TL;DR: This paper presents a method for systematically converting control dependences to data dependences in this fashion by eliminating goto statements and introducing logical variables to control the execution of statements in the program.
Abstract: Program analysis methods, especially those which support automatic vectorization, are based on the concept of interstatement dependence where a dependence holds between two statements when one of the statements computes values needed by the other. Powerful program transformation systems that convert sequential programs to a form more suitable for vector or parallel machines have been developed using this concept [AllK 82, KKLW 80]. The dependence analysis in these systems is based on data dependence. In the presence of complex control flow, data dependence is not sufficient to transform programs because of the introduction of control dependences. A control dependence exists between two statements when the execution of one statement can prevent the execution of the other. Control dependences do not fit conveniently into dependence-based program translators. One solution is to convert all control dependences to data dependences by eliminating goto statements and introducing logical variables to control the execution of statements in the program. In this scheme, action statements are converted to IF statements. The variables in the conditional expression of an IF statement can be viewed as inputs to the statement being controlled. The result is that control dependences between statements become explicit data dependences expressed through the definitions and uses of the controlling logical variables. This paper presents a method for systematically converting control dependences to data dependences in this fashion. The algorithms presented here have been implemented in PFC, an experimental vectorizer written at Rice University.
TL;DR: The presented approach aims to exercise use-definition chains that appear in the program by checking liveness of every definition of a variable at the point(s) of its possible use.
Abstract: Some properties of a program data flow can be used to guide program testing. The presented approach aims to exercise use-definition chains that appear in the program. Two such data oriented testing strategies are proposed; the first involves checking liveness of every definition of a variable at the point(s) of its possible use; the second deals with liveness of vectors of variables treated as arguments to an instruction or program block. Reliability of these strategies is discussed with respect to a program containing an error.
TL;DR: The structure of an existing optimizer for the very high-level, set theoretically oriented programming language SETL is described, and its capabilities are illustrated.
Abstract: The structure of an existing optimizer for the very high-level, set theoretically oriented programming language SETL is described, and its capabilities are illustrated. The use of novel techniques (supported by state-of-the-art interprocedural program analysis methods) enables the optimizer to accomplish various sophisticated optimizations, the most significant of which are the automatic selection of data representations and the systematic elimination of superfluous copying operations. These techniques allow quite sophisticated data-structure choices to be made automatically.
TL;DR: A broader analysis of metric sensitivity to the structuring rules was conducted, and the conclusions reached differ greatly from those previously advocated in the literature; i.e., the metrics under consideration are shown to be relatively insensitive to program structure.
TL;DR: In this article, the authors present a framework for using analysis and searching knowledge to guide program synthesis in a stepwise refinement paradigm, and a particular implementation of the framework, called libra, is described.
TL;DR: Significant advances have come from recent advances in verification, program transformations, syntax directed editing systems, and high level languages that represent partial solution to the problems stated above, and could eventually be integrated into a single system.
Abstract: Ten years ago Cheatham and Wegbreit [4] proposed a transformational program development methodology based on notions of top-down stepwise program refinement first expressed by Dijkstra [10] and Wirth [45]. A schema describing the process of this methodology is given in fig. 1. To develop a program by transformation, we first specify the program in as high a level of abstraction and as great a degree of clarity as our programming language admits. This high level problem statement program P is proved correct semimechanically according to some standard approach (see Floyd and Hoare [15, 21]). Next, using an interactive system equipped with a library of encoded transformations, each of which maps a correct program into another equivalent program, we select and apply transformations one at a time to successive versions of the program until we obtain a concrete, low level, efficient implementation version P'. The goals of transformational programming are to reduce programming labor, improve program reliability, and upgrade program performance. In order for labor to be reduced, the effort required to obtain P, prove it correct, and derive P' by transformation should be less than the effort required to code P from scratch, and also to debug it. Program reliability will be improved if P can be certified correct, and if each transformation preserves program meaning. Finally, program performance will be upgraded if transformations are directed towards increased efficiency. Experimental transformational systems that emphasize one or more aspects of the methodology outlined above have been implemented by Cheatham [5], Darlington [3], Loveman [27], Standish [41], Feather [14], Huet and Lang [11], and others.
