Estimating the correctness of computer programs

Program testing will for some time remain the major means by which program designers convince themselves and others of the correctness or validity of their programs. Thus it is desirable to be able to use test results to measure the degree to which a program approaches correctness. The probability of correctness of a program can sometimes be estimated according to the success of testing. A general parameter is introduced which has the property that its value is zero for a correct program and is greater than zero for an incorrect program. Under reasonable interpretations, the parameter is related, through probability density functions, to characteristics which are observable through program testing. For instance, if the parameter is interpreted as the number of errors in a program, a related, observable characteristic is the number of errors discovered through testing. Upper bounds on the parameter value are established as a function of the value of the observed characteristic and the desired level of confidence in the result. Results are presented for cases of combinations of interpretations, observable characteristics, and probability density functions.     

Total correctness of CSP programs

Summary In this paper we propose an axiomatic system for proving the total correctness of CSP programs. The system is based on the partial correctness system of [6, 7]. We use the proposed system to prove the total correctness of a program for set partitioning.This work was supported in part by the NSF grant no. ECS8404725     

On the total correctness of nondeterministic programs

For an arbitrary programming language with nondeterminism to be implementable, the existence of computation trees modelling the possible changes in state in the course of a computation is postulated. A general definition of what constitutes an execution method is then presented. Falling naturally out of these ideas is the correspondence between execution methods and total correctness, in that different properties are required of a program to be correct when different methods are adopted. We describe a variety of plausible methods of execution falling under the general definition and single out four particular ones. The arguments made are then illustrated by analysing the properties required by Dijkstra of guarded commands in view of these four methods. We conclude that a general approach such as that suggested here seems to be needed for dealing with programming languages and execution methods other than the particular ones treated by Dijkstra.     

Verification and correctness issues for nonmonotonic knowledge bases

Anomalies such as redundant, contradictory, or deficient knowledge in a knowledge base indicate possible errors. Various methods for detecting such anomalies have been introduced, analyzed, and applied in the past years, but they usually deal with rule-based systems. So far, little attention has been paid to the verification and validation of more complex representations, such as nonmonotonic knowledge bases, although there are good reasons to expect that these technologies will be increasingly used in practical applications. This article does a step towards the verification of knowledge bases which include defaults by providing a theoretical foundation of correctness concepts and a classification of possible anomalies. It also points out how existing verification methods may be applied to detect some anomalies in nonmonotonic knowledge bases, and discusses methods of avoiding potential inconsistencies (in the context of default reasoning inconsistency means nonexistence of extensions). © 1997 John Wiley & Sons, Inc.     

Generation of correctness conditions for imperative programs

Verification of imperative programs in the sense of Floyd-Hoare is an approach to proving correctness of programs annotated by preconditions, postconditions, and loop invariants. It is based on generation of correctness conditions. In the structured deterministic case, the problem of generation of correctness conditions seems trivial, since it is solved by a syntax-driven algorithm, the complexity of which linearly depends on the number of control constructs. Vice versa, in the unstructured nondeterministic case, it seems a priori clear that the complexity of generation of the correctness conditions exponentially depends on the number of statements in the program. In the paper, an efficient and complete algorithm for the generation of the correctness conditions is presented and justified. It can be used both in the structured deterministic and unstructured nondeterministic cases. The algorithm complexity linearly depends on the number of control constructs and/or program statements.     

Total correctness in nonstandard logics of programs

We show that termination is a first-order notion if approached via Nonstandard Logics of Programs (NLP). We give explicit first-order characterizations of the program-verifying power of the well-known Manna-Cooper method for proving total correctness assertions (tca's). Similar characterization is given to the Intermittent Assertions Method (w.r.t. tca's). A comparison of the tca-proving powers of distinguished methods (or logics of programs) is also attempted. We also show that NLP provides new methods which are strictly stronger than the Manna-Cooper method. In the end we turn to partial correctness issues related to the main body of the paper.     

Axiomatic approach to total correctness of programs

Summary We present here an axiomatic approach which enables one to prove by formal methods that his program is totally correct (i.e., it terminates and is logically correct—does what it is supposed to do). The approach is similar to Hoare's approach [3] for proving that a program is partially correct (i.e., that whenever it terminates it produces correct results). Our extension to Hoare's method lies in the possibility of proving both correctness and termination by one unified formalism. One can choose to prove total correctness by a single step, or by incremental proof steps, each step establishing more properties of the program.     

