An abstract programming language and correctness proofs

The realization of an abstract programming language is a good approach for automating the software production process and facilitating the correctness proof of a software system.

This paper introduces a formal language for programming at the abstract level by combining Pascal with VDM (Vienna Development Method). The notation provided by the language obliges programmers to consider the correctness of programs throughout the whole process of programming, and the proof axiom and rules presented in this paper may be used to prove the correctness of programs. A complete example is given to illustrate how to program using APL and how to prove the correctness of programs using the given axiom and rules.     

Algebraic implementation of abstract data types

Starting with a review of the theory of algebraic specifications in the sense of the ADJ-group a new theory for algebraic implementations of abstract data types is presented.While main concepts of this new theory were given already at several conferences this paper provides the full theory of algebraic implementations developed in Berlin except of complexity considerations which are given in a separate paper. The new concept of algebraic implementations includes implementations for algorithms in specific programming languages and on the other hand it meets also the requirements for stepwise refinement of structured programs and software systems as introduced by Dijkstra and Wirth. On the syntactical level an algebraic implementation corresponds to a system of recursive programs while the semantical level is defined by algebaic constructions, called synthesis, restriction and identification. Moreover the concept allows composition of implementations and a rigorous study of correctness. The main results of the paper are different kinds of correctness criteria which are applied to a number of illustrating examples including the implementation of sets by hash-tables. Algebraic implementations of larger systems like a histogram or a parts system are given in separate case studies which, however, are not included in this paper.     

On correctness of information models

During the last decade a number of approaches to information modelling, or conceptual modelling, have been presented. In most approaches it is assumed that the correctness of an information model is decided from intuitive considerations, though formal methods may be applied.In this report we discuss three correctness criteria of information models, namely: consistency, satisfiability and completeness. The satisfiability of an information model in a universe of discourse can be formally checked by complementing the information model with a representation of concrete knowledge which is assumed to be complete. A formal basis for such correctness checking is presented. Further, the relationship between an information model and a conceptual schema is discussed, and an observed transformation problem is presented.     

Structuredness and its significance for correctness of process models

Recent research has shown that business process models from practice suffer from several quality problems. In particular, the correctness of control flow has been analyzed for industry-scale collections of process models revealing that error ratios are surprisingly high. In the past the structuredness property has been discussed as a guideline to avoid errors, first in research on programming, and later also in business process modeling. In this paper we investigate the importance of structuredness for process model correctness from an empirical perspective. We introduce definitions of two metrics that quantify the (un)structuredness of a process model, the degree of structuredness and the unmatched connector count. Then, we use the event-driven process chain models of the SAP reference model for validating the capability of these metrics to predict error probability. Our findings clearly support the importance of structuredness as a design principle for achieving correctness in process models.     

Specification and correctness proof of a WAM extension with abstract type constraints

We provide a mathematical specification of an extension of Warren's Abstract Machine (WAM) for executing Prolog to type-constraint logic programming and prove its correctness. Our aim is to provide a full specification and correctness proof of a concrete system, the PROTOS Abstract Machine (PAM), an extension of the WAM by polymorphic order-sorted unification as required by the logic programming language PROTOS-L.In this paper, while leaving the details of the PAM's type constraint representation and solving facilities to a sequel to this work, we keep the notion of types and dynamic type constraints abstract to allow applications to different constraint formalisms like Prolog III or CLP(R). This generality permits us to introduce modular extensions of Börger's and Rosenzweig's formal derivation of the WAM. Since the type constraint handling is orthogonal to the compilation of predicates and clauses, we start from type-constraint Prolog algebras with compiled AND/OR structure that are derived from Börger's and Rosenzweig's corresponding compiled standard Prolog algebras. The specification of the type-constraint WAM extension is then given by a sequence of evolving algebras, each representing a refinement level, and for each refinement step a correctness proof is given. Thus, we obtain the theorem that for every such abstract type-constraint logic programming system L, every compiler to the WAM extension with an abstract notion of types which satisfies the specified conditions, is correct.The first author was partially funded by the German Ministry for Research and Technology (BMFT) in the framework of the WISPRO Project (Grant 01 IW 206). He would also like to thank the Scientific Center of IBM Germany where the work reported here was started.     

