Axiomatic Basis for Computer Programming

This paper considers a formal method, known as axiomatic semantics, used to prove the correctness of a computer program. This formal method extracts, using some proof rules, the mathematical verification conditions from a computer program. The axioms of program flow, including, sequential flow, iteration, and alternation flows are presented. Using the axiomatic basis the completeness of two variants of integer multiplication program is proved. Results show that computer programs can actually be verified sufficiently for correctness without necessarily testing them, or more practically put, to complement their testing.


Introduction
Computer programming is consisted in the designing, writing, testing, debugging, and maintaining of the source code of computer programs. It employs one or more programming languages. Programming occurs at the implementation phase of the software development life cycle (SDLC) [1].
Usually, the choice of a programming language is subject to, amongst other factors, the task for which the program is meant, and the efficiency with which the language helps programs written in it to execute. Different programming languages support different style of programming Basically, there are fundamental properties that must be satisfied by every program. Some of these include reliability, which is a measure of the correctness of the program result; usability, depicting the ease of use of the program for its intended purpose; portability, the ability of a program to run on different platforms; maintainability, the ability of a program to be modified, upgraded, or improved upon [1]; and robustness, the ability of a program to withstand unusual conditions [2]; to mention but few. Reliability is closely tied to the correctness of the algorithm, and the amount of errors present in the program codes. Its validity relies on the variable values before the initiation of the program [3].
Hence, considering the preconditions and post conditions, one can prove the correctness of a program (or part of it). This system is known as axiomatic semantics [4]. This paper focuses on self-evident basis for proofs of some program properties.

Background of Study
In the software development lifecycle (SDLC), one of the most important stages is the test phase, as shown in Figure 1. At this phase, the software is verified to ascertain its capability to do what it is expected to do under all conditions. It is at this stage that design and implementation flaws are supposed to be detected [5]. Testing thus incorporates debugging, which is the process of finding and removing errors (bugs) in a program [6].  [5] The higher the algorithmic complexity of a program is, which invariably determines how complex a program is, the more likely there would be errors in the program. Program testing is often rigorous, especially for very large and complex programs. Except in small programs, testing cannot prove the correctness of a program. Testing only exposes errors in the codes. And in most cases, errors in a program never cease to be exhausted.
Consequently, the need for other complementary methods of achieving correctness of program cannot be overemphasi zed. These formal methods and the intuitive judgment of programmers can mutually support each other [7] One of the formal methods used for proving program correctness is the axiomatic method [7]. The word axiomatic connotes self-evidence, obviousness. An axiomatic method has the potency of providing basis for measuring the quality of a programming language [7].

Statement of Problem
The conventional way of ascertaining the correctness of programs has always been through the testing for error detection and removal. The less the amount of error detected and successfully removed the more correct the program is deemed. However, for large and complex programs, this method has never proved adequate. In addition to the rigor usually associated with the exercise, it hardly exposes all the bugs (errors) in the program codes. Therefore, it is expedient to seek other methods of establishing program correctness.
A formal method of proving correctness of a computer program involves the use of axioms of discrete mathematics as basis for logical reasoning to extract from and prove the mathematical verification conditions of the program.

Review of Related Works
There have been considerable advances in the quantity and quality of methods deduced to prove the correctness of programs. While each had some strengths there were always limitations in their uses. For instance, though recursion induction, structural induction, and interpretation of flowcharts methods were applicable for proving correctness of programs that contained repetitions, the first two dealt with programs that achieved repetition by recursion, while the last one with programs that achieved by jumps and assignment [8]. Floyd's method has been used in proving correctness of programs in flow diagram form [9], Floyd-Hoare logic in proving imperative programs [10]. Burstall [9] extended Floyd's method to handle lists processing commands, while [11] used the inductive assertion method for multiprocess programs.
Some methods focused on the type of programs. Nakamura [12] proved the correctness of functional programs using Mizar, a popular proof checker. Basically, proof checkers contain library of mathematical models, lemmas and theorems. The checker works by relating the semantics of programs to the models. On the other hand, [10] considered modular functional programs.
Another method of classifying these methods is in whether they prove partial or total correctness of programs. Total correctness simply is consisted in partial correctness plus termination of loops [10,13,14]. Floyd-Naur's and structural induction methods, and Hoare logic are used for partial correctness, while Floyd's method, the extended Hoare logic is used for total correctness [14].

