This paper discusses the technique of structural induction for proving theorems about programs. This technique is closely related to recursion induction but makes use of the inductive definition of the data structures handled by the programs. It treats programs with recursion but without assignments or jumps. Some syntactic extensions to Landin's functional programming language ISWIM are suggested which make it easier to program the manipulation of data structures and to develop proofs about such programs. Two sample proofs are given to demonstrate the technique, one for a tree sorting algorithm and one for a simple compiler for expressions. (First received April 1968 and in revised form August 1968) Since the problem of proving that computer programs really do what their inventors allege them to do was discussed by McCarthy (1963), there has been considerable progress and proofs have been produced for non-trivial programs such as a simple compiler (Painter, 1967;

A consideration of several different examples sheds new light on the problem of ereat-ing reliable, well-structured programs that behave efficiently. This study focuses largely on two issues: (a) improved syntax for iterations and error exits, making it possible to write a larger class of programs clearly and efficiently without go to state-

This paper traces the important steps in the history --up to around 1990-- of research on reasoning about programs. The main focus is on sequential imperative programs but some comments are made on concurrency. Initially, researchers focussed on ways of verifying that a program satisfies its specification (or that two programs were equivalent). Over time it became clear that post facto verification is only practical for small programs and attention turned to verification methods which support the development of programs; for larger programs it is necessary to exploit a notation of compositionality. Coping with concurrent algorithms is much more challenging -- this and other extensions are considered briefly. The main thesis of this paper is that the idea of reasoning about programs has been around since they were first written; the search has been to find tractable methods.

This paper traces the important steps in the history --up to around 1990-- of research on reasoning about programs. The main focus is on sequential imperative programs but some comments are made on concurrency. Initially, researchers focussed on ways of verifying that a program satifies its specification (or that two programs were equivalent). Over time it has become clear that post facto verification is only practical for small programs and attention turned to verification methods which support the development of programs; for larger programs it is necesary to exploit a notion of composability.

Tupling is a transformation tactic to obtain new functions, without redundant calls and/or multiple traversals of common inputs. It achieves this feat by allowing each set (tuple) of function calls to be computed recursively from its previous set. In previous works by Chin and Khoo [8, 9], a safe (terminating) fold/unfold transformation algorithm was developed for some classes of functions which are guaranteed to be successfully tupled. However, these classes of functions currently use static-sized tables for eliminating the redundant calls. As shown by Richard Bird in [3], there are also other classes of programs whose redundant calls could only be eliminated by using dynamic-sized tabulation. This paper proposes a new solution to dynamic-sized tabulation by an extension to the tupling tactic. Our extension uses lambda abstractions which can be viewed as either dynamic-sized tables or applications of the higher-order generalisation technique to facilitate tupling. Significant speedups could be obtained after the transformed programs were vectorised, as confirmed by experiment.

This paper makes several contributions towards a clarified view of schema-based program development. First, we propose that schemata can be understood, formalized, and used in a simple way: program development schemata are derived rules. We mean this in the standard sense of a derived rule of inference in logic. A schema like Figure i can be formulated as a rule stating that the conclusion follows from the premises defining F, G, and the applicability conditions. By deriving the rule in an axiomatic theory, we validate a semantic statement about it: the conclusion of the rule holds in every model where both the axioms of the theory and the premises of the rule are true. Hence, by selecting a language to work in we control which development schemata are formalizable, and by selecting a theory we determine which schemata are derivable

Several descriptions of basically one transformation technique, viz. accumulation, are compared. Their basis, viz. the associativity and the existence of a neutral element inherent in a monoid, is identified. Keywords transformational programming, factorial, fast reverse, accumulation, continuations, lambda abstraction, generalisation, tail recursion, implementation of lists. This research has been sponsored by the Netherlands Organisation for Scientific Research (NWO), under grant NF 63/62-518 (the STOP --- Specification and Transformation Of Programs --- project). 1 Introduction One of the first program transformations that appeared in the literature was the accumulation transformation. The transformation is now classic, although not everyone may know it under exactly this name. In this note, I try to relate several descriptions of this program transformation technique. In a purely algebraic view, it is the exploitation of the properties of a monoid. In literature, it can be fou...

Several induction theorem provers have been developed which support mechanized verification of functional programs. Unfortunately, a major problem is that they often fail in verifying tail recursive functions (which correspond to imperative programs). However, in practice imperative programs are used almost exclusively. We present an automatic transformation to tackle this problem. It transforms functions which are hard to verify into functions whose correctness can be shown by the existing provers. In contrast to classical program transformations, the aim of our technique is not to increase efficiency, but to increase veriability. Therefore, this paper introduces a novel application area for program transformations and it shows that such techniques can in fact solve some of the most urgent current challenge problems in automated verification and induction theorem proving.

vation of semantics. When deriving from a program P1 a new program P2 by transformation, we need to preserve semantics, that is, we want Sem(P 1) = Sem(P 2) for some given semantic function Sem. Actually, we want the equivalence induced by Sem to be a congruence w.r.t. the operations which are used for building programs. This is an important engineering requirement, because for the maintenance and the enhancement of software products we have to allow for the substitution of software modules by new, better modules which satisfy equivalent specifications, and this substitution should not affect the semantics of the programs. For these reasons we look for compositional semantics, that is, semantics which can be defined as homomorphisms over the structure of the programs. Moreover, in order to allow for language evolution we look for tech