
True
that
the
one another.
of the preceding
containment
r
they
are
field
both
selector
it neither that vari-
we illustrate
that
the obvi-
e = Mfi[,,., f~[x]:=ffl’[e],
derived
~
from
first (V3)
fields Note
this
fact
G
is
(a))
rules.
Beginning from (V19) and :=
containment
...). x:=e (V15)
...). x:= Mk[..., f~][e],
evaluation
(C18)
to obtain ...]
this becomes
...). ... in Mk[,..,
ti, ,..] ni
Using let motion rules – note that e is pure and thus commutes with any expression – we obtain
ez)
contains[U,RR][el, e2] = f~[ez]] . A contains[UjTi][el,
...]
construction
let .... ti ❑, f~’[e];
U,e2 C- var RR)
el, pure
val
(...; f~[x]:=f~i[e];
rule.
above
(...; f~’r[x]:=f~t[e];
(...; f~[x]:=f~l[c];
By argument
of a record
the
use field to show
we then use record
are disjoint
not a consequence V19 (field
of new
e
This
but a var
example,
r
x:=e
l--
glance, though
Ti$NeW[ ]
disjoint)
r
first
– even
rule
I’
can
e w varRR
at
As an extended ously sound
x := e, we annihilation
~
strange
is passed a variable as an argument, nor modifies the value possessed by
field type. Thus, by new disjoint (V13), the fields records are disjoint from all existing variables.
r
S
and reasonable
This rule states that a field selected from a new record variable is indistinguishable from a new variable of the
V18 (field
(y~r))
able. behavior
variables.
f~[New[
effect
(f~[e];
function examines
new)
j-
,Iull
1-
may
rules V14 and V16.
f~[e]
r
sound
G Ti$ValOf[fY[e]]
from
the fields of record V17 (field
(field
...]
the identity
f~l[ValOf[e]]
+
between
is contained
(var))
r
P~3
e
to one another.
r
is nothing that
the entire
Finally,
conThe
rules for the LISP in Russell terms.
var RR
+
shows how the var
for
there
and var
P22 (field
selection)
r
r
that
– a variable
rule
V16 (record
follows
states
fields
ez] V ...
of the fields. val
These are the simple structors [McCmthy60]
var U)
ez)
alias [RR,U] [el,ez] V
Xj,...]] = xi
r~e r ~
RR,e2 -
are
rules:
val Ti, ...)
val
(b))
+
selection)
r
V15 (record
containment
r
-
let tl ==f~’[e];
.... t~.l .= f~~~[e];
t, ==(...; f~[x]:=f~’[e];
.... f~’[e])
in h{k[..., tij ...] ni
A It is easily shown
This rule states that a record variable contains all of its else – any variable fields, and that it contains nothing that contains all the fields contains the record.
(f~[x]
71
:=
that f~i[e];
f~’[e])
=
(f~[x]
:=
f~’[e])
Using
this
fact
and let
above expression
==
. ... ti == (f~[x]
let
n times
we can reduce
References
the
[Bockus78]
in Mk[...,
which
motion
to
by argument
:== f~’[e]); ti) . ..] ni
evaluation
Mk[
Ba.ckus, J. vonNeumann
.
,,,; (f~[x]
bra of programs. (C18) finally :=
f~a’[e]);
reduces
to
Boehm, paper
we have presented
and argued
It presents
This
sort
an equational
theory
rnathematica/
specification
of vari-
Boehm, can
be construed like Russell.
The tem.
logic
replacement
Most
to allow
of equational
equational
proofs
theory
presented
for
importantly,
here is certainly
a conventional there
of general
are no induction
properties
of program
to
ahoays
the system of variables;
a particularly pithy way ties of the programming
argues that it and this form
~
J.
(T;
Languages
Mathematical
Prentice-Hall,
Theory
Program
oj
1980.
A. and J. Donahue.
Type
completeness
as a
Symposium (1980), pp.
234-244.
Demers, A. for Russell. Science,
and J. Donahue. An equational theory TR-82-534, Department of Computer
Cornell
University,
1982.
[Dijkstra72]
[ ],e]
Programming,
Guttag, J. specification
produces a result that is and that applying New
effect.
Press, 1972.
In addition, as we noted above, the process of producing the equational theory led us to make some impor-
and J. Horning. of data types, Acts
The algebraic Injormatica 10
pp. 27-52.
[Hoare72] Hoare, C.A.R. Acts tations.
Proofs of correctness of data represenin/ormatica 1 (1972), pp. 271-281.
[Landin66] Landin,
The
P.J.
C.ACM
next
700 programming
languages.
9 (1966).
[Martin-Lof79] Constructive
tant changes in the language. It was only when we began to work on the theory that we found the need to introinto the programming duce alias, contains and disjoint language. We now consider these operations to be perquite
Academic
[Guttag78]
e; True)
and potentially
Programming
[Demers82]
(New[l; e)=e
natural
oj
proSym-
Dijkstra, E. Notes on structured programming. In Dahl, O-J., E.W. Dijkstra and C.A.R. Hoare, Struc-
which say very clearly that New disjoint from any other variable,
fectly
268-280.
Proceedings Seventh language principle. of Programming Languages on Principles
(1978),
has no other
pp.
131-140.
deBakker.
Demers,
and
r p
(1982),
[Demers80]
gives a complete of specification is
T
+
for expressions with side-effects. Symposium on Principles of Pro-
Principles
pp.
Correctness.
to get across important properlanguage to potential users. In
[int$New
of
[deBakker80]
rules such as
disjoint~nt,T]
on
(1978),
tured r
Ninth Languages
posium
correct-
attempts at informal description. When writing the informal description of Russell and explaining the language to others, we often found that describing New as “allocating a new variable” was inadequate. It is far more edifying to
I’~e-var
A logic
Cartwright, R. and D. Oppen. Unrestricted Proceedings I’ijth cedure calls in Hoare’s logic.
sys-
principles
particular, there are components of the Russell equational theory that present the language better than any of our
give inference
H.
gramming
its scope. On the other hand, the fact that it is possible to deduce the result of a terminating com-
putation in specification
An informal Department 1980.
[Cartwright78]
not a
Hoare-style
and J. Donahue.
of Russell. TR-80-430, Science, Cornell University,
Proceedings
ness. Theorems in this system can give the final results of program execution for particular inputs; but statements such as “ for any integer n, the program computes n!” are outside
H., A. Demers
[Boehm82]
and
cover all of even a very rich language
complete
1982.
description Computer
that
a useful
ables in Russell,
—
pp. 612-641.
[Boehm80]
Conclusions for Russell
(1978),
Bates, J. and R. Constable. The definition of pprl. TR-82-492, Department of Computer Science, Cornell
. .. ]
University,
In this
CXG’A421
[Bates82]
as desired
—
Can programming be liberated from the style? A functional style and its alge-
mathematics
ing.
Sizth
dology
and
International
and
oj Science,
Philosophy
computer
Congress
for
Logic,
Hanover,
programmMetho-
Germany
(1979). [McCarthy 60] hlcCarthy,
useful.
expressions I.
72
CACM
J. and
Recursive functions of symbolic their computation by machine, part
3 (1960),
pp.
184-195.
