TL;DR: A more powerful deductive system, in some sense complete for partial correctness, is defined; a crucial axiom provides for the use of auxiliary variables, which are added to a parallel program as an aid to proving it correct.
Abstract: An axiomatic method for proving a number of properties of parallel programs is presented. Hoare has given a set of axioms for partial correctness, but they are not strong enough in most cases. This paper defines a more powerful deductive system which is in some sense complete for partial correctness. A crucial axiom provides for the use of auxiliary variables, which are added to a parallel program as an aid to proving it correct. The information in a partial correctness proof can be used to prove such properties as mutual exclusion, freedom from deadlock, and program termination. Techniques for verifying these properties are presented and illustrated by application to the dining philosophers problem.
TL;DR: It is proved that an effective testing strategy which is reliable for all programs cannot be constructed and a method for analyzing the reliability of path testing is introduced.
Abstract: A set of test data T for a program P is reliable if it reveals that P contains an error whenever P is incorrect. If a set of tests T is reliable and P produces the correct output for each element of T then P is a correct program. Test data generation strategies are procedures for generating sets of test data. A testing strategy is reliable for a program P if it produces a reliable set of test data for P. It is proved that an effective testing strategy which is reliable for all programs cannot be constructed. A description of the path analysis testing strategy is presented. In the path analysis strategy data are generated which cause different paths in a program to be executed. A method for analyzing the reliability of path testing is introduced. The method is used to characterize certain classes of programs and program errors for which the path analysis strategy is reliable. Examples of published incorrect programs are included.
TL;DR: This paper explains, in an introductory fashion, the method of specifying the correct behavior of a program by the use of input/output assertions and describes one method for showing that the program is correct with respect to those assertions.
Abstract: This paper explains, in an introductory fashion, the method of specifying the correct behavior of a program by the use of input/output assertions and describes one method for showing that the program is correct with respect to those assertions. An initial assertion characterizes conditions expected to be true upon entry to the program and a final assertion characterizes conditions expected to be true upon exit from the program. When a program contains no branches, a technique known as symbolic execution can be used to show that the truth of the initial assertion upon entry guarantees the truth of the final assertion upon exit. More generally, for a program with branches one can define a symbolic execution tree. If there is an upper bound on the number of times each loop in such a program may be executed, a proof of correctness can be given by a simple traversal of the (finite) symbolic execution tree. However, for most programs, no fixed bound on the number of times each loop is executed exists and the corresponding symbolic execution trees are infinite. In order to prove the correctness of such programs, a more general assertion structure must be provided. The symbolic execution tree of such programs must be traversed inductively rather than explicitly. This leads naturally to the use of additional assertions which are called "inductive assertions."
TL;DR: In this article, the authors explore a technique for proving the correctness and termination of programs simultaneously, which they call the intermittent-assertion method. It involves documenting the program with assertions that must be true at some time when control is passing through the corresponding point, but need not be true every time.
Abstract: This paper explores a technique for proving the correctness and termination of programs simultaneously. This approach, which we call the intermittent-assertion method, involves documenting the program with assertions that must be true at some time when control is passing through the corresponding point, but that need not be true every time. The method, introduced by Knuth and further developed by Burstall, promises to provide a valuable complement to the more conventional methods. We first introduce and illustrate the technique with a number of examples. We then show that a correctness proof using the invariant assertion method can always be expressed using intermittent assertions instead, but argue that the reverse is not always the case. The method can also be used just to prove termination, and any proof of termination using the conventional well-founded sets approach can be rephrased as a proof using intermittent assertions. Finally, we show how the method can be applied to prove the validity of program transformations and the correctness of continuously operating programs. This research was supported in part by the Advanced Research Projects Agency of the Department of Defense under Contract DAHC15-73-C-0435, by the National Science Foundation under Grant GJ-36146, by the Office of Naval Research under Contract N00014-75-C-0816, and by a grant from the United States-Israel Binational Science Foundation (BSF), Jerusalem, Israel.
TL;DR: An overview of the current state of the PSI automatic program synthesis system is presented and the design considerations are discussed.