Mathematical Foundations
Axiomatic basis for information flow in computer programming was considered. The axioms (proof rules) for sequential program flow, considering the assignment statement; iteration program flow, considering the while…do and do…while statements; and the decision (alternation) flow, considering the if…else statement are presented.

Definition of Notations
ⅰ. { } is used to express relationship between a precondition (A), a program {B}, and a postcondition (C). It is interpreted "If the assertion A is true before initiation of a program B, then the assertion C will be true on its completion" [3].
implies that if logical statements A1,…An are true, then so is B [17].

Axiom of Assignment
Consider an assignment statement: = Where is a variable identifier, and is an expression of a programming language.
The precondition entails an assertion A(f), which must have been true of the expression f , before the assignment is made. With this in place, A(x) is said to be true. This is expressed as:

Axiom for Iteration (while…do)
Consider the statement: while P do Q To deduce an axiom, suppose L is an assertion invariant over execution of P. P becomes false when the iteration terminates. Hence, the axiom for iteration is given as: L is called the loop invariant. It is an assertion that is usually true before the loop is initiated; it remains true after every execution of the loop; and also at the end of the loop.

Axiom for Iteration (do…while)
Consider the statement: do Q while P This is similar to the case in the while…do statement except that in this case the statement in the loop would have been executed first before the condition is tested. This means that if the condition is found to be false at the end of the first iteration, the embedded statement would have been executed once. This is given as:

Axiom for Alternation
Consider the statement: if P then Q 1 else Q 2 Axiomatically, this is represented as:

Prove of Correctness of Program for Integer Multiplication
Two different programs for integer multiplication are proved using some of the axioms for integers. The first one uses the method of repeated addition.
Although simple programs are used here, using axioms to prove correctness of programs, on a large scale, basically complements the intuitive judgment of programmers in program testing. Based on the axiomatic definition for iteration (also known as loop):

Program for Integer Multiplication by Repeated Addition
We look for a loop invariant that is true before, within and outside the loop. This, when combined with the exit condition, produces the assertion that follow the loop (that is, the postcondition). The structure is illustrated in Figure 2 (redrawn from [18]): The loop invariant involves a relationship between unvarying variables within the loop. In a while condition, it also incorporates the loop condition, however, in a modified form. The modification is often necessary to accommodate the exit case of the loop [18].
For this problem, we can discover the loop invariant be examining how × is derived. If we let = 3 and = 4, we have:

70
Axiomatic Basis for Computer Programming We can deduce that + ( × ) = × . Also, we modify our loop condition to accommodate the exit case, = 0 . Hence, we have ≥ 0. We can therefore say that our loop invariant is: To show that the loop invariant is initially true, we derive it from the initialization commands and the precondition. is odd ( = 2 + 1) . Remember that / denotes integer division.

Axiomatic Proof
For this problem, to get the loop invariant, we also see how × is calculated, using small numbers. We consider both possible cases consequent upon the if statement. If we let = 3 and = 4, we have: On the other hand, If we let = 4 and = 3, we have: We can also deduce that + ( × ) = × . Modifying our loop condition, we have ≥ 0 . We discover in this case too that our loop invariant is:

Summary
In this paper, some axioms of program properties, including, sequential flow, iteration (for while…do and do…while control statements), and alternation flows were stated. And using the axioms as basis the completeness of two variants of integer multiplication program was proved.

Conclusion
The use of axioms and rules of inference to prove the correctness of a program (or part of it), are meant to complement the intuitive judgment of programmers. As a matter of fact, both are best utilized when they mutually support each other.
Today, there are other methods for establishing program correctness. These include new branches of applied discrete mathematics to formalize programming concepts, and different forms of logic to simplify reasoning. For corecursive programs, they can be proved using fixpoint induction, coinduction, approximation lemma, or fusion methods [19]. As a matter of fact, there are currently computer applications used for proving correctness of programs. These include ESC/Java [20], SPARK, eCv (MISRA-C), Spec# [21], and Dafny [22].
This paper primarily focuses on the axiomatic method of proving correctness. Further works may include using the same method to prove more complex programs, or using other methods to verify the correctness of the two integer multiplication programs presented.