Ben Wegbreit

Mechanical program analysis

One means of analyzing program performance is by deriving closed-form expressions for their execution behavior. This paper discusses the mechanization of such analysis, and describes a system, Metric, which is able to analyze simple Lisp programs and produce, for example, closed-form expressions for their running time expressed in terms of size of input. This paper presents the reasons for mechanizing program analysis, describes the operation of Metric, explains its implementation, and discusses its limitations.

The synthesis of loop predicates

Current methods for mechanical program verification require a complete predicate specification on each loop. Because this is tedious and error prone, producing a program with complete, correct predicates is reasonably difficult and would be facilitated by machine assistance. This paper discusses techniques for mechanically synthesizing loop predicates. Two classes of techniques are considered: (1) heuristic methods which derive loop predicates from boundary conditions and/or partially specified inductive assertions: (2) extraction methods which use input predicates and appropriate weak interpretations to obtain certain classes of loop predicates by an evaluation on the weak interpretation.

Property extraction in well-founded property sets

To carry out significant program optimization, it is necessary to know what properties hold at each program unit. Frequently the properties of interest form a partially ordered set with a minimum condition (i.e., well-founded). When this occurs, it is possible to directly compute the properties that can be attached to program units and, optionally, to expand the program text to obtain a strong assignment of properties. Techniques are presented for property computation in iterative and recursive programs. Application to a variety of property sets is discussed.

Goal-Directed Program Transformation

Program development often proceeds by transforming simple, clear programs into complex, involuted, but more efficient ones. This paper examines ways this process can be rendered more systematic. We show how analysis of program performance, partial evaluation of functions, and abstraction of recursive function definitions from recurring subgoals can be combined to yield many global transformations in a methodical fashion. Examples are drawn from compiler optimization, list processing, very high-evel languages, and APL execution.

The treatment of data types in EL1

In constructing a general purpose programming language, a key issue is providing a sufficient set of data types and associated operations in a manner that permits both natural problem-oriented notation and efficient implementation. The EL1 language contains a number of features specifically designed to simultaneously satisfy both requirements. The resulting treatment of data types includes provision for programmer-defined data types and generaic routines, programmer control over type conversion, and very flexible data type behavior, in a context that allows efficient compiled code and compact data representation.

Subgoal induction

A proof method, subgoal induction, is presented as an alternative or supplement to the commonly used inductive assertion method. Its major virtue is that it can often be used to prove a loops correctness directly from its input-output specification without the use of an invariant. The relation between subgoal induction and other commonly used induction rules is explored and, in particular, it is shown that subgoal induction can be viewed as a specialized form of computation induction. A set of sufficient conditions are presented which guarantee that an input-output specification is strong enough for the induction step of a proof by subgoal induction to be valid.

The verification and synthesis of data structures

SummaryThe concept of machine extension is a commonly used technique for implementing complex software: sets of object classes and operations on these objects are defined and used, often in a layered fashion, to construct the system. This paper addresses the adaptation of this technique to automatic programming. It discusses how such sets of data structures may be precisely specified, presents an axiomatization of a programming language suitable for machine verification, and shows how programs which realize these data structures may be proved correct. A range of data type classes is treated—including arrays, records, and pointers. Some new verification rules are presented to handle programs which use assignments and structured objects.

Proving Properties of Complex Data Structures

This paper is concerned with proving properties of programs which use data structures. The goal is to be able to prove that all instances of a class (e.g. as defined in Simula) satisfy some property. A method of proof which achieves this goal, generator induction, is studied and compared to other proof rules and methods: inductive assertions, recursion induction, computation induction, and, in some detail, structural induction. The paper concludes by using generator induction to prove a characteristic property of an implementation of hashtables.

Verifying Program Performance

It is shown that specifications of program performance can be formally verified. Formal verification techniques, in particular, the method of inductive assertions, can be adapted to show that a programs maximum or mean execution time is correctly described by specifications supplied with the program. To formally establish the mean execution time, branching probabilities are expressed using inductive assertions which involve probability distributions. Verification conditions are formed and proved which establish that if the input distribution is correctly described by the input specifications, then the inductive assertions correctly describe the probability distributions of the data during execution. Once the inductive assertions are shown to be correct, branching probabilities are obtained and mean computation time is computed.

Complexity of Synthesizing Inductive Assertions

As an adlunct to mechamcal program verification, it is desirable to partmlly mechamze mductwe assertion synthesis. It is generally beheved that mechanical synthesis must be confined to simple assertions or simple extensions to programmer supphed assertions since the general problem of synthesis reqmres deep insight into the programs operation This paper confirms and quantifies this behef A class {R} of programs Is described for which the inductive assertions can be produced directly Then, by extending this class, a new class is obtained for which assertion synthesis reqmres at least nondetermlnlSUC polynomial t~me In fact a specific subset is shown to be NP-complete This yields two results, First, since nondetermimstlc polynomial ume ~s strongly conlectured to require determlmstlc exponenual time, it appears that the general problem of asserUon synthesis Is at least exponentml. Second, the extension from the class {R} is thus shown to be a cause of this time complexity The result is a better understanding of the difficulty of assertion synthesis and its cause