Abstract: This paper presents an overview of the current state of the PSI automatic program synthesis system and discusses the design considerations. The PSI system allows a user to specify a desired program in a dialogue using natural language and traces. PSI then synthesizes a program meeting these specifications. The target programs are simple symbolic computation programs in LISP. PSI may be described as a knowledge-based program understanding system. It is organized as a collection of closely interacting modules, or experts in the areas of natural language, discourse, traces, application domain, high-level program modelling, coding, and efficiency. An implementation effort is underway and several modules are now working.
TL;DR: This paper introduces a technique whereby test data can be used in proving program correctness, and in addition to simplifying certification of correctness, this method simplifies the process of providing specifications for a program.
Abstract: Proofs of program correctness tend to be long and tedious whereas testing, though useful in detecting errors, usually does not guarantee correctness. This paper introduces a technique whereby test data can be used in proving program correctness. In addition to simplifying certification of correctness, this method simplifies the process of providing specifications for a program. The applicability of this technique to procedures, recursive programs, and modular programs is demonstrated.
TL;DR: This paper defines a practical procedure for assessing the reliability of programs written using structured programming techniques, and considers that a certain degree of verification is attained with a given set of tests, according to the number of paths actually traversed.
Abstract: This paper deals with the problem of assessing the reliability of programs written using structured programming techniques and having undergone a certain amount of testing. A program is said to be verified if, for a given set of tests, it can be shown that every case of interest has been tested. As this end is, however, unattainable, we will consider, in the following, that a program is verified if one can prove that all the logic paths in the program flow graph have been traversed. Therefore, we will consider that a certain degree of verification is attained with a given set of tests, according to the number of paths actually traversed. This degree of verification, which is a non-decreasing function of the number of tests, can be considered as an assessment of program reliability. The degree of verification attained through experiments can then be deduced from the images of experiments in the program flow graph. This paper defines a practical procedure to perform such an evaluation.
TL;DR: This paper explores the notion of using source-to-source transformations interactively as a basis for an approach to program improvement and refinement.
Abstract: By manipulating programs to reorganize the way they compute their results, it is possible to improve program performance in certain desirable directions. Further, using certain laws of exchange, it is possible to transform concise, abstract, high-level programs into efficient, concrete, underlying representations. This paper explores the notion of using source-to-source transformations interactively as a basis for an approach to program improvement and refinement. Examples of program manipulation are presented that convey both the flavor of the approach and its requirements.
TL;DR: A collection of program transformations and a model of the compilation process in terms of source-to-source transformations are presented, and a description of the application of these ideas to an existing programming language is given.
Abstract: We treat a program as an object of manipulation, determine items of program constancy, and simplify the program based on the constancy. Some motivation for program manipulation is presented, along with two examples of “higher level optimization” written in an Algol-like language. A collection of program transformations and a model of the compilation process in terms of source-to-source transformations are presented. Finally a description of the application of these ideas to an existing programming language is given.
TL;DR: In this paper, the authors apply control structure abstraction to backtracking, a technique for solving combinatorial problems; in the context of efficiency, the abstraction provides sufficient conditions for correctness of an initial program which may subsequently be improved for efficiency while preserving correctness.
Abstract: Backtracking is a well-known technique for solving combinatorial problems. It is of interest to programming methodologists because 1) correctness of backtracking programs may be difficult to ascertain experimentally and 2) efficiency is often of paramount importance. This paper applies a programming methodology, which we call control structure abstraction, to the backtracking technique. The value of control structure abstraction in the context of correctness is that proofs of general properties of a class of programs with similar control structures are separated from proofs of specific properties of individual programs of the class. In the context of efficiency, it provides sufficient conditions for correctness of an initial program which may subsequently be improved for efficiency while preserving correctness.
TL;DR: The previously developed basic theory is extended by defining alternative verification systems and comparing them with the Hoare rules, deriving several types of useful rules from the basic systems, and showing an ordering on verification systems.
Abstract: The verification rules proposed by Hoare are an example of a system which can serve as the basis for a mathematical theory of partial correctness of programs. The purpose of this paper is to extend the previously developed basic theory by (i) defining alternative verification systems and comparing them with the Hoare rules, (ii) deriving several types of useful rules from the basic systems, (iii) showing an ordering on verification systems, (iv) discussing how semi-interpreted program schemas play the role of theorems in a more fully developed theory, (v) formulating a notion of correctness-preserving program transformations and giving a procedure for their use. These extensions provide a more flexible and efficient methodology for proving partial correctness of programs and point to the potential of a mathematical theory which effectively organizes knowledge about programs.
