Donald I. Good

Principles of proving concurrent programs in Gypsy

Concurrency in Gypsy is based on a unique, formal approach to specifying and proving systems of concurrent processes. The specification and proof methods are designed so that proofs of individual processes are totally independent, even when operating concurrently. These methods can be applied both to terminating and non-terminating processes, and the proof methods are well suited to automated verification aids. The basic principles of these methods and their interaction with the design of Gypsy are described.

Gypsy: A language for specification and implementation of verifiable programs

An introduction to the Gypsy programming and specification language is given. Gypsy is a high-level programming language with facilities for general programming and also for systems programming that is oriented toward communications processing. This includes facilities for concurrent processes and process synchronization. Gypsy also contains facilities for detecting and processing errors that are due to the actual running of the program in an imperfect environment. The specification facilities give a precise way of expressing the desired properties of the Gypsy programs. All of the features of Gypsy are fully verifiable, either by formal proof or by validation at run time. An overview of the language design and a detailed example program are given.

Computer Interval Arithmetic: Definition and Proof of Correct Implementation

A definition is given of computer interval arithmetic suitable for implementation on a digital computer. Some computational properties and simplifications are derived. An ALGOL code segment is proved to be a correct implementation of the definition on a specified machine environment.

Constructing verified and reliable communications processing systems

A comprehensive methodology that has been developed for constructing verifiably reliable and secure computing systems is summarized. The methodology can be applied to many different kinds of systems, but is specifically oriented toward communications processing systems. The methodology is a system of methods for attaining total system reliability and is based on constructing verified software and highly reliable hardware. The methodology has been formulated by bringing a diversity of advanced research concepts to bear on the real problems of communications systems. This has led to the development and integration of* program specification methods* program proof methods* program validation methods* a program design language* a program design system* hardware designs to support verified software* hardware reliability analysis and enhancement methods into a coherent methodology for constructing verifiably reliable and secure systems. The methodology has been successfully applied to the experimental design of a secure message switching system structured as a packet-switched computer network.

An interactive program verification system

This paper is an initial progress report on the development of an interactive system for verifying that computer programs meet given formal specifications. The system is based on the conventional inductive assertion method: given a program and its specifications, the object is to generate the verification conditions, simplify them, and prove what remains. The important feature of the system is that the human user has the opportunity and obligation to help actively in the simplifying and proving. A general description is given of the overall design philosophy, structure, and functional components of the system, and a simple sorting program is used to illustrate both the behavior of major system components and the type of user interaction the system provides.

Mechanical proofs about computer programs

Publisher Summary This chapter provides an overview of the mechanical proofs about computer programs. One of the major problems with the current practice of software engineering is an absence of predictability. Within current software engineering practice, the only sound way to make a precise, accurate prediction about how a software system will behave is to build it and run it. In contrast to software engineering, mathematical logic provides a sound, objective way to make accurate, precise predictions about the behaviour of mathematical operations. The Gypsy verification environment is a large, interactive computer program that supports the construction of formal, mathematical proofs about the behaviour of software systems. In practice, the use of this mathematical approach to software engineering requires very careful management of large amounts of detailed information. The Gypsy environment is an experimental system that has been developed to explore the viability of applying these methods in actual practice. The environment, therefore, contains tools for supporting the normal software development process and tools for constructing formal proofs.

Provable programming

Techniques are presented for the design of computer programs that are proved to meet stated specifications. The design strategy is the simultaneous step-wise refinement of both the program and its proof so that at each step the program constructed so far is proved. At each step, the specifications for a single program unit are given, the unit is designed, and then proved, by automatically supportable methods, before going on to successive steps. The proof i) shows that the program unit meets its specifications, ii) exhibits any assumptions the unit makes about the problem domain, and iii) defines the specifications for units to be designed in later steps. The design process is based on the refinement of operational and data abstractions in both the program and its specifications. These abstractions are what allow the proof at each step to be supported by automatic, or interactive, program proving systems. The abstractions also keep the proofs of the individual units at an appropriate level of abstraction and also largely independent, thus significantly reducing the size of the complete proof of the entire program. These techniques of provable programming are illustrated by two examples.

Generics and verification in Ada

This paper explores the restrictions a mechanism in the style of the Ada generics facility would have to satisfy in order to be amenable to existing verification techniques. “Generic verification” is defined and defended as the appropriate goal for any such facility. Criteria are developed for generic verification to be possible and then Ada is evaluated with respect to these criteria. An example of the application of these techniques to an Ada unit is presented to show that generic verification is possible at least on a subclass of Ada generic units. Finally some potential applications of verified generic units are presented.

A preliminary evaluation of verifiability in Ada

In this paper we examine Ada with regard to program verification and make certain suggestions towards writing potentially provable Ada programs. We attempt to isolate and discuss those features of Ada which are not susceptible to current verification techniques. From verifiability considerations, the most critical features in Ada appear to be those which deal with data sharing under concurrent processing, direct referencing of non-local variables, access variables, “approximate” data-types, and generic program units. The independence of program units along with well defined interfaces for interactions is presented as desirable not only from software engineering aspects but also from the formal proof considerations. However, the possibility of having a large number of variables, potentially sharable among concurrent processes, is likely to make the proofs of Ada programs unmanageable. It is asserted, however, that with a certain discipline on the programmer verifiable programs can be written in Ada.

Design of a Verifiable Subset for HAL/S

An attempt to evaluate the applicability of program verification techniques to the existing programming language, HAL/S is discussed. HAL/S is a general purpose high level language designed to accommodate the software needs of the NASA Space Shuttle project. A diversity of features for scientific computing, concurrent and real-time programming, and error handling are discussed. The criteria by which features were evaluated for inclusion into the verifiable subset are described. Individual features of HAL/S with respect to these criteria are examined and justification for the omission of various features from the subset is provided. Conclusions drawn from the research are presented along with recommendations made for the use of HAL/S with respect to the area of program verification.