基于属性的访问控制策略的正确性验证

基于属性的访问控制策略以更精确的粒度控制着用户或进程对系统资源的访问,因此获得了越来越广泛的应用。然而必须保证所制定策略的正确性,才能防止对系统资源的非法访问,因此必须研制出一种有效的方法来验证策略的正确性。基于模型检测技术提出了一种访问控制策略的覆盖性与完整性验证方法。主要思想是将覆盖性与完整性验证归约为模型检测问题。将规则集与其变异分别视为模型,以模态逻辑公式描述其性质。调用模型检测算法,分别在模型及其变异模型上检测性质,生成反例报告以确定模型故障点和模型规则缺失点,同时分析性质本身的完善性,最终以完善后的模型和性质再次调用模型检测算法来完成覆盖性与完整性验证。实例分析结果表明覆盖性验证能够有效发现错误的规则,完整性验证能够有效识别验证规则的完备性。方法依托于模型检测工具完成,具有自动化程度高、易操作、测试结果可靠的特点。     

Proving total correctness of nondeterministic programs in infinitary logic

Summary It is shown how the weakest precondition approach to proving total correctness of nondeterministic programs can be formalized in infinitary logic. The weakest precondition technique is extended to hierarchically structured programs by adding a new primitive statement for operational abstraction, the nondeterministic assignment statement, to the guarded commands of Dijkstra. The infinitary logic L ₁ is shown to be strong enough to express the weakest preconditions for Dijkstra's guarded commands, but too weak for the extended guarded commands. Two possible solutions are considered: going to the essentially stronger infinitary logic L ₁₁ and restricting the power of the nondeterministic assignment statement in a way which allows the weakest preconditions to be expressed in L ₁.     

Nondeterministic flowchart programs with recursive procedures: semantics and correctness I

In this paper, we study some aspects of the semantics of nondeterministic flowchart programs with recursive procedures. In the first part of this work we provide the operational semantics of programs using the concept of an execution tree. We propose a new definition of the semantics of a non-deterministic recursive program as a mapping from the input domain to the set of execution trees determined by the program. Using this new concept, we prove that every nondeterministic flowchart program with recursive procedures can be unfolded into a semantically equivalent infinite pure flowchart (without procedures). This result is applied in the second part of this work to prove the soundness of an inductive assertion method which is also complete with a finite number of assertions (contrary to De Bakker and Meertens's method [11]).     

Nondeterministic flowchart programs with recursive procedures: Semantics and correctness II

In the second part of this work, we formulate a new inductive assertion method applying to the class of nondeterministic flowchart programs with recursive procedures studied in part 1. Using results on unfolding proved in part 1, we prove that this method is sound and complete with a finite number of assertions. We study four notions of correctness: two notions of partial correctness (existential and universal) and the corresponding notions of total correctness. We also formalize two notions of extension and equivalence (existential and universal) in the second-order predicate calculus.     

Verification of programs with procedure-type parameters

Summary A verification system is developed for proving the correctness of programs containing procedures with procedure-type parameters. The system, which reduces programs and their specifications to assertions to be proved in ordinary logic, is shown to be logically sound. The reduction process is controlled by the syntax of the program and is completely mechanical, requiring no human intervention. The resulting assertions involve higher-order predicates, but they engender no significant difficulties which are not already present in ordinary first-order theories.Our system views the intermediate objects in the reduction process as extended programs, thereby making verification a much less abstruse process. Treating logical assertions as commands appeals strongly to a programmer's intuition.This research was partially supported by the National Science Foundation under grant MCS77-24236     

Verification of schedulability for real-time programs

Assume that a real-time programP ^T consisting of a number of parallel processes is executed on a system having a setPr of processors which are shared between the processes by a real-time schedulerS ^T. Assume that P^T must meet some timing deadlines. We show that such an implementation ofP ^T can be represented as a transformationL(P ^T) and that the deadlines ofP ^T will be met if they are satisfied by the timing properties of the transformed program. The condition for feasibility of a real-time program executed under a scheduler is formalized and rules are provided for verification. The schedulerS ^T can be specifiedgenerically and applied to different programs, making it unnecessary to introduce low-level operations such as scheduling primitives into the programming language. Thus real-time program specification and Schedulability can be considered in the same framework and the timing properties of a program can be determined at the specification level. By separating the specification of the scheduler from that of the program, the feasibility of an implementation can be proved by considering a scheduling policy rather than its implementation details.