The Gypsy verification environment is a large computer program that supports the development of software systems and formal, mathematical proofs about their behavior. The environment provides conventional development tools, such as a parser for the Gypsy language, an editor and a compiler. These are used to evolve a library of components that define both the software and precise specifications about its desired behavior. The environment also has a verification condition generator that automatically transforms a software component and its specification into logical formulas which are sufficient to prove that the component always runs according to specification. Facilities for constructing formal, mechanical proofs of these formulas also are provided. Many of these proofs are completed automatically without human intervention. The capabilities of the Gypsy system and the results of its applications are discussed.

An investigation was made of the characteristics of computer programming languages intended for the implementation of provably correct programs and of the characteristics of programs written in these languages. It was discovered that potential run time exceptions and the necessity of providing a rigorously correct implementation of exception handlers so dominate the potential control paths of programs written in verifiable languages that the usual code optimization techniques are ineffective. It was further discovered that the call intensive control structures of these programs, necessitated by verification constraints, also thwart optimization and lead to inefficient code. It is shown that theorems can be derived at potential exception sites which, if true, guarantee that the exception condition will never arise permitting removal of the exception path from the program’s flow graph. These theorems are proved using the automatic theorem prover which is part of the program verification system. Is is also shown that many of the routine calls contained in verifiable programs may be reduced in expense by converting parameters to global variables or eliminated completely by expanding the called routines at their call sites. Both the exception suppression and call reduction techniques reduce the complexity of the program’s call graph and facilitate conventional optimizations. Several examples are presented and the potential improvements in code size resulting from the application of these techniques are discussed.

The Gypsy methods for specifying, implementing and mechanically proving distributed systems have been used very successfully in their first major trial application. The application was a special interface between a host and an IMP on the ARPANET. The interface contained 4211 lines of executable high level language program. The basic concepts of Gypsy and its methods for distributed systems are described and illustrated on a small example. THE PROOF OF A DISTRIBUTED SYSTEM IN GYPSY 2 Acknowledgements During its eight year existence, well over 50 people have contributed to the Gypsy project, and I will not attempt to name them all. Gypsy, however, has been a true team effort, and the current team consists of Mike