Toward special-purpose program verification

Formal Methods in Software Development Pub Date : 1990-04-01 DOI:10.1145/99569.99807

P. Eggert

{"title":"Toward special-purpose program verification","authors":"P. Eggert","doi":"10.1145/99569.99807","DOIUrl":null,"url":null,"abstract":"Program verification has seen little practical, automated use. How can its good ideas be revived in a practical setting? One way is to lower its sights: instead of checking that a program matches its specification, one can perform less ambitious but more feasible checking. Much recent work has lowered sights by checking only specifications and not programs. By characterizing software failures by their detection method, we have decided instead to try checking only programs and not specifications. Our goal is to integrate run-time checking into a compiler, so that programs never commit common run-time faults like following bad pointers or violating array boundaries. 1 Verification ignored Most work in applying formal methods to software development concentrates on formalizing software designs, because it is a challenging intellectual problem that brings forth fundamental issues in programming methods and notations. Thus program verification, which arose from axiomatic semantics [Ho691, was originally developed in an ambitious attempt to produce programs that “do what we want them to do.” [Lo751 After an burst of enthusiasm, however, researchers found that program verification consumed too many human resources to apply it to practical systems. Although serious work has continued in program verification to this day, many outsiders are skeptical of its utility. For example, of 25 papers in a recent conference on practical software development environments [He881, only two relatively speculative papers [Le88, Re88) even mentioned verification. Another measure of the distance between formal verification and practice is the Gypsy Programming Support Environment [Co88], named by practical workers who were evidently unaware of the Gypsy Verification Environment [Go861! Many workers who remain in the field concentrate on verifying only the most crucial properties of software, notably security in the U.S.A. [Ch81, Go86, vH88, Sc891, where sights axe often lowered by checking only specifications, not programs. This work is not likely to catch on in the broader software community. Worse, software engineering education, at least in the U.S.A., discourages students from formal methods [Gr90]. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for Proceedings of the ACM SIGSOFT International Workshop on Formal Methods in Software Developdirect commercial advantage, the ACM copyright notice and the ment. Napa, California, May 9-11, 1990. title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. @ 1990 ACM 089791-4155/90/0010-0025...$1.50","PeriodicalId":429108,"journal":{"name":"Formal Methods in Software Development","volume":"12 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1990-04-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"3","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Formal Methods in Software Development","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1145/99569.99807","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 3

Abstract

Program verification has seen little practical, automated use. How can its good ideas be revived in a practical setting? One way is to lower its sights: instead of checking that a program matches its specification, one can perform less ambitious but more feasible checking. Much recent work has lowered sights by checking only specifications and not programs. By characterizing software failures by their detection method, we have decided instead to try checking only programs and not specifications. Our goal is to integrate run-time checking into a compiler, so that programs never commit common run-time faults like following bad pointers or violating array boundaries. 1 Verification ignored Most work in applying formal methods to software development concentrates on formalizing software designs, because it is a challenging intellectual problem that brings forth fundamental issues in programming methods and notations. Thus program verification, which arose from axiomatic semantics [Ho691, was originally developed in an ambitious attempt to produce programs that “do what we want them to do.” [Lo751 After an burst of enthusiasm, however, researchers found that program verification consumed too many human resources to apply it to practical systems. Although serious work has continued in program verification to this day, many outsiders are skeptical of its utility. For example, of 25 papers in a recent conference on practical software development environments [He881, only two relatively speculative papers [Le88, Re88) even mentioned verification. Another measure of the distance between formal verification and practice is the Gypsy Programming Support Environment [Co88], named by practical workers who were evidently unaware of the Gypsy Verification Environment [Go861! Many workers who remain in the field concentrate on verifying only the most crucial properties of software, notably security in the U.S.A. [Ch81, Go86, vH88, Sc891, where sights axe often lowered by checking only specifications, not programs. This work is not likely to catch on in the broader software community. Worse, software engineering education, at least in the U.S.A., discourages students from formal methods [Gr90]. Permission to copy without fee all or part of this material is granted provided that the copies are not made or distributed for Proceedings of the ACM SIGSOFT International Workshop on Formal Methods in Software Developdirect commercial advantage, the ACM copyright notice and the ment. Napa, California, May 9-11, 1990. title of the publication and its date appear, and notice is given that copying is by permission of the Association for Computing Machinery. To copy otherwise, or to republish, requires a fee and/or specific permission. @ 1990 ACM 089791-4155/90/0010-0025...$1.50

查看原文本刊更多论文

用于特殊目的的程序验证

程序验证很少有实际的、自动化的使用。它的好思想如何在实际环境中复兴?一种方法是降低其目标:与其检查程序是否符合其规范，不如执行不那么雄心勃勃但更可行的检查。最近的许多工作只检查规格而不检查程序，降低了人们的眼界。通过检测软件故障的方法，我们决定只检查程序而不检查规格说明。我们的目标是将运行时检查集成到编译器中，这样程序就不会犯常见的运行时错误，比如跟随错误的指针或违反数组边界。将形式化方法应用于软件开发的大多数工作都集中在形式化软件设计上，因为这是一个具有挑战性的智力问题，它带来了编程方法和符号的基本问题。因此，起源于公理语义(Ho691)的程序验证，最初是在一个雄心勃勃的尝试中开发出来的，目的是让程序“做我们想让它们做的事情”。[00:751]然而，在一阵热情爆发之后，研究人员发现，程序验证耗费了太多的人力资源，无法将其应用于实际系统。尽管时至今日，在程序验证方面的严肃工作仍在继续，但许多外部人士对其实用性持怀疑态度。例如，在最近一次关于实际软件开发环境的会议[He881]上的25篇论文中，只有两篇相对推测性的论文[Le88, Re88]甚至提到了验证。正式验证与实践之间距离的另一个衡量标准是Gypsy编程支持环境[Co88]，由显然不知道Gypsy验证环境的实践工作者命名[Go861!许多留在这一领域的工作人员只专注于验证软件最关键的特性，特别是美国的安全[Ch81, Go86, vH88, Sc891]，在那里，只检查规格而不检查程序，往往降低了他们的目标。这项工作不太可能在更广泛的软件社区流行起来。更糟糕的是，软件工程教育，至少在美国，不鼓励学生采用正式的方法[Gr90]。允许免费复制全部或部分本材料，前提是这些副本不是为ACM SIGSOFT软件开发正式方法国际研讨会论文集、ACM版权声明和声明而制作或分发的。1990年5月9日至11日，加州纳帕。出版物的标题和出版日期，并注明复制是由计算机协会许可的。以其他方式复制或重新发布需要付费和/或特定许可。@ 1990 acm 089791-4155/90/0010-0025…$1.50

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Formal Methods in Software Development

自引率

0.00%

发文量