TL;DR: The reasons for mechanizing program analysis are presented, and a system, Metric, which is able to analyze simple Lisp programs and produce closed-form expressions for their running time in terms of input size, is described.
Abstract: One means of analyzing program performance is by deriving closed-form expressions for their execution behavior. This paper discusses the mechanization of such analysis, and describes a system, Metric, which is able to analyze simple Lisp programs and produce, for example, closed-form expressions for their running time expressed in terms of size of input. This paper presents the reasons for mechanizing program analysis, describes the operation of Metric, explains its implementation, and discusses its limitations.
TL;DR: This tutorial describes the problems involved and the methods that can be used to satisfy the test requirement of selecting test cases in such a way that each and every branch in the flowchart will be traversed at least once during the test.
Abstract: One of the practical methods commonly used to detect the presence of errors in a computer program is to test it for a set of test cases. The probability of discovering errors through testing can be increased by selecting test cases in such a way that each and every branch in the flowchart will be traversed at least once during the test. This tutorial describes the problems involved and the methods that can be used to satisfy the test requirement.
TL;DR: Some of the reasoning and programming capabilities of a projected synthesis system are described and the modification of an already existing program to solve a somewhat different problem has been found to be a powerful approach.
TL;DR: The predicate calculus formalization of the partial correctness properties of programs is recast as a semantic language definition using Knuth's semantic method and it is suggested that the most effective use of CPTs is by identification of schematic forms.
Abstract: This paper extends the predicate calculus formalization of the partial correctness properties of programs (Ki, Go) to include the preservation of correctness under program transformations. The general notion of "program transformations which preserve properties" is fundamental to the theory of programming and programming languages. In the context of proofs of program correctness, transformations which preserve correctness can be used to improve less efficient, but easier to prove, programs. The basic argument in the use of correctness-preserving program transformations (hereafter CPTs) is: Assume that G is a program (with attached assertions) which has been proved correct with respect to some input-output relation Ain-Aout. Now suppose that S is some part of G, e.g. an expression, assertion, statement, etc., which is to be replaced by some other such part S' to produce the program G'. The goal is to prove that G' is also correct with respect to Ain-Aout and therefore the replacement preserves overall program correctness. Moreover, if the replacement has only a local effect, e.g. the body of a loop, then the proof of correctness-preservation should be restricted to that part of the program affected by the replacement. Section 2 reviews the current paradigm for proving program correctness. An example in section 3 illustrates CPTs in a sequence of improvements on a correct and simple, but inefficient, initial program. In section 4, the formalization of partial correctness properties of programs is recast as a semantic language definition using Knuth's semantic method (Kn1). This formalization is then used in section 5 to describe the mechanics of performing CPTs. In section 6, several questions about the formalization of sections 4 and 5 are discussed and a generalization is proposed. Finally, section 7 returns to a concrete example and suggests that the most effective use of CPTs is by identification of schematic forms. Related work is mentioned in section 8.
TL;DR: This paper is an initial progress report on the development of an interactive system for verifying that computer programs meet given formal specifications based on the conventional inductive assertion method.
Abstract: This paper is an initial progress report on the development of an interactive system for verifying that computer programs meet given formal specifications. The system is based on the conventional inductive assertion method: given a program and its specifications, the object is to generate the verification conditions, simplify them, and prove what remains. The important feature of the system is that the human user has the opportunity and obligation to help actively in the simplifying and proving. The user, for example, is the primary source of problem domain facts and properties needed in the proofs. A general description is given of the overall design philosophy, structure, and functional components of the system, and a simple sorting program is used to illustrate both the behavior of major system components and the type of user interaction the system provides.
TL;DR: One person's perspectives of program verification and its relation to some aspects of reliable software are presented and the main verification method of inductive assertions is illustrated.
Abstract: One person's perspectives of program verification and its relation to some aspects of reliable software are presented. The main verification method of inductive assertions is illustrated with several variations of one detailed example; a second example shows a surprisingly simple inductive assertion proof of an iterative tree traversal example. Briefly discussed also are the implicit assumptions of most verifications, proving termination, the creating of assertions, and languages in which to write assertions. An abstract overview is given of existing program verification systems together with a sample list of verified programs. A short bibliography is included.
TL;DR: A general model for domains of programming knowledge in terms of schema, transformations, and derivation rules is described and a methodology for constructing and proving correct programs based on knowledge is illustrated.
Abstract: Dijkstra suggests in his “Notes on Structured Programming” that program schema and theorems about their correctness may describe the way that programmers understand programming. This paper follows up his suggestion by describing a general model for domains of programming knowledge in terms of schema, transformations, and derivation rules. The model is illustrated by the results of a case study of the knowledge about 10 programs which use arrays. The model and case study illustrate a methodology for constructing and proving correct programs based on knowledge which is independently expressed and partially proved in an abstract form and which can be applied in a stepwise way.
TL;DR: The paper investigates methods for applying an online interactive verification system designed to prove properties of PASCAL programs using techniques for developing a debugged and verified version starting from an incomplete program.