However, all of these systems fall short of the goals, because of a number of reasons that include: (1) inability to mechanize the checking of transformation applicability conditions; (2) reliance on large, unmanageable collections of low level transformations, and long arduous derivation sequences; (3) dependency on transformations whose potential for improving program performance is unpredictable; (4) use of source languages insufficiently high level to accommodate perspicuous initial program specifications and powerful algorithmic transformations. Yet, convincing evidence that this new methodology will succeed has come from recent advances in verification, program transformations, syntax directed editing systems, and high level languages. These advances, discussed below, represent partial solution to the problems stated above, and could eventually be integrated into a single system. (1) The transformational approach to verification was pioneered by Gerhart [19] and strengthened by the results of Schwartz [39], Scherlis [36], Broy et al [2], Koenig and Paige [26, 31], Blaustein [1], and others. Due mainly to improved technology for the mechanization of proofs of enabling conditions that justify application of transformations, this approach is now at a point where it can be effectively used in a system. Such mechanization depends strongly on program analysis, and, in particular, on reanalyses after a program is modified. Attribute grammars [24] have been shown to be especially useful in facilitating program analysis [23]. Moreover, Reps [34] has discovered an algorithm that reevaluates attributes in optimal time after a program undergoes syntax directed editing changes (as are allowed on the Cornell Synthesizer [43]).
He has implemented his algorithm recently, and has reported initial success. (2) There are encouraging indications that a transformational system can be made to depend mainly on a small but powerful collection of transformations applied in top-down fashion to programs specified at various levels of abstraction from logic down to assembler. We envision such a system as a fairly conventional semiautomatic compiler in which classes of transformations are selected semimechanically in a predetermined order, and are justified by predicates supplied mechanically but proved semimanually. Of particular importance is nondeterminism removal which as formulated by Sharir [40] could lead to a technique for turning naive, nondeterministic programs into deterministic programs with emergent strategies. Such programs could then be transformed automatically by finite differencing [13, 16, 17, 18, 29, 30, 31] and jamming [28, 31, 20] (which we have implemented) into programs whose data access paths are fully determined. The SETL optimizer could improve these programs further by automatically choosing efficient data structure representations and aggregations. (3) Of fundamental importance to the transformations just mentioned is the fact that they can be associated with speedup predictions. Fong and Ullman [16] were the first to characterize an important class of algorithmic differencing transformations in terms of accurate asymptotic speedup predictions, e.g., they gave conditions under which repeated calculation of a set former {x in s | k(x)} could be computed on O(#s) + cost(k) steps. By considering stronger conditions and special cases for the boolean valued subpart k, Paige [31] later gave sharper speedup predictions (e.g., either O(1) steps for each encounter of the set former or a cumulative cost of O(#s) steps for every encounter) associated with another differencing method.
Both Morgenstern [28] and Paige [31] prove constant factor improvements due to their jamming transformations (implemented by Morgenstern for the improvement of file processing, and by Paige for the optimization of programs). Constant factor speedup has also been observed for data structure selection by the method of basings but a supporting analytic study has not been presented [8, 37]. (4) Essential to the whole transformational process is a wide spectrum programming language (or set of languages) that can express a program at every stage of development from the initial abstract specification down to its concrete implementation realization. Since transformations applied to programs written at the highest levels of abstraction are likely to make the most fundamental algorithmic changes, it is important to stress abstract features in our language. In addition to supporting transformations, the highest level language dictions should support lucid initial specifications, verification, and even program analysis. Of special importance is SETL [38, 9], because its abstract set theoretic dictions can model data structures and algorithms easily, because its philosophy of avoiding hidden asymptotic costs facilitates program analysis, because its semantics conforms to finite set theory and can accommodate a set theoretic program logic, and because it is wide spectrum. As is evidenced by the work of Schwartz, Fong, Paige, and Sharir, SETL is also a rich medium for transformation.
TL;DR: This paper describes code motion, common subexpression elimination and induction variable detection, and may be used as a compiler intermediate form or simply as a model for program analysis.
Abstract: A new program representation is presented which permits certain optimizations to be performed at less expense than with other forms. This paper describes code motion, common subexpression elimination and induction variable detection. Scalar propagation and constant folding are sketched here, but detailed elsewhere. The powerful code motion strategy allows entire regions of the program to be moved. The representation described may be used as a compiler intermediate form or simply as a model for program analysis. It has great potential for use in translation for parallel machines.
TL;DR: By analyzing a user's thought processes during a debugging session, a source level symbolic debugger for HP-1000 computer systems is created, creating a powerful and easy to use tool for program analysis.
