Program Development by Stepwise Refinement and Related Topics

By N. GEHANI

(Manuscript received September 22, 1980)

Computer program development by stepwise refinement has been advocated by many people. We take another look at stepwise refinement in light of recent developments in programming languages and programming methodology such as abstract data types, correctness proofs and formal specifications, parallel programs and multiversion programs. We offer suggestions for the refinement process and discuss program maintainability.

The correct design of nontrivial programs and systems of programs is an intellectually challenging and difficult task. Often programs are designed with very little time spent on the design itself, the effort being concentrated on coding. This could be due to management's desire to see something working as soon as possible to be assured that work is progressing, or it could be due to the programmer's desire to "attack the problem right away." Not only is there no emphasis on design, the approach to it is also not systematic or disciplined. This results in programs that do not meet specifications in terms of correct output and performance requirements.

What we want is a programming methodology that puts some discipline and structure in the design process without stifling creativity. A programming methodology should:

(i) Help us master the complexity of the problem being solved and give some guidelines on how to formulate the problem solution.
(ii) Provide us with a written record of the design process. The design can then be read by others, and the design decisions can be appreciated or constructively criticized.
(iii) Result in programs that are understandable.
(iv) Lead to programs whose correctness can be verified by proof. Since proofs are difficult, the methodology should allow for a systematic approach to program testing.
(v) Be generally applicable and not restricted to a class of problems.
(vi) Allow for the production of efficient programs.
(vii) Allow for the production of programs that can be modified systematically.

In this tutorial we discuss a programming methodology called stepwise refinement and informally show that it satisfies these criteria.

I. STEPWISE REFINEMENT

Stepwise refinement is a top-down design approach to program development (first advocated by Wirth). Wirth really gave a systematic formulation and description of what many programmers were previously doing intuitively. According to Brooks, stepwise refinement is the most important new programming formalization of the decade. Stepwise refinement is applicable not only to program design but also to the design of complex systems.

In a top-down approach, the problem to be solved is decomposed or refined into subproblems which are then solved. The decomposition or refinement must be such that:

(i) The subproblems should be solvable.
(ii) A subproblem should be solvable with as little impact on the other subproblems as possible.
(iii) The solution of each subproblem should involve less effort than the original problem.
(iv) Once the subproblems are solved, the solution of the problem should not require much additional effort.

This process is repeated on the subproblems; of course, if the solution of a problem is obvious or trivial, then this decomposition is not necessary.

If $P_0$ is the initial problem formulation/solution, then the final problem formulation/solution $P_n$ (an executable program) is arrived at after a series of gradual "refinement" steps,

$P_0 \rightarrow P_1 \rightarrow P_2 \rightarrow \cdots \rightarrow P_n$.

The refinement $P_{i+1}$ of $P_i$ is produced by supplying more details for the problem formulation/solution $P_i$. The refinements $P_0, P_1, \ldots, P_n$ represent different levels of abstraction. $P_0$ may be said to give the most abstract view of the problem solution $P_n$, while $P_n$ represents a detailed version of the solution for $P_0$.

As an example of abstraction levels, consider a program that automates the record-keeping of an insurance company.
At the highest level of abstraction, the program deals with the insurance company as a unit. At succeeding lower levels of abstraction the program deals with

• different insurance categories (auto, home, life, etc.)
• groups of policies in the above categories
• individual policies in the above groups
• details of individual policies.

Each refinement $P_i$ consists of a sequence of instructions and data descriptions $P_{i1}, P_{i2}, \ldots, P_{in}$. In each refinement step, we provide more details on how each $P_{ij}$ is to be implemented. The refinement process stops when we reach a stage

(i) where all the instructions can be executed on a computer, or
(ii) where the instructions can be easily translated to computer-executable instructions.

Pictorially, the refinement process may be depicted as shown in Fig. 1. The final program is a collection of the nodes at the last refinement level $P_n$. The design can be probed at any desired level of detail $i$ ($0 \le i \le n$). Understanding the design process is aided by the fact that level $i$ provides an overview of levels $i + 1$ through $n$.

We illustrate the stepwise refinement process with annotated examples. The notation we will use for conveying our ideas will be Pascal-like and include guarded commands. PL/I will be used to show the executable version of some programs.

The guarded commands are

(i) Selection

    if b1 → SL1
    [] b2 → SL2
    ...
    [] bn → SLn
    fi

The bi's are called the guards (Boolean expressions) and the SLi's are statement lists. For a successful execution of the selection statement, at least one of the guards must be true. If only one guard is true, then the corresponding statement list is executed. If more than one guard is true, then one of the corresponding statement lists is selected nondeterministically (i.e., we cannot tell beforehand) and executed. If a = b, then both the guards are true and either of the statements max := a or max := b may be executed. Either way, the answer is right. This symmetry is aesthetically pleasing when compared to conventional deterministic programming.
(ii) Repetition

The loop is repeatedly executed as long as one of the guards is true. If one guard is true, then the corresponding statement list is executed. As in the selection statement, if more than one guard is true, then one of the corresponding statement lists is arbitrarily selected and executed.

Implementation of these statements in PL/I or Pascal will be deterministic. For example, in PL/I:

(i) Selection

    IF b1 THEN DO; SL1; END;
    ELSE IF b2 THEN DO; SL2; END;
    ...
    ELSE IF bn THEN DO; SLn; END;
    ELSE ERROR

(ii) Repetition

    ...
    IF b1 THEN DO; SL1; END;
    ELSE IF b2 THEN DO; SL2; END;
    ...
    ELSE IF bn THEN DO; SLn; END;
    ELSE GOTO LE;
    END;
    LE: ;

Note: These statements could be more conveniently implemented with SELECT and LEAVE statements using the new PL/I.

THE BELL SYSTEM TECHNICAL JOURNAL, MARCH 1981

II. EXAMPLES OF STEPWISE REFINEMENT

The examples used to illustrate stepwise refinement are small out of necessity. The reader is encouraged to apply stepwise refinement to larger problems.

Example 1

Write a program to simulate a week in John's life.

Initial refinement $P_0$:

    Simulate a week in John's life

If we were programming in a language that understood the above instruction, then we wouldn't have to refine further.

Refinement $P_1$:

    a: d := monday  {next day to be simulated is d}
    b: repeat
    c:    simulate day d in John's life
    d:    ...
    e: until week over

A refinement consists of programming language instructions mixed with English statements.

Refinement $P_2$:

Line c of $P_1$ is refined as

    Sleep until alarm goes off
    Go through morning ritual
    Spend the day
    Go through evening ritual
    Prepare to sleep

Line d is refined as

    if d = sunday → d := monday
    [] d ≠ sunday → d := SUCC(d)
    fi

where the Pascal function SUCC gives the next day in the range of days monday, tuesday, ..., sunday.

"until week over" is refined as "until d = monday".

Collecting these refinements of $P_1$'s instructions, we get refinement $P_2$:

    d := monday
    repeat
       Sleep until alarm goes off
       Go through morning ritual
       Spend the day
       Go through evening ritual
       Prepare to sleep
       if d = sunday → d := monday
       [] d ≠ sunday → d := SUCC(d)
       fi
    until d = monday
This collection can be done mechanically and we shall in general omit it.

"Spend the day" may be refined as

    if weekday → go to work
                 return home
    [] weekend → read newspaper
                 laze around
                 read book
                 watch TV
    fi

Similarly, the other instructions of $P_2$ may be refined and the refinement process continued to the desired level of detail. In the refinement we have tried to model processes of the problem domain. An initial decomposition might not be feasible or nice, in which case we back up and try another decomposition. We shall only present the final set of decompositions.

Example 2

Write a program that reads in a list of positive numbers $a_1, a_2, \ldots, a_n$ ($a_i \ge 0$) and prints the sum of all natural numbers up to each $a_i$, i.e., the sums $\sum_{i=0}^{a_1} i, \sum_{i=0}^{a_2} i, \ldots, \sum_{i=0}^{a_n} i$.

Initial refinement $P_0$:

    Print $\sum_{i=0}^{a_1} i, \sum_{i=0}^{a_2} i, \ldots, \sum_{i=0}^{a_n} i$

$P_1$:

    read a
    do while there exists data →
       Compute sum = $\sum_{i=0}^{a} i$
       Print sum
       read a
    od

Because we are aiming for an executable program in a sequential programming language, the refinement $P_1$ reflects the decision to read in an input element, compute its sum, print the sum, and then read another input element. Alternatively, had our target been a parallel computer, we would probably have read in all the input elements, computed the sums in parallel, and then printed them out. Many implicit decisions underlie every refinement.

$P_2$:

"while there exists data" is refined to

    not EOF

"Compute sum = $\sum_{i=0}^{a} i$" is refined to

    i := 0; sum := 0  {sum = 0 + 1 + 2 + ... + i}
    do i ≠ a → i := i + 1; sum := sum + i od

Let us now examine the concept of loop invariant. A loop invariant is an assertion about program variables; it statically captures the meaning of a loop, thus helping us understand it. Loop invariants are true before and after the execution of a loop, and before and after each execution of the loop body. Dijkstra suggests some ways of finding the loop invariant using the desired post-condition (state of variables after the loop terminates). The loop invariant can actually aid in determining the guards and the corresponding statement lists.
Let $I$ be the loop invariant

    sum = 0 + 1 + 2 + ... + i

$I$ is true initially because i = 0 and sum = 0. Evaluation of the guard i ≠ a does not affect $I$. The statement i := i + 1 destroys $I$, resulting in sum = 0 + 1 + ... + (i − 1). But sum := sum + i restores the validity of the invariant. When the guard evaluates to false, i.e., i = a, the loop terminates. Now in addition to $I$ being true we have i = a, implying the desired result sum = 0 + 1 + 2 + ... + a.

How can we demonstrate loop termination? For this we must show the existence of a function, initially ≥ 0, whose value is decreased by one every time the loop is executed. When this function becomes = 0, we stop. Such a function is a − i; executing i := i + 1 decreases its value by 1. When a − i = 0, we have i = a, which is when the guard evaluates to false and the loop terminates.

Continuing the refinements we get

$P_3$:

    read a
    do not EOF →
       {compute sum = $\sum_{i=0}^{a} i$}
       i := 0; sum := 0  {sum = 0 + 1 + 2 + ... + i}
       do i ≠ a → i := i + 1; sum := sum + i od
       Print sum
       read a
    od

$P_4$ in PL/I:

    SUM: PROC OPTIONS(MAIN);
       DCL (A,     /* NEXT INPUT ELEMENT */
            I,     /* LOOP VARIABLE */
            SUM    /* SUM=0+1+...+I */
           ) FIXED DEC,
           EOF BIT(1) INIT('0'B);
       ON ENDFILE(SYSIN) EOF='1'B;
       GET LIST(A);
       DO WHILE (¬EOF);
          I=0; SUM=0;
          DO WHILE (I¬=A);
             I=I+1;
             SUM=SUM+I;
          END;
          PUT SKIP LIST('SUM UPTO', A, 'IS', SUM);
          GET LIST(A);
       END;
    END SUM;

Example 3

Write a program to determine the maximum element value of an m × n array A (m, n ≥ 1).

$P_0$:

    determine the max element value of A

$P_1$:

    i := 0  {last row examined}
    initialize max  {max is the maximum element of rows 1..i; this is I1, the loop invariant}
    do all rows not examined →
       i := i + 1
       max := maximum(row i, max)
    od

$P_2$:

"initialize max" is refined to

    max := A[1, 1]

"all rows not examined" is refined to

    i ≠ m

"max := maximum(row i, max)" is refined as

    j := 0  {max = maximum of rows 1..i−1 and elements 1..j of row i; loop invariant I2}
    do all elements of row i not examined →
       j := j + 1
       max := MAX(max, A[i, j])
    od

I2 is the loop invariant.
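The invariant I and termination function a − i of Example 2, and the invariants I1 and I2 of Example 3, checked at run time in Python. This is an added example, not code from the original paper; the function names are assumptions, and indices are 0-based, so the paper's A[i, j] is `A[i - 1][j - 1]` here.

```python
# Added example: run-time checks of the paper's loop invariants.
# Function names are hypothetical; indices are 0-based, unlike the paper.

def sum_upto(a):
    """Example 2 inner loop: do i != a -> i := i + 1; sum := sum + i od."""
    if a < 0:                       # with a < 0 the guard i != a never fails
        raise ValueError("a must be >= 0 for the loop to terminate")
    i, total = 0, 0
    assert total == sum(range(i + 1))        # I holds initially
    while i != a:
        variant = a - i                      # termination function, >= 0
        i += 1                               # destroys I ...
        total += i                           # ... and this restores it
        assert total == sum(range(i + 1))    # I: sum = 0 + 1 + ... + i
        assert 0 <= a - i == variant - 1     # decreased by exactly one
    return total                             # I and i == a: 0 + 1 + ... + a


def matrix_max(A):
    """Example 3, refinement P2: nested loops checked against I1 and I2."""
    m, n = len(A), len(A[0])
    i, mx = 0, A[0][0]                       # max := A[1, 1]
    while i != m:                            # all rows not examined
        i += 1
        j = 0
        while j != n:                        # elements of row i not examined
            j += 1
            mx = max(mx, A[i - 1][j - 1])    # max := MAX(max, A[i, j])
            # I2: max of rows 1..i-1 and elements 1..j of row i
            seen = [x for row in A[:i - 1] for x in row] + A[i - 1][:j]
            assert mx == max(seen)
        # I1: max is the maximum element of rows 1..i
        assert mx == max(x for row in A[:i] for x in row)
    return mx


if __name__ == "__main__":
    print(sum_upto(5))                           # constructed input
    print(matrix_max([[3, 9, 2], [7, 1, 8]]))    # constructed input
```

The explicit check for a < 0 matters because the guard is i ≠ a rather than i < a: the termination function a − i must start out ≥ 0, which the problem statement guarantees for its inputs.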
As an exercise, the reader should try to show that the loops leave I1 and I2 invariant, i.e., unchanged.

$P_3$:

"all elements of row i not examined" is refined as

    j ≠ n

"max := MAX(max, A[i, j])" is refined as

    if max ≥ A[i, j] → skip
    [] max < A[i, j] → max := A[i, j]
    fi

where skip denotes the null statement.

The iterative feature is the most important feature of a programming language. The do ... od construct allows us to express algorithms clearly and succinctly. The above example could have been done better had the author not used the do ... od construct to just simulate the while statement. Making fuller use of the do ... od construct, we get the following program for the above problem:

$P_1'$:

    i := 0  {number of rows examined so far}
    j := 0  {number of elements of row i + 1 examined so far}
    initialize max  {max is the maximum of all the elements in the first i rows and the first j elements of row i + 1}
    do i < m rows and j < n elements of row i + 1 examined →
          j := j + 1
          max := MAX(max, A[i + 1, j])
    [] i < m rows and all elements of row i + 1 examined →
          move to the next row
    od

    i := 0; j := 0
    max := A[1, 1]  {max is the maximum of all the elements in the first i rows and the first j elements of row i + 1}
    do j < n and i < m → j := j + 1
                         max := MAX(max, A[i + 1, j])
    [] i < m and j = n → i := i + 1; j := 0
    od

Gries also shows that the do ... od construct usually eliminates the need for loop exits necessary in programs that use the while statement.

Example 4

The Touch-Tone® telephone provides an easy but limited means of communicating with a computer (see Fig. 2). The problem is to write a program that provides a simple adding machine to the user. For example:

    User input:       offhook 1 # 52 # 65 onhook
    System response:  "one" ...

The characters # and * represent + and =, respectively.

The following modules are available to the programmer:

• SPEAK(string)—provides an audio response for the number represented by the string