Computer-aided verification - IEEE Spectrum, 1996
Abstract - Cited by 92 (2 self)
How can a computer program developer ensure that a program actually implements its intended purpose? This article describes a method for checking the correctness of certain types of computer programs. The method is used commercially in the development of programs implemented as integrated circuits and is applicable to the development of “control-intensive” software programs as well. “Divide-and-conquer” techniques central to this method apply to a broad range of program verification methodologies. Classical methods for testing and quality control no longer are sufficient to protect us from communication network collapses, fatalities from medical machinery malfunction, rocket guidance failure, or a half-billion dollar commercial loss due to incorrect arithmetic in a popular integrated circuit. These sensational examples are only the headline cases. Behind them are multitudes of mundane programs whose failures merely infuriate their users and cause increased costs to their producers. A source of such problems is the growth in program complexity. The more a program controls, the more types of interactions it supports. For example, the telephone “call-forwarding” service (forwarding incoming calls to a customer-designated number) interacts with the “billing” program that must determine whether the forwarding number or the calling number gets charged for the additional connection to the customer-designated number. At the same time, call-forwarding interacts with the “connection” program that deals with the issue of
Program Restructuring as an Aid to Software Maintenance, 1991
Abstract - Cited by 79 (9 self)
Maintenance tends to degrade the structure of software, ultimately making maintenance more costly. At times, then, it is worthwhile to manipulate the structure of a system to make changes easier. However, it is shown that manual restructuring is an error-prone and expensive activity. By separating structural manipulations from other maintenance activities, the semantics of a system can be held constant by a tool, assuring that no errors are introduced by restructuring. To allow the maintenance team to focus on the aspects of restructuring and maintenance requiring human judgment, a transformation-based tool can be provided---based on a model that exploits preserving data flow-dependence and control flow-dependence---to automate the repetitive, error-prone, and computationally demanding aspects of re...
Why use evolving algebras for hardware and software engineering?, 1995
Abstract - Cited by 37 (4 self)
In this paper I answer the question how evolving algebras can be used for the design and analysis of complex hardware and software systems. I present the salient features of this new method and illustrate them through several examples from my work on specification and verification of programming languages, compilers, protocols and architectures. The definition of a mathematical model for Hennessy and Patterson's RISC architecture DLX serves as a running example; this model is used in [24] to prove the correctness of instruction pipelining. I will point out the yet unexplored potential of the evolving algebra method for large-scale industrial applications.
Towards Automatic Debugging of Computer Programs, 1991
Abstract - Cited by 27 (3 self)
Programmers spend considerable time debugging code. Symbolic debuggers provide some help but the task still remains complex and difficult. Other than breakpoints and tracing, these tools provide little high-level help. Programmers must perform many tasks manually that the tools could perform automatically, such as finding which statements in the program affect the value of an output variable under a given test case, what was the value of a given variable when the control last reached a given program location, and what does the program do differently under one test case that it does not do under another. If the debugging tools provided explicit support for such tasks, the whole debugging process would be automated to a large extent.
Shared Memory in Design: A Unifying Theme for Research and Practice, 1992
Abstract - Cited by 24 (10 self)
This paper presents a new unifying theme for design theory by emphasizing the importance of context. We arrive at our conclusions by examining and then criticizing the legitimacy of universal methods in design, upon which the critical importance of context emerges. The collaborative aspects of design focus attention on the conception of shared meaning. We introduce and elaborate the concept of shared memory as the embodiment both of context and of shared meaning. Using the concept of shared memory in vertical and horizontal forms, within and between disciplines respectively, we both account for past observations of design in practice and recommend actions to improve design in the future. We examine several practical implications of the growing importance of shared memory in industrial firms and for design teams. We then consider and recommend specific research programs which will help designers capture and make better use of this critical resource.
Floating point verification in HOL Light: the exponential function - University of Cambridge Computer Laboratory, 1997
Abstract - Cited by 24 (5 self)
Since they often embody compact but mathematically sophisticated algorithms, operations for computing the common transcendental functions in floating point arithmetic seem good targets for formal verification using a mechanical theorem prover. We discuss some of the general issues that arise in verifications of this class, and then present a machine-checked verification of an algorithm for computing the exponential function in IEEE-754 standard binary floating point arithmetic. We confirm (indeed strengthen) the main result of a previously published error analysis, though we uncover a minor error in the hand proof and are forced to confront several subtle issues that might easily be overlooked informally. The development described here includes, apart from the proof itself, a formalization of IEEE arithmetic, a mathematical semantics for the programming language in which the algorithm is expressed, and the body of pure mathematics needed. All this is developed logically from first prin...
Executing Formal Specifications need not be Harmful - Software Engineering Journal, 1996
Abstract - Cited by 22 (6 self)
We review the various arguments which have been advanced for and against the use of executable specifications. Examples are given of the problems which may arise in applying this technique and of the benefits which may accrue. A case study is reported in which execution is used to validate the published specification of a commercially available package. We conclude that there are circumstances when executable specifications can be of high value but that execution must be used together with, and as a supplement to, other methods of validating specifications such as inspection and proof.

1 Introduction

Formal specifications have been accepted as having value in a number of areas, including critical systems. A specification that does not correctly capture requirements, however, is of dubious benefit. Validating a specification, whether formal or informal, is known to be difficult. With a formal specification there are a number of techniques available for validation, including r...
Formalized mathematics - Turku Centre for Computer Science, 1996
Abstract - Cited by 22 (0 self)
It is generally accepted that in principle it’s possible to formalize completely almost all of present-day mathematics. The practicability of actually doing so is widely doubted, as is the value of the result. But in the computer age we believe that such formalization is possible and desirable. In contrast to the QED Manifesto however, we do not offer polemics in support of such a project. We merely try to place the formalization of mathematics in its historical perspective, as well as looking at existing praxis and identifying what we regard as the most interesting issues, theoretical and practical.

