Program Verification

J. Autom. Reason. Pub Date : 1900-01-01 DOI:10.1142/9789813229211_0006

R. Kurshan

{"title":"Program Verification","authors":"R. Kurshan","doi":"10.1142/9789813229211_0006","DOIUrl":null,"url":null,"abstract":"534 NOTICES OF THE AMS VOLUME 47, NUMBER 5 H ow can a computer program developer ensure that a program actually implements its intended purpose? This article describes a method for checking the correctness of certain types of computer programs. The method is used commercially in the development of programs implemented as integrated circuits and is applicable to the development of “control-intensive” software programs as well. “Divide-and-conquer” techniques central to this method apply to a broad range of program verification methodologies. Classical methods for testing and quality control no longer are sufficient to protect us from communication network collapses, fatalities from medical machinery malfunction, rocket guidance failure, or a half-billion dollar commercial loss due to incorrect arithmetic in a popular integrated circuit. These sensational examples are only the headline cases. Behind them are multitudes of mundane programs whose failures merely infuriate their users and cause increased costs to their producers. A source of such problems is the growth in program complexity. The more a program controls, the more types of interactions it supports. For example, the telephone “call-forwarding” service (forwarding incoming calls to a customer-designated number) interacts with the “billing” program that must determine whether the forwarding number or the calling number gets charged for the additional connection to the customer-designated number. At the same time, call-forwarding interacts with the “connection” program that deals with the issue of what to do in case the called number is busy, but the ultimate forward destination is free. One property to check is that a call is billed to the customer if and only if the connection is completed. If the call connection and billing programs interact incorrectly, a called number that was busy and then became free could appear busy to one program and free to the other, resulting in an unbilled service or an unwarranted charge, depending upon their order of execution. If a program includes n interrelated control functions with more than one state, the resulting program may need to support 2n distinct combinations of interactions, any of which may harbor a potential unexpected peculiarity. When n is very small, the developer can visualize all the combinations and deal with them individually. Since the size of a program tends to be proportional to the number of functions it includes (one program block per function), the number of program interactions as a function of program size may grow exponentially. As a result, the developer can use only a very small proportion of the possible program interactions to guide the development and testing of the program. When some unconsidered combination produces an eccentric behavior, the result may be a “bug”. While a computer could be programmed to check a program under development for eccentric behavior by searching exhaustively through all combinations of program interactions, the exponential growth could soon cause the computer to exceed available time or memory. On account of the potential for interactions, adding a few functions to a program can substantially alter its testability and thus viability. From the program developer’s perspective, this is unsatisfactory. If the program is developed carefully, however, the correct behavior of each of the n individual control functions of the program can be checked in a way Robert P. Kurshan is Distinguished Member of Technical Staff at Bell Laboratories, Murray Hill, NJ. His e-mail address is k@research.bell-labs.com.","PeriodicalId":380235,"journal":{"name":"J. Autom. Reason.","volume":"41 1","pages":"0"},"PeriodicalIF":0.0000,"publicationDate":"1900-01-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"70","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"J. Autom. Reason.","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.1142/9789813229211_0006","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}