Abstract: This paper deals with issues that have emerged as a result of a successful implementation of a source level symbolic debugger for HP-1000 computer systems. By analyzing a user's thought processes during a debugging session we created a powerful and easy to use tool for program analysis.
TL;DR: A proof of correctness system to be used for improving the reliability of certain small, real-time programs and it appears that many of the problems of past systems can be avoided.
Abstract: Despite the attractiveness of the concept, attempts to date to use proof of correctness techniques on production software have been generally unsuccessful. The obstacles encountered are not fundamental. We have implemented a proof of correctness system to be used for improving the reliability of certain small, real-time programs. It appears that many of the problems of past systems can be avoided. This work is supported by the Long Range Research Program of the Ford Motor Company, Dearborn, Michigan.
TL;DR: By analyzing a user's thought processes during a debugging session to create a powerful and easy to use tool for program analysis, this paper deals with issues that have emerged after a successful implementation of a source level symbolic debugger for HP-1000 computer systems.
Abstract: This paper deals with issues that have emerged as a result of a successful implementation of a source level symbolic debugger for HP-1000 computer systems. By analyzing a user's thought processes during a debugging session we created a powerful and easy to use tool for program analysis.
TL;DR: This paper presents a method for proving the partial correctness of programs with the following features: strongly typed expressions with call-by-value semantics for variables; iteration; recursive procedures with call-by-name semantics; nondeterminism; parallel assignment; and good old fashioned go-to's.
TL;DR: This paper critically analyzes some of the methods in use for reorganizing a program to improve its paging performance and proposes a new approach that is experimentally shown to produce better results.
TL;DR: The relationship between machine organization and control program design in high-end commercial computer systems is discussed, and the criterion is cost/performance, subject to achieving an acceptable performance level.
Abstract: This paper discusses the relationship between machine organization and control program design in high-end commercial computer systems. The criterion is cost/performance, subject to achieving an acceptable performance level. A brief discussion of the environment expected for the design and operation of high-end commercial computer systems is outlined, followed by a discussion of machine organization techniques which are classified and reviewed to permit a qualitative evaluation of the degree to which control program intent is exploited in machine organization. The thesis is developed next, using a hierarchical model which illustrates the contention that architecture has acted as a barrier to communication between the control program and machine organization. Examples of techniques that exploit knowledge of the intent of the control program and comments on the methodology that might be used to investigate such techniques follow. Directions for further research are then proposed.
TL;DR: It seems to be much more important to train programmers in informal mathematical proving than in formal logical proving, and to stress that, essentially, proving program correctness is as easy or difficult as is actual informal, mathematical proving theorems.
Abstract: The problem: How to convince programmers and computer science students that the proving of correctness of their programs is a way of program verification, which is feasible to anybody who has some experience with systematic thinking and reasoning (represented by some mathematical or engineering training)? The question: Why even good programmers and good computer science students hesitate to learn and to use correctness proving? An answer: One of the reasons may be the fact that in last years much more frequently formal (formalized) proofs of correctness are studied from pure logical point of view, based on Hoare's proof rules and notation [Hoar69] (e.g., a tutorial [Haki76], or [OwGr76], or a textbook [Bakk80], or [ApFR80], etc.), rather than informal (usual mathematical) proofs based on original Floyd's approach [Floy67] elaborated, in more details, in another textbook [Mann74] concerning program scheme theory. As a consequence there is a perception by programmers that each program correctness proving must be formal with a lot of special notation making it incomprehensible. A solution: Frequently to present informal program correctness proofs of programs, which assume deep knowledge of the problem solved, in a very similar way as there are collected proofs of mathematical theorems, and to stress that, essentially, proving program correctness is as easy or difficult as is actual informal, mathematical proving theorems. It seems to be much more important to train programmers in informal mathematical proving than in formal logical proving (in accordance with [Aust 79] but contrary to [Srie 80]). 1. Formalisation, formal versus informal proofs in mathematics In the development of mathematics (computer science), first a conjectured theorem is discovered (an algorithm or program is designed), and only later one tries to prove, somehow, the conjecture (the correctness of the program).