Abstract: The paper investigates methods for applying an online interactive verification system designed to prove properties of PASCAL programs. The methodology provides techniques for developing a debugged and verified version starting from an incomplete program.
TL;DR: Techniques for the automatic discovery of relationships of inclusion and membership on which automatic data-structure choice may be based are set forth and known techniques of data-flow analysis and of logical program analysis are extended.
TL;DR: The purpose of this paper is to develop formal specifications for a nontrivial program in order to facilitate a proof of correctness.
Abstract: In the author's view structured programming consists of the use of the following: structure, abstraction, and specification. The purpose of this paper is to develop formal specifications for a nontrivial program in order to facilitate a proof of correctness. It is shown how the specifications serve as an abstraction for the program. A proof of correctness then consists of merely showing that the program at each level meets its formal specifications. Under this methodology lower levels of the program can be changed without affecting higher levels.
TL;DR: An invariant tree is defined, and it is shown how it can be used to change the program in order to guarantee correctness, and if the attempt is unsuccessful, two alternative approaches are suggested and compared.
Abstract: We present the germ of an idea for automatically correcting logical errors in programs by manipulating the invariants of the program. An invariant tree is defined, and we show how it can be used to change the program in order to guarantee correctness. Debugging could be incorporated into a verification system which would first try to prove the correctness of the program. If the attempt is unsuccessful, two alternative approaches are suggested and compared. In the first, we try directly to correct the invariants and - through these - the statements, taking the calculated risk of modifying an already correct program. In the second approach, we initially prove incorrectness, and only then try to correct the program, by invalidating this proof.
TL;DR: This paper presents some techniques for characterizing data structures which can be used to build adequate assertions and shows how these concepts can be integrated into proofs of correctness, and the proofs as well as the assertions can be dramatically simplified.
Abstract: In order to prove the correctness of a computer program, one must be able to characterize the data in the program. Proofs by the inductive assertion method require the construction of concise, precise assertions to describe the data. This paper presents some techniques for characterizing data structures which can be used to build adequate assertions. New primitive relations are introduced for describing intra-structural relationships. These primitives form the basis for two important concepts: The invariant of a structure is a concise characterization of a structural class. A representation function is a mapping from a structure to a corresponding abstract data object; this concept provides a means for expressing relationships between a structure and other data, and among the values of a structure over time. By means of verification lemmas, these concepts can be integrated into proofs of correctness, and the proofs as well as the assertions can be dramatically simplified. An example program is presented which demonstrates the use of these concepts in constructing the assertions, and the resulting proof of correctness is outlined.
TL;DR: The STRUCT system utilizes the flexibility of a powerful graphics display system to provide a set of tools for program analysis that is currently being used to predict and analyze the performance advantages available through the migration of function between levels of software and between software and firmware within the BUGS.
Abstract: The STRUCT system utilizes the flexibility of a powerful graphics display system to provide a set of tools for program analysis. These tools allow the analysis of the static program structure and the dynamic execution behaviour of programs within the entire operating system user program environment of the Brown University Graphics System (BUGS). Information is collected and presented in a manner which fully exploits two aspects of this environment. First, the operating system has been developed in a well-structured hierarchical manner following principles laid down by other researchers. Second, the programs under analysis have been written in a structured programming language following coding conventions which make available, at the source code level, valuable program control information. This system is currently being used to predict and analyze the performance advantages available through the migration of function between levels of software and between software and firmware within the BUGS.
TL;DR: Techniques are presented for the design of computer programs that are proved to meet stated specifications, using the simultaneous step-wise refinement of both the program and its proof so that at each step the program constructed so far is proved.
Abstract: Techniques are presented for the design of computer programs that are proved to meet stated specifications. The design strategy is the simultaneous step-wise refinement of both the program and its proof so that at each step the program constructed so far is proved. At each step, the specifications for a single program unit are given, the unit is designed, and then proved, by automatically supportable methods, before going on to successive steps. The proof i) shows that the program unit meets its specifications, ii) exhibits any assumptions the unit makes about the problem domain, and iii) defines the specifications for units to be designed in later steps. The design process is based on the refinement of operational and data abstractions in both the program and its specifications. These abstractions are what allow the proof at each step to be supported by automatic, or interactive, program proving systems. The abstractions also keep the proofs of the individual units at an appropriate level of abstraction and also largely independent, thus significantly reducing the size of the complete proof of the entire program. These techniques of provable programming are illustrated by two examples.
TL;DR: The impact of user-defined data types on program provability, i.e., on showing that the program does what it is supposed to do, is discussed.
Abstract: One of the most important current software issues is reliability, and accordingly, a major criterion of programming language design must be that the language contribute to the production of reliable programs. Although there are other important aspects of software reliability (e.g., fault tolerance), the most fundamental is program correctness: does the program do what it is supposed to do? A language can contribute to this goal by enhancing the provability of its programs. This paper discusses the impact of user-defined data types on program provability.
TL;DR: The state of the art of these two approaches to program verification and the relationship between them are reviewed, and a number of ways in which program verification can be introduced into the computer science curriculum are suggested.