TL;DR: A method for compiler testing using symbolic interpretation is presented, a cross between program proving and program testing, useful in demonstrating that programs are correctly translated from a high level language to a low level language thereby improving the reliability of the compiler.
Abstract: A method for compiler testing using symbolic interpretation is presented. This method is a cross between program proving and program testing. It is useful in demonstrating that programs are correctly translated from a high level language to a low level language thereby improving the reliability of the compiler. The term symbolic interpretation is used to describe the process of obtaining an intermediate form of the low level language program that is suitable for further processing by a proof system. Symbolic interpretation is the heart of the system and enables the recording of a transcript of all computations in the program. This process interprets a set of procedures which describe the effects of machine language instructions corresponding to the target machine on a suitable computation model. The highlights and limitations of the process as well as future work are discussed in a framework of a specific LISP implementation on a PDP-10 computer.
TL;DR: Three different classes of programs are identified for which the proof of correctness is shown to be “natural”, in that the functional input-output specifications of the programs lead, in a straightforward manner, to the verification conditions that should be proven.
Abstract: Three different classes of programs are identified for which the proof of correctness is shown to be “natural”, in that the functional input-output specifications of the programs lead, in a straightforward manner, to the verification conditions that should be proven. Furthermore, these verification conditions are shown to be necessary and sufficient so that a proof/refutation follows by proving/disproving the corresponding verification conditions. It is not necessary to follow the exact control flow of the programs to generate these conditions; certain simple checks are enough to show whether a particular program belongs to one of the classes. These apparently different programs have the common feature that they operate “uniformly” on the data domain; changing the input to the program changes the dynamic behavior of the program in a predictable, easily definable fashion. Implications of this feature in program construction are discussed.
TL;DR: A system is proposed which, when implemented, will be able to understand mathematical FORTRAN programs, such as those in the IBM Scientific Subroutine Package, and which can aid in debugging a program by detecting errors in it and by locating the features of the program which are responsible for an error.
Abstract: This paper proposes a system which, when implemented, will be able to understand mathematical FORTRAN programs, such as those in the IBM Scientific Subroutine Package. The system takes, as input, a program and annotation of the program. In order to understand the program, the system develops a 'plan' for it. The plan specifies the purpose of each feature of the program, and how these features cooperate in order to create the behavior exhibited by the program. The system can use its understanding of the program to answer questions about it including questions about the ramifications of a proposed modification. It is also able to aid in debugging the program by detecting errors in it, and by locating the features of the program which are responsible for an error. The system should be of significant assistance to a person who is writing a program. (Author)
TL;DR: An automatic data collection facility has been implemented as part of a PL/1 compiler at the University of Maryland and will evaluate some of the characteristics of some of the 25,000 programs that have been run since July, 1975.
Abstract: There is currently considerable interest in the computing community in the evaluation of computer programming. However, in order to objectively evaluate such concepts, it is necessary to undertake a thorough evaluation of the programming process itself. Most previous studies of this type have analyzed, by hand usually, a few instances of programs. This has led to some general conjectures; however, the amount of information that must be processed precludes any large scale analysis. In order to avoid this problem, an automatic data collection facility has been implemented as part of a PL/1 compiler at the University of Maryland. This system automatically collects information on each program that has been compiled - at almost no additional cost to the user of the compiler. This paper will describe the system and will evaluate some of the characteristics of some of the 25,000 programs that have been run since July, 1975.
TL;DR: There is a strong interaction between coding and efficiency knowledge which necessitates a corresponding complexity in the communication mechanism in the synthesis phase of the PSI system.