A formal proof was not designed either to discover new theorems or to prove them. The original Hilbert's formalization was a method how to eliminate any meaning from reasoning to ensure that only pure logical forms are used. Obviously, an informal reasoning was assumed. The concept of formal proof within a logical system has been around for a very long time, but since its introduction mathematicians did prove thousands and millions [MiLP79] of theorems independently of any idea of formal proof. In addition, all ambitious attempts of automatic proving theorems in AI failed totally. How anybody can expect a different fate with formal correctness proving of programs? Floyd versus Hoare I or Fortran versus Algol Floyd's original …
TL;DR: This analysis identifies three major problems which may arise when using Ada as a PDL and traces these problems to the fact that Ada is a programming language, not a design language.
Abstract: Ada is frequently being discussed these days in the Department of Defense community as a program design language (PDL). In some cases, large software projects are using some variant of Ada as their only language for stating software design. My position is that such exclusive reliance on Ada as a PDL should be considered carefully. My analysis identifies three major problems which may arise when using Ada as a PDL and traces these problems to the fact that Ada is a programming language, not a design language.
TL;DR: This paper describes the design of a prototype experimental secure operating system kernel called xsl that supports compile-time enforcement of an information flow policy, an extension of Feiertag's model modified to state requirements in terms of program analysis functions.
Abstract: This paper describes the design of a prototype experimental secure operating system kernel called xsl that supports compile-time enforcement of an information flow policy. The security model chosen is an extension of Feiertag's model modified to state requirements in terms of program analysis functions. A prototype flow analyzer for Pascal programs, based on Denning's model, has been designed and implemented for incorporation into xsl. In addition, a flow analyzer, based on London's model, has also been designed and implemented. Both kinds of enforcement are supported in xsl. Both program analyzers use an intermediate code program representation, originally designed for code optimization. Implementation of the flow analyzers is in Euclid with the remainder of xsl in Pascal.
TL;DR: This research studies the effectiveness of compile-time program restructuring and compiler-provided memory management aids for virtual memory systems based on the newer memory technologies which have smaller latency and transfer times.
Abstract: Program restructuring is a technique that has been used to improve the locality of reference of a computer program and hence reduce its execution cost in a paged virtual memory environment. Conventional methods of program restructuring involve collecting and analyzing an execution trace in order to determine the best layout in virtual memory address space for a program's modules. Unless the restructured program is to be run many times, these methods are not cost effective.
One of the objectives of this research is to reduce the cost of program restructuring by analyzing the source code and symbolic structure of a program and having the compiler determine the program's packing in virtual address space. Two prominent features of the packing algorithm are the duplication of code modules in virtual address space, and the detection of code modules that are referenced from within program loops.
In addition to determining a packing order, the compiler makes available to the virtual memory management system information about the loop structure of a program. From these compiler-provided aids, the memory management system can compute working set window sizes for various phases of program execution which will allow the program to operate more efficiently.
This research also studies the effectiveness of compile-time program restructuring and compiler-provided memory management aids for virtual memory systems based on the newer memory technologies which have smaller latency and transfer times.
TL;DR: An original system to perform an automatic analysis of assembled programs is presented to achieve an even utilization of computer resources for a real-time controlled robot, on the basis of partially dedicated processors.
Abstract: An original system to perform an automatic analysis of assembled programs is presented. Executable programs are analyzed from the description of the machine on which they run and are translated into an intermediate language taking into account the particularities of the considered machine. The system was primarily designed as the first step of a project for transferring programs from one machine to another. The final goal of the project is to achieve an even utilization of computer resources for a real-time controlled robot, on the basis of partially dedicated processors. At the present time, the actual implementation provides a tool for studying the theoretical aspect of machine-level program analysis. Nevertheless, other applications can be found in program debugging and assembled program validation.
TL;DR: A case is presented in this paper to advocate the teaching of the formal verification of computer programs by including a course on program verification in the computer science curriculum.
Abstract: Because of its relevance to program analysis and, ultimately, to program synthesis, the area of formal verification of program correctness is an important part of the education of the programmer and the computer scientist. A case is presented in this paper to advocate the teaching of the formal verification of computer programs. This case is based on three major arguments: The Why, i.e. the need for including a course on program verification in the computer science curriculum; The What, i.e. the technical contents of such a course as highlighted by the current state of the art; The How, i.e. the logistic feasibility of such a course within a fifteen-week semester.
TL;DR: This paper describes how executable programs can be analyzed from a machine description, where the actions performed by a machine program are expressed by an intermediate code in a tree form independently of the considered machine.
