IEEE TRANSACTIONS ON SOFTWARE ENGINEERING, VOL. SE-7, NO. 5, SEPTEMBER 1981

On the Development of Correct Specified Programs

ANDRZEJ J. BLIKLE

Abstract-The paper describes a method of program development which guarantees correctness. Our programs consist of an operational part, called instruction, and a specification. Both these parts are subject to the development and refinement process. The specification consists of a pre- and postcondition, called the global specification, and a set of assertions, called the local specification. A specified program is called correct if: 1) the operational part is totally correct w.r.t. the pre- and postcondition, 2) the precondition guarantees nonabortion, 3) the local assertions are adequate for the proof of 1) and 2). The requirement of nonabortion leads to the use of a three-valued predicate calculus; we use McCarthy's calculus for that purpose. The paper contains a description of an experimental programming language PROMET-1 designed for our style of programming. The method is illustrated by the derivation of a bubblesort procedure.

Index Terms-Assertion-specified programs, bubblesort procedures, program correctness, program development, PROMET-1, sorting.

I. INTRODUCTION

THE PROBLEM of program correctness is frequently understood in too narrow a sense, as the problem of proving programs correct. It is implicit in this understanding that program development and program verification are two independent processes, the first of which must be completed before the second starts. The scheme "first develop, then prove" corresponds, perhaps, to the way of establishing simple mathematical theorems, but is certainly inadequate for the use of mathematics in engineering. Nobody would dare to suggest that a civil engineer postpone the calculations until his bridge has been constructed. Why then is a software engineer supposed to be an exception?
The present paper describes a method of programming where program correctness is systematically controlled during program development. Of course, in order to talk about correctness one must have a standard against which to measure this correctness, i.e., a specification, and a standard of how to measure this correctness, i.e., a satisfiability relation. In our method the specification consists of a precondition, a postcondition, and a set of local assertions. Strictly speaking we are dealing here with specified programs of the form

pre φ_pr IN post φ_po,

where φ_pr and φ_po are the precondition and the postcondition, respectively, and where IN is an instruction with nested assertions. Such a program is called correct if: 1) IN is totally correct w.r.t. φ_pr and φ_po, i.e., φ_pr guarantees nonlooping and φ_po is satisfied upon termination; 2) φ_pr guarantees nonabortion; 3) the assertions of IN are adequate for the proof of 1) and 2). It is essential in our method that in program development we construct and refine both the virtual program and the specification. All development rules must be sound, i.e., must preserve program correctness. At the same time they may quite substantially change program meaning.

Manuscript received December 11, 1980; revised March 10, 1981. This work was supported in part by PAS MFCS Grant MR.I/3-04.1.1 and the National Science Foundation under Grant MCS 77-09906. Early versions of this paper were presented at the International Conference on Formal Methods and Mathematical Tools for the Construction of Software, Oberwolfach, West Germany, January 1979, the International Conference on Mathematical Foundations of Computer Science, Olomouc, September 1979, and the Fourth International Conference on Software Engineering, Munich, West Germany, September 1979. The author is with the Institute of Computer Science, Polish Academy of Sciences, Warsaw, Poland.
This is in contrast to some other methods of program development where programs are developed from, rather than with, specifications [2], [5], [6], [11], [12]. The reason why we do not follow this style is twofold. First, in program development and maintenance one frequently has to change the specification. Programming is a creative art, and any specification which is given ahead may turn out to be inadequate or at least incomplete. Second, the development of programs from specifications requires the concept of an equivalence relation between programs. This leads to tedious technical problems, since any practically acceptable equivalence is not a congruence [6].

Another issue which is substantial in our approach is the three-valued predicate calculus of McCarthy [21], used as a pattern in the definition of the semantics of Boolean expressions. Besides the classical truth values true and false we admit a third value, undefined, which we need for an adequate treatment of abortion. Our rules for the evaluation of Boolean expressions are similar to those of many existing languages, e.g., Pascal [17].

In the present paper we describe an experimental, simplified programming language PROMET-1 oriented towards the systematic development of correct specified programs. We start in Section II with the concept of an abstract data type, which is fundamental for our style of programming. This is followed in Sections III and IV by the syntax and the denotational semantics of PROMET-1. Section V explains our two concepts of correctness: the global correctness of instructions and the correctness of specified programs. Program construction and modification rules are described in Section VI. In Section VII we give a detailed example of the derivation of a bubblesort procedure.

The idea of systematic program development is, of course, not new. Starting from Dijkstra [13] and Wirth [24] it has been advocated for many years and by many authors.
In the recent few years it started to evolve towards a more disciplined
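As an added illustration, not code from the paper or from PROMET-1, the following Python models the specified-program form "pre φ_pr IN post φ_po" and the three correctness conditions of Section I on a constructed linear-search instruction, with McCarthy's sequential 'and' mapping an aborting subexpression to the value undefined and a strict two-valued 'and' shown for contrast. The names search, pre, post, mc_and, strict_and and guard are this example's own, and the loop-invariant check is only a runtime check of the local assertion, not the proof-adequacy that condition 3 demands.

```python
UNDEF = None  # McCarthy's third truth value: the evaluation aborts

def guard(expr):
    """Evaluate a Boolean thunk; a runtime error is mapped to UNDEF."""
    try:
        return expr()
    except (IndexError, ZeroDivisionError):
        return UNDEF

def mc_and(p, q):
    """McCarthy's 'and': if p then q else false. q is a thunk, evaluated only
    when p is true; an undefined p makes the whole conjunction undefined."""
    if p is UNDEF:
        return UNDEF
    return guard(q) if p else False

def strict_and(p, q):
    """Two-valued strict 'and', for contrast: both operands are always evaluated."""
    qv = guard(q)
    return UNDEF if (p is UNDEF or qv is UNDEF) else (p and qv)

def pre(a, n):
    """Global precondition phi_pr (constructed): n is a valid bound for a."""
    return 0 <= n <= len(a)

def post(a, n, x, i):
    """Global postcondition phi_po: i is the first index of x in a[0..n-1], or i == n."""
    return (i == n or a[i] == x) and all(a[j] != x for j in range(i))

def search(a, n, x, conj, max_steps=1000):
    """Instruction IN: linear search with the loop guard 'i < n and a[i] != x'.
    Returns (i, 'ok' | 'abort' | 'loop'); the loop invariant is the local assertion."""
    i = 0
    for _ in range(max_steps):
        assert 0 <= i <= n and all(a[j] != x for j in range(i))  # local assertion
        g = conj(guard(lambda: i < n), lambda: a[i] != x)
        if g is UNDEF:
            return i, "abort"   # condition 2 violated: the guard has no value
        if not g:
            return i, "ok"
        i += 1
    return i, "loop"            # condition 1 violated: no termination

def correct(a, n, x, conj):
    """Conditions 1 and 2 on one input satisfying phi_pr: IN terminates
    without abort and phi_po holds on exit."""
    assert pre(a, n), "input outside the precondition"
    i, verdict = search(a, n, x, conj)
    return verdict == "ok" and post(a, n, x, i)
```

With the constructed input a = [3, 1, 4], n = 3 and a value x not in a, the guard at i = n evaluates to false under McCarthy's 'and' but to undefined under the strict 'and' (a[3] aborts), and with n = 5 the precondition is violated and even McCarthy's evaluation aborts, which is why φ_pr must guarantee nonabortion.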