Abstract not found

This paper presents a novel approach to unit testing of software components. This approach uses the specification language ADL, that is particularly well-suited for testing, to formally document the intended behavior of software components. Another related language, TDD, is used to systematically describe the test-data on which the software components will be tested. This paper gives a detailed overview of the ADL language, and a brief presentation of the TDD language. Some details of the actual test system are also presented, along with some significant results.

Abstract. We consider modelling indispensable for the development of complex systems. Modelling must be carried out in a formal notation to reason and make meaningful conjectures about a model. But formal modelling of complex systems is a difficult task. Even when theorem provers improve further and get more powerful, modelling will remain difficult. The reason for this that modelling is an exploratory activity that requires ingenuity in order to arrive at a meaningful model. We are aware that automated theorem provers can discharge most of the onerous trivial proof obligations that appear when modelling systems. In this article we present a modelling tool that seamlessly integrates modelling and proving similar to what is offered today in modern integrated development environments for programming. The tool is extensible and configurable so that it can be adapted more easily to different application domains and development methods. 1

Dynamic verification is a new approach to formal verification, applicable to generic algorithms such as those found in the Standard Template Library (STL, part of the Draft ANSI/ISO C++ Standard Library). Using behavioral abstraction and symbolic execution techniques, verifications are carried out at a meta-level such that the results can be used in a variety of instances of the generic algorithms without repeating the proofs. This is achieved by substituting for type parameters of generic algorithms special data types that model generic concepts by accepting symbolic inputs and deducing outputs using inference methods. By itself, this symbolic execution technique supports testing of programs with symbolic values at a meta-level. For formal verification we also need to generate multiple program execution paths and use assertions (to handle while loops, for example), but we show how this can be achieved via directives to a conventional debugger program and an analysis database. The asse...

A state constraint is a new programming construct designed to restrict the domain of definition of a program. It can be used to decompose a program pathwise, i.e., to divide the program into subprograms along the control flow, as opposed to divide the program across the control flow when the program is decomposed into functions and procedures. As the result one can now construct and manipulate a program consisting of one or more execution paths of another program. This paper describes the idea involved, examines the properties of state constraints, establishes a formal basis for pathwise decomposition, and discusses their utilities in program simplification, testing, and verification. Index terms: state constraints, pathwise decomposition, program analysis, program testing, program decomposition, program simplification, program understanding 1. Introduction In many problem areas, such as proving program-correctness, symbolic execution, and program testing, one often needs to deal with...

Abstract. We present the theoretical aspects and a prototype implementation in the Theorema system of a method for the verification of recursive imperative programs. The method is based on forward symbolic execution and functional semantics and generates first order verification conditions for the total correctness which use only the underlying theory of the program. All verification conditions are generated automatically by our prototype implementation in the frame of the Theorema system based on Mathematica. The termination property is expressed as an induction principle depending on the structure of the program with respect to recursion. It turns out that part of the verification conditions (notably the termination condition) are crucial for the existence of the function defined by the program, without which the total correctness formula is trivial due to inconsistency of the assumptions. The formal description of the method is the basis for the implementation and also for the proof of its correctness. 1

This paper suggests a systematic, orderly, process-based approach to stating software quality objectives and knowing if and when they have been achieved. We suggest that quality in software is a complex, multifaceted array of characteristics, and that it is important to establish specific objectives along various software quality dimensions as requirements for software quality assurance determination processes. We propose that process technology be used to design, code, execute, evaluate, and migrate processes that are demonstrably effective in achieving required software product quality objectives. Recently there have been numerous highly visible efforts to codify the assessment of software processes, and to use assessment results to improve them. In this paper we argue that these efforts function as testplans for software processes. We borrow some of the notions proposed in these efforts, and indicate how they can be used to construct a discipline of measuring and evaluating how well...

Abstract—As an extension of our previous work on imperative program verification, we present a formalism for handling the total correctness of While loops in imperative programs, consisting in functional based definitions of the verification conditions for both partial correctness and for termination. A specific feature of our approach is the generation of verification conditions as first order formulae, including the termination condition which is expressed as an induction principle. Keywords-program analysis and verification, symbolic execution, theorem proving I.

We present an effective technique for crosschecking an IEEE 754 floating-point program and its SIMD-vectorized version, implemented in KLEE-FP, an extension to the KLEE symbolic execution tool that supports symbolic reasoning on the equivalence between floating-point values. The key insight behind our approach is that floatingpoint values are only reliably equal if they are essentially built by the same operations. As a result, our technique works by lowering the Intel Streaming SIMD Extension (SSE) instruction set to primitive integer and floating-point operations, and then using an algorithm based on symbolic expression matching augmented with canonicalization rules. Under symbolic execution, we have to verify equivalence along every feasible control-flow path. We reduce the branching factor of this process by aggressively merging conditionals, if-converting branches into select operations via an aggressive phi-node folding transformation. We applied KLEE-FP to OpenCV, a popular open source computer vision library. KLEE-FP was able to successfully crosscheck 51 SIMD/SSE implementations against their corresponding scalar versions, proving the bounded equivalence of 41 of them (i.e., on images up to a certain size), and finding inconsistencies in the other 10.

Deterministic multithreading (DMT) eliminates many pernicious software problems caused by nondeterminism. It works by constraining a program to repeat the same thread interleavings, or schedules, when given same input. Despite much recent research, it remains an open challenge to build both deterministic and efficient DMT systems for general programs on commodity hardware. To deterministically resolve a data race, a DMT system must enforce a deterministic schedule of shared memory accesses, or memschedule, which can incur prohibitive overhead. By using schedules consisting only of synchronization operations, or sync-schedule, this overhead can be avoided. However, a sync-schedule is deterministic only for race-free programs, but most programs have races. Our key insight is that races tend to occur only within minor portions of an execution, and a dominant majority of the execution