TL;DR: Telephone Building Energy Consumption and Control (TELBECC) program has been developed to accurately and efficiently analyze environmental control and energy use in telephone company buildings.
Abstract: Telephone Building Energy Consumption and Control (TELBECC) program has been developed to accurately and efficiently analyze environmental control and energy use in telephone company buildings. The program simulates various operational plans to determine the relative energy and cost savings. By analyzing the operation of the heating, ventilation, and air conditioning system as it regulates a changing environment, TELBECC calculates the heating and cooling load, dry-bulb temperature, and relative humidity in the building. The user specifies the building's dry-bulb temperature limits, which are the control variables for the program analysis. The simplified computational procedure of the program incorporates a recursive scheme using time series to perform the necessary calculations. The results of the computations can be obtained for different periods: the quarter hour, hour, day, or month. Energy consumption and control in several equipment buildings located in three different geographical areas have been analyzed by TELBECC. Analysis and comparison of the resulting data demonstrate the advantages of the program.
TL;DR: The logic analysis of a program is discussed, problems with the logic analysis process in general use are pointed out, and an approach to logic analysis that is more effective and less time consuming is introduced.
Abstract: This article discusses the logic analysis of a program, points out problems with the logic analysis process in general use, and introduces an approach to logic analysis that is more effective and less time consuming. The new method generates logic paths out of programs and preanalyzes the paths in lieu of directly analyzing the program. Three preanalysis software tools are introduced: procedure logic path generator, program logic path generator, and logic path preanalyzer. Sample outputs are given to demonstrate the difference between program analysis and logic path analysis.
TL;DR: The area of formal verification of program correctness is an important part of the education of the programmer and student of computer science.
Abstract: Because of its relevance to program analysis and, ultimately, to program synthesis, the area of formal verification of program correctness is an important part of the education of the programmer an...
TL;DR: It is argued that correctness proofs at the level of rigour used here serve very well to transfer one's understanding of a program to others and should become commonplace before more formal proofs can take over to reduce traditional testing to an inconsequential place.
Abstract: The correctness of an indenting program for Pascal is proved at an intermediate level of rigour. The specifications of the program are given in the companion paper.1 The program is approximately 330 lines long and consists of four modules: io, lex, stack and indent. We prove first that the individual procedures contained in these modules meet their specifications as given by the entry and exit assertions. A global proof of the main routine then establishes that the interaction between modules is such that the main routine meets the specification of the entire program. We argue that correctness proofs at the level of rigour used here serve very well to transfer one's understanding of a program to others. We believe proofs at this level should become commonplace before more formal proofs can take over to reduce traditional testing to an inconsequential place.
TL;DR: An analysis technique of the source program which heavily relies on program control flow is proposed and a technique is given for analyzing these multiple associations and combining the access patterns into db queries.
Abstract: The conversion of database application programs is investigated when migration is required from a system with navigation (CODASYL-like) db interface to a system with specification db interface but the database semantics is not changed. We propose an analysis technique of the source program which heavily relies on program control flow. When the program semantics is analyzed from the point of view of data usage, the db statements appearing in the program are associated with one or more semantic record access patterns. A technique is given for analyzing these multiple associations and combining the access patterns into db queries. Decompilable programs are those which have reducible flow graphs.
TL;DR: A reachability predicate for linear lists is introduced, the elementary axiomatic theory of the predicate is developed, and its application to program verification is illustrated with a formal proof of correctness for a short program that traverses and splices linear lists.
Abstract: The paper introduces a reachability predicate for linear lists, develops the elementary axiomatic theory of the predicate, and illustrates its application to program verification with a formal proof of correctness for a short program that traverses and splices linear lists.
TL;DR: The central idea is that the execution time for a routine is charged to the routines that call it, and the techniques used to gather the necessary information about the timing and structure of the program are given, as is the processing used to propagate routine execution times along arcs of the call graph of the programs.
Abstract: In modular programs, groups of routines constitute conceptual abstractions. A method for providing execution profiles for such programs is presented. The central idea is that the execution time for a routine is charged to the routines that call it. The implementation of this method by a profiler called gprof is described. The techniques used to gather the necessary information about the timing and structure of the program are given, as is the processing used to propagate routine execution times along arcs of the call graph of the program. The method for displaying the profile to the user is discussed. Experience using the profiles for hand-tuning large programs is summarized. Additional uses for the profiles are suggested.