引用次数: 70

Abstract

534 NOTICES OF THE AMS VOLUME 47, NUMBER 5 H ow can a computer program developer ensure that a program actually implements its intended purpose? This article describes a method for checking the correctness of certain types of computer programs. The method is used commercially in the development of programs implemented as integrated circuits and is applicable to the development of “control-intensive” software programs as well. “Divide-and-conquer” techniques central to this method apply to a broad range of program verification methodologies. Classical methods for testing and quality control no longer are sufficient to protect us from communication network collapses, fatalities from medical machinery malfunction, rocket guidance failure, or a half-billion dollar commercial loss due to incorrect arithmetic in a popular integrated circuit. These sensational examples are only the headline cases. Behind them are multitudes of mundane programs whose failures merely infuriate their users and cause increased costs to their producers. A source of such problems is the growth in program complexity. The more a program controls, the more types of interactions it supports. For example, the telephone “call-forwarding” service (forwarding incoming calls to a customer-designated number) interacts with the “billing” program that must determine whether the forwarding number or the calling number gets charged for the additional connection to the customer-designated number. At the same time, call-forwarding interacts with the “connection” program that deals with the issue of what to do in case the called number is busy, but the ultimate forward destination is free. One property to check is that a call is billed to the customer if and only if the connection is completed. If the call connection and billing programs interact incorrectly, a called number that was busy and then became free could appear busy to one program and free to the other, resulting in an unbilled service or an unwarranted charge, depending upon their order of execution. If a program includes n interrelated control functions with more than one state, the resulting program may need to support 2n distinct combinations of interactions, any of which may harbor a potential unexpected peculiarity. When n is very small, the developer can visualize all the combinations and deal with them individually. Since the size of a program tends to be proportional to the number of functions it includes (one program block per function), the number of program interactions as a function of program size may grow exponentially. As a result, the developer can use only a very small proportion of the possible program interactions to guide the development and testing of the program. When some unconsidered combination produces an eccentric behavior, the result may be a “bug”. While a computer could be programmed to check a program under development for eccentric behavior by searching exhaustively through all combinations of program interactions, the exponential growth could soon cause the computer to exceed available time or memory. On account of the potential for interactions, adding a few functions to a program can substantially alter its testability and thus viability. From the program developer’s perspective, this is unsatisfactory. If the program is developed carefully, however, the correct behavior of each of the n individual control functions of the program can be checked in a way Robert P. Kurshan is Distinguished Member of Technical Staff at Bell Laboratories, Murray Hill, NJ. His e-mail address is k@research.bell-labs.com.

查看原文本刊更多论文

程序验证

计算机程序开发人员如何确保程序实际实现其预期目的?这篇文章描述了一种检查某些类型计算机程序正确性的方法。该方法在商业上用于开发作为集成电路实现的程序，也适用于开发“控制密集型”软件程序。该方法的核心“分而治之”技术适用于广泛的程序验证方法。经典的测试和质量控制方法不再足以保护我们免受通信网络崩溃、医疗设备故障造成的死亡、火箭制导故障或由于流行集成电路中的错误计算造成的5亿美元的商业损失。这些耸人听闻的例子只是头条新闻。在它们的背后是大量平凡的程序，这些程序的失败只是激怒了它们的用户，并导致它们的生产者增加了成本。这类问题的一个来源是程序复杂性的增长。一个程序控制的越多，它支持的交互类型就越多。例如，电话“呼叫转接”服务(将来电转接到客户指定的号码)与“计费”程序交互，该程序必须确定转接号码或主叫号码是否因与客户指定号码的额外连接而收费。同时，呼叫前转与“连接”程序交互，该程序处理在被叫号码占线但最终前转目的地是空闲的情况下该怎么办的问题。要检查的一个属性是，当且仅当连接完成时，呼叫将向客户计费。如果呼叫连接和计费程序之间的交互不正确，则一个被呼叫号码在忙后变为空闲，可能对一个程序显示为忙而对另一个程序显示为空闲，从而导致未计费的服务或无端收费，具体取决于它们的执行顺序。如果程序包含n个具有多个状态的相互关联的控制函数，则生成的程序可能需要支持2n种不同的交互组合，其中任何一种都可能包含潜在的意外特性。当n非常小时，开发人员可以可视化所有组合并单独处理它们。由于程序的大小往往与它包含的函数的数量成正比(每个函数一个程序块)，程序交互的数量作为程序大小的函数可能呈指数增长。因此，开发人员只能使用很小一部分可能的程序交互来指导程序的开发和测试。当一些未经考虑的组合产生了古怪的行为时，结果可能是一个“bug”。虽然可以对计算机进行编程，通过穷尽地搜索程序相互作用的所有组合来检查正在开发的程序是否有反常行为，但指数增长可能很快导致计算机超出可用时间或内存。考虑到交互的可能性，在程序中添加一些功能会极大地改变程序的可测试性和可行性。从程序开发人员的角度来看，这是不令人满意的。但是，如果程序开发得很仔细，程序的n个单独控制功能中的每一个的正确行为都可以通过某种方式进行检查。Robert P. Kurshan是新泽西州默里希尔贝尔实验室的杰出技术人员。他的电子邮件地址是k@research.bell-labs.com。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

J. Autom. Reason.

自引率

0.00%

发文量