Abstract: This paper discusses how the synthesis phase of the PSI system constructs programs from high level program models by using coding knowledge and efficiency knowledge. In our preliminary implementation, these knowledge bases are separated into distinct modules, the coding expert and the efficiency expert. We describe how the coding expert uses rule-based programming knowledge to produce alternative algorithm and data structure choices, and how the efficiency expert selects the best choice by estimating the costs of the alternatives using analysis of algorithm techniques. Communication between the modules centers around descriptions of partially developed programs which are produced by the coding expert and analyzed by the efficiency expert. Our system has implemented several small programs. From our experience with these modules, we conclude that there is a strong interaction between coding and efficiency knowledge which necessitates a corresponding complexity in the communication mechanism.
TL;DR: A solution method which uses “Cocke-Allen interval” analysis is presented and extensions of this method to other global flow analysis problems are described.
Abstract: The “profitability” of code optimizations is defined in terms of a Markov model of program flow. A system of linear equations for the expected frequency of execution of blocks of a program is derived. A solution method which uses “Cocke-Allen interval” analysis is presented and extensions of this method to other global flow analysis problems are described.
TL;DR: The relation between data base translation and application program conversion is described, the program conversion tasks and their possible automation are identified, and a semi-automatic approach to the conversion problem is proposed.
Abstract: Advancement in hardware and software technologies and changes in the use environment of data base management systems often require that the data bases and their associated application programs be translated and converted in order to take advantage of newer technologies and new application needs. Research must be conducted to find efficient techniques for automatic or semi-automatic application program conversion, so that the expense and time involved in manual rewriting of application programs can be avoided.
This paper (1) describes the relation between data base translation and application program conversion, (2) identifies the program conversion tasks and their possible automation, (3) explores the techniques for solving the conversion problem through computer aided analysis of application programs, and (4) discusses and illustrates the data mapping operators useful for data base translation and their effects on program conversion. A semi-automatic approach to the conversion problem is proposed. It divides the conversion into two stages of analysis: data sublanguage statement analysis and conversion, and host language program analysis and conversion. Some conversion tasks and their analysis techniques are identified and described.
TL;DR: A program verification system has been developed consisting of three major components: the verification condition generator, the subgoal generator, and the subgoal solver, a resolution theorem prover which was developed at NIH by L. Norton.
Abstract: A program verification system has been developed consisting of three major components. The verification condition generator (which is patterned after the work of Igarashi, London, and Luckham [10]) is used to generate verification conditions from asserted PASCAL programs. The subgoal generator (which is similar to the program described in [2]) processes the verification conditions to produce simpler subgoals, a significant number of which it proves using restricted techniques. The subgoal solver is a resolution theorem prover which was developed at NIH by L. Norton [13]. The more powerful techniques of the subgoal solver are used to prove subgoals which the subgoal generator was unable to prove. The verification system has been used to verify a number of programs. These include all but one of the examples from King [11], a Bubble Sort program, and Hoare's FIND program.
TL;DR: A specification of the monitor primitives that have been proposed for mutual exclusion and interprocess communication in operating systems is verified to be correct and the proofs of correctness use the axiomatic definition of this language.
Abstract: A specification of the monitor primitives that have been proposed for mutual exclusion and interprocess communication in operating systems is verified to be correct. The specification is given in the PASCAL programming language and the proofs of correctness use the axiomatic definition of this language. Two aspects of correctness are considered: the correctness of the program implementation of the primitives and the correctness as viewed by the processes that execute the monitor primitives.
TL;DR: This presentation will explore three popular testing methodologies which employ simulation techniques and the differences in error detection capability resulting from these different choices of simulated execution will be examined.
Abstract: Simulation is proving to be a valuable technique in testing computer programs. By simulating different aspects of a program's execution and structure it is possible to detect errors and sometimes demonstrate the absence of certain errors in the program. This presentation will explore three popular testing methodologies which employ simulation techniques. Each methodology is based upon a different type of simulation of the program. The differences in error detection capability resulting from these different choices of simulated execution will be examined. Finally a method for using the best characteristics of each technique in a general validation system will be presented.
TL;DR: This paper proves the correctness of a program written for the Litton C4000 airborne computer using the inductive assertion method of Floyd (1967), suitably modified and extended for application to a machine-language situation.