Automating correctness verification of artifact-centric business process models

ContextThe artifact-centric methodology has emerged as a new paradigm to support business process management over the last few years. This way, business processes are described from the point of view of the artifacts that are manipulated during the process.ObjectiveOne of the research challenges in this area is the verification of the correctness of this kind of business process models where the model is formed of various artifacts that interact among them.MethodIn this paper, we propose a fully automated approach for verifying correctness of artifact-centric business process models, taking into account that the state (lifecycle) and the values of each artifact (numerical data described by pre and postconditions) influence in the values and the state of the others. The lifecycles of the artifacts and the numerical data managed are modeled by using the Constraint Programming paradigm, an Artificial Intelligence technique.ResultsTwo correctness notions for artifact-centric business process models are distinguished (reachability and weak termination), and novel verification algorithms are developed to check them. The algorithms are complete: neither false positives nor false negatives are generated. Moreover, the algorithms offer precise diagnosis of the detected errors, indicating the execution causing the error where the lifecycle gets stuck.ConclusionTo the best of our knowledge, this paper presents the first verification approach for artifact-centric business process models that integrates pre and postconditions, which define the behavior of the services, and numerical data verification when the model is formed of more than one artifact. The approach can detect errors not detectable with other approaches.     

Striving for correctness

In developing information technology, you want assurance that systems are secure and reliable, but you cannot have assurance or security without correctness. We discuss methods used to achieve correctness, focusing on weaknesses and approaches that management might take to increase belief in correctness. Formal methods, simulation, testing, and process modeling are addressed in detail. Structured programming, life-cycle modeling like the spiral model, use of CASE tools, use of formal methods, object-oriented design, reuse of existing code are also mentioned. Reliance on these methods involves some element of belief since no validated metrics on the effectiveness of these methods exist. Suggestions for using these methods as the basis for managerial decisions conclude the paper.     

Boolean models and planning methods for parallel abstract programs

For the parallel computer systems, a new formulation of the problem of constructing parallel asynchronous abstract programs of the desired length was proposed. The conditions for the problem of planning were represented as a system of Boolean equations (constraints) whose solutions define the feasible plans for activation of the program modules specified in the planner’s knowledge base. The constraints on the number of processors and time delays arising at execution of the program modules were taken into consideration.     

Two implementation models of abstract data types

This paper compares two implementation models for abstract data types: direct and indirect implementations. Direct implementations offer relatively cheap execution and expensive compilation costs while indirect implementations result in relatively expensive implementations and cheap compilation costs. These two models are both accommodated by Ada, and a small experiment compares their costs for a particular data type.     

Axioms for total correctness

Summary A notation for total correctness of a program with respect to input and output formulas is introduced; and Hoare's loop axiom is rearranged in such a way as to form a good inference system for the total correctness. Its consistency and completeness are shown.     

Algebraic computational models of OR-parallel execution of Prolog

A specification of the OR-parallel execution of Prolog programs, using CHOCS (calculus of higher order communicating systems) [24], is presented in the paper. A translation is defined from Prolog programs and goals to CHOCS processes: the execution of the CHOCS process corresponding to a goal mimics the OR-parallel execution of the original Prolog goal. In the translation, clauses and predicate definitions of a Prolog program correspond to processes. To model OR-parallelism, the processes , corresponding to clauses (having the same head predicate ) start their execution concurrently, but, in order to respect the depth-first search rule, each is guarded by the termination of the executions of processes 's, . The computational model is proved correct with respect to the semantics of Prolog, as given in [4, 5]. Our model, because of its algebraic specification, can be easily used to prove properties of the parallel execution of Prolog programs. Moreover, the model exploits the maximum degree of parallelism, by giving the Prolog solutions in parallel, without any order among them. However, this model, being close to the Prolog semantics definition, contains sources of inefficiency which make it unpractical as a guide for the implementation. To overcome these problems, a new computational model is defined. This model is obtained by modifications of the basic one and thus its correctness can be easily proved. Finally, we show how to obtain models of different real implementations of OR-parallel Prolog by slight modification of the new model. The relations among all these models, in terms of parallelism degree, are studied by using the concepts of bisimulation and simulation, developed for concurrent calculi. Received: 5 May 1995 / 28 May 1996     

Using abstract models for the generation of test data with a complex structure

An approach to the automatic generation of test data having a complex structure (such as XML documents, programs in various programming languages, and the like) is presented. It is based on abstract models that represent various views of the structure of the desired data. The approach enables one to generate small sets of test data for testing the functionality of the target system. The use of abstract models makes configuration of the generation procedure easy and clear; it also facilitates the maintenance and reuse of existing configurations of the test data generator. The approach was implemented in the test data generator called Pinery, which was successfully used in a number of projects including testing commercial C/C++ compilers.     