Abstract: “Program verification” is generally defined as the process of ascertaining and demonstrating that a program is correct, i.e., that a program satisfies a given set of specifications. The most common method of verifying a program is by testing, the process of executing a program for a set of selected inputs and inferring from the results of those executions that the program is correct for all possible inputs. In practice today, a few programs are being proved correct but the most common method of program verification is still testing. Both methods are unreliable in different ways, but when combined, their complementary relationship can provide a high degree of assurance that programs are correct. The purpose of this paper is (1) to review the state of the art of these two approaches to program verification and the relationship between them, and (2) to suggest a number of ways in which program verification can be introduced into the computer science curriculum.
TL;DR: Techniques are described for automatically creating a computer program from example calculations which are done in scratch pad fashion at a computer display, so programs can be created, debugged, and modified without the user ever knowing or seeing any traditional language syntax.
Abstract: Techniques are described for automatically creating a computer program from example calculations which are done in scratch pad fashion at a computer display. The correct program is synthesized even though certain indexing instructions are omitted by the user as he executes the sample calculation. The created program can be tested, debugged, and modified by running examples at the display terminal, observing the program behavior, and forcing by hand a change in behavior if errors are observed. Thus programs can be created, debugged, and modified without the user ever knowing or seeing any traditional language syntax. Most of the methods discussed have been programmed and tested extensively.
TL;DR: The Arizona Radiation Trace (APART) as discussed by the authors is a computer program that is able to efficiently and accurately predict the off-axis rejection characteristics of unwanted stray radiation for complex rotationally symmetric optical systems.
Abstract: A description and operating instructions for the Analysis Program Arizona Radiation Trace (APART) are given. This is a computer program that is able to efficiently and accurately predict the off-axis rejection characteristics of unwanted stray radiation for complex rotationally symmetric optical systems. The program first determines the critical objects or areas that scatter radiation to the image plane either directly or through imaging elements: this provides the opportunity to modify, if necessary, the design so that the number of critical areas seen by the image plane is reduced or the radiation to these critical areas is minimized. Next, the power distribution reaching the image plane and a sectional power map of all internal surfaces are computed. Angular information is also provided that relates the angle by which the radiation came into a surface to the angle by which the radiation is scattered out of the surface.
TL;DR: In this article, the authors take the proverbial bull by the horns and present criteria they feel are necessary for realistic program planning, arguing that most educators are shortsighted in planning curriculum design.
Abstract: Convinced that most educators are shortsighted in planning curriculum design, these writers take the proverbial bull by the horns and present the criteria they feel are necessary for realistic program planning.
TL;DR: The statements of a program do not always provide sufficient information for proving its correctness, so the algorithm implemented by the program must often be proved with pure mathematical techniques or exhaustive enumeration.
Abstract: The statements of a program do not always provide sufficient information for proving its correctness. The correctness of the algorithm implemented by the program must often be proved with pure mathematical techniques or exhaustive enumeration. An example program is presented for which the correctness proof of the program is trivial provided that the correctness of the underlying algorithm can be demonstrated. The program can be viewed as an abstraction of a quadratic hash algorithm. It is used at the end of the paper to encode the algorithm most efficiently.
TL;DR: A program-analysis method that can be used to effectively determine the logical structure of a program, explicate the computation a program will perform, and show the equivalence of programs is described.
Abstract: Described in this paper is a program-analysis method that can be used to effectively determine the logical structure of a program, explicate the computation a program will perform, and show the equivalence of programs. Applications to the problem areas in test-case generation, proving program correctness, and translation of “GOTO” programs into “GOTO-less” programs are discussed.
TL;DR: Program schemes - basic definitions and concepts; program schemes - basic properties; structured programs; correctness and program verification; decision problems; recursion schemes.
Abstract: Program schemes - basic definitions and concepts.- Program schemes - basic properties.- Structured Programs.- Correctness and program verification.- Decision problems.- Recursion schemes.- Monadic recursion schemes.
TL;DR: Techniques for the automatic discovery of relationships of inclusion and membership on which automatic data-structure choice may be based are set forth and extend known techniques of data-flow analysis and of logical program analysis.
TL;DR: This work proposes that a program can be more effectively tested by executing it "symbolically," supplying symbols rather than specific constants as input values to the program under test, and describes the design and implementation of an interactive debugging/testing system called EFFIGY.
Abstract: The current approach for testing a program is, in principle, quite primitive. Some small sample of the data that a program is expected to handle is presented to the program. If the program produces correct results for the sample, it is assumed to be correct. Much current work focuses on the question of how to choose this sample. We propose that a program can be more effectively tested by executing it "symbolically." Instead of supplying specific constants as input values to a program being tested, one supplies symbols. The normal computational definitions for the basic operations performed by a program can be expanded to accept symbolic inputs and produce symbolic formulae as output. If the flow of control in the program is completely independent of its input parameters, then all output values can be symbolically computed as formulae over the symbolic inputs and examined for correctness. When the control flow of the program is input dependent, a case analysis can be performed producing output formulae for each class of inputs determined by the control flow dependencies. Using these ideas, we have designed and implemented an interactive debugging/testing system called EFFIGY.