Abstract: Over the past five years, our research efforts have been devoted in large part to developing techniques for proving the correctness of assembly-language and machine-language programs running on actual computers. In this paper, we report upon an effort to put this work into practice by proving the correctness of a program written for the Litton C4000 airborne computer. This includes overflow analysis, non-self-modification analysis, round-off and truncation analysis, fixed-point scaling considerations, and analysis of the sub-routine parameter and return-address conventions used in the given program. The basic method we use is the inductive assertion method of (Floyd, 1967), suitably modified and extended for application to a machine-language situation.
TL;DR: Verification serves as an evaluator of language designs by asking how one might verify a language feature, or more generally, by asking what are appropriate axiomatic definitions or proof rules for the language.
Abstract: The interactions between program verification and language design are deeper than just providing assertion statements. Experience with this interaction has been provided by the designs of two programming languages, Euclid and Alphard, each of which has verification as one of its important goals. Verification concerns in Euclid were important in controlling, for example, the use of global variables, aliasing, and pointers. In Alphard verification exposed the need for specification of the various objects and operations, and at the same time focussed attention on programming methodology concerns that would otherwise have been missed. Verification serves as an evaluator of language designs by asking how one might verify a language feature, or more generally, by asking what are appropriate axiomatic definitions or proof rules for the language. Even if programs are not verified, the concern for verifiability leads both to better language designs and to better program designs.
TL;DR: This article proposes a procedure for using the MIR-2 computer for analyzing programs written in the ANALITIK language, as adapted to the authors' own situation.
Abstract: This article proposes a procedure for using the MIR-2 computer for analyzing programs written in the ANALITIK language [1]. Our work was done in conjunction with the development of a programming technology oriented toward the creation of program systems that is currently in progress in the Division of the Theory of Digital Automata, Institute of Cybernetics, Academy of Sciences of the Ukrainian SSR. Our techniques are those presented in [2-4], as adapted to our own situation; the procedure is illustrated by examples.
TL;DR: The length equation is shown to hold for program parts (modules) as well as for program wholes (the total program) for a compiler composed of fourteen modules.
Abstract: The length equation for programs, initially suggested by M.H. Halstead, has been studied and experimentally verified by several independent investigators. The sets of programs tested have ranged over a variety of programming languages and program sizes. While such studies have tested the equation for programs taken as a whole, there have been no studies on the length equation when applied to individual modules within a program. This paper provides such a study for a compiler composed of fourteen modules. The length equation is shown to hold for program parts (modules) as well as for program wholes (the total program).
TL;DR: This program is aimed at applying computer science and technology to areas of high DoD/military impact and researching aspects of protocols for the interconnection of computer communication networks, specifically the design and prototype implementation of an internetwork computer message system and the design of internetwork host and gateway protocols.
Abstract: This program is aimed at applying computer science and technology to areas of high DoD/military impact. Research areas include: Specification Acquisition from Experts--study of acquiring and using program knowledge for making informal program specifications more precise; Military Message Experiment--development of an experimental user-oriented message service for potential large-scale military use; Program Verification--logical proof of program validity; Network Secure Communication--work on low-bandwidth, secure voice transmission using an asynchronous packet-switched network; Command and Control Graphics--development of a device-independent graphic system and graphics-oriented command and control applications programs; Autopsy--research program on source-to-source program translation combining automatic techniques with an interactive system to provide the human manager complete control over the translation process; Programming Research--development of a major time-shared microprogramming facility with an extension for emulation of microprocessors; Protection Analysis--methods of assessing the viability of security mechanisms of operating systems; Distributed Sensor Networks--developing algorithms and communication protocols to support the operation of geographically distributed sensors; and Internetwork Concepts--exploring aspects of protocols for the interconnection of computer communication networks, specifically the design and prototype implementation of an internetwork computer message system and the design of internetwork host and gateway protocols.
TL;DR: The concept of determinism no longer has its significance in this semantic context, because the focus is on the nature of the computation, and hence the concept of iteration, and not how the program iterates, becomes a dominant concern here.
Abstract: In this paper, formal semantics of program constructs are defined by the predicate transformers introduced by Dijkstra [3,4]. A predicate transformer is a mapping which transforms a set of states after the execution of a program to the set of all possible states before the execution of the same program. Thus, the concept of determinism no longer has its significance in this semantic context. Rather, the focus is on the nature of the computation, and hence the concept of iteration, and not how the program iterates, becomes a dominant concern here.