General correctness: A unification of partial and total correctness

Summary General correctness, which subsumes partial and total correctness, is defined for both weakest preconditions and strongest postconditions. Healthiness properties for general-correctness predicate transformers are more uniform and complete than those for partial- and total-correctness systems. In fact, the healthiness properties for partial and total correctness are simple restrictions of those for general correctness. General correctness allows simple formulations of the connections between weakest and strongest postconditions and between the notions of weakest precondition under the demonic and angelic interpretations of nondeterminism. A problem that plagues sp-sp(P, C) is undefined if execution of C begun in some state of P may not terminate — disappears with the generalization.This paper is a study of some simple theory underlying predicate transformer semantics, and as yet has little bearing on current programming practices. The theory uses a relational model of programs.This work was supported by the National Science Foundation under grant MCS-81-03605 and by the second author's Guggenheim Fellowship. This paper is based on the first author's Ph.D. thesis at Cornell.     

Generation of correctness conditions for imperative programs

Verification of imperative programs in the sense of Floyd-Hoare is an approach to proving correctness of programs annotated by preconditions, postconditions, and loop invariants. It is based on generation of correctness conditions. In the structured deterministic case, the problem of generation of correctness conditions seems trivial, since it is solved by a syntax-driven algorithm, the complexity of which linearly depends on the number of control constructs. Vice versa, in the unstructured nondeterministic case, it seems a priori clear that the complexity of generation of the correctness conditions exponentially depends on the number of statements in the program. In the paper, an efficient and complete algorithm for the generation of the correctness conditions is presented and justified. It can be used both in the structured deterministic and unstructured nondeterministic cases. The algorithm complexity linearly depends on the number of control constructs and/or program statements.     

A framework for determining design correctness

Quality is one of the main concerns in today's systems and software development and use. One important instrument in verification is the use of formal methods, which means that requirements and designs are analyzed formally to determine their relationships. Furthermore, since professional software design is to an increasing extent a distributed process, the issue of integrating different systems to an entity is of great importance in modern system development and design. Various candidates for formalizing system development and integration have prevailed, but very often, particularly for dynamic conflict detection, these introduce non-standard objects and formalisms, leading to severe confusion, both regarding the semantics and the computability. In contrast to such, we introduce a framework for defining requirement fulfillment by designs, detecting conflicts of various kinds as well as integration of heterogeneous schemata. The framework introduced transcends ordinary logical consequence, as it takes into account static and dynamic aspects of design consistency and, in particular, the specific features of the state space of a specification. Another feature of the approach is that it provides a unifying framework for design conflict analysis and schema integration.     

工作流正确性问题综述*

首先从结构正确性和执行正确性两方面对工作流系统的正确性问题进行了综述。对结构正确性,从模型角度进行了正确性定义、判定依据及判定工具的介绍。对执行正确性,从事务、异常处理两个方面介绍了当前工作流正确性的保障技术。最后,对已有工作流正确性问题的理论和实现技术进行了比较,并总结了这方面的几个研究方向,供研究人员借鉴。     

Constraint-based correctness proofs for logic program transformations

Many approaches proposed in the literature for proving the correctness of unfold/fold transformations of logic programs make use of measures associated with program clauses. When from a program P ₁ we derive a program P ₂ by applying a sequence of transformations, suitable conditions on the measures of the clauses in P ₂ guarantee that the transformation of P ₁ into P ₂ is correct, that is, P ₁ and P ₂ have the same least Herbrand model. In the approaches proposed so far, clause measures are fixed in advance, independently of the transformations to be proved correct. In this paper we propose a method for the automatic generation of clause measures which, instead, takes into account the particular program transformation at hand. During the application of a sequence of transformations we construct a system of linear equalities and inequalities over nonnegative integers whose unknowns are the clause measures to be found, and the correctness of the transformation is guaranteed by the satisfiability of that system. Through some examples we show that our method is more powerful and practical than other methods proposed in the literature. In particular, we are able to establish in a fully automatic way the correctness of program transformations which, by using other methods, are proved correct at the expense of fixing in advance sophisticated clause measures.