We describe a project to refine the idea of proof-directed debugging. The intention is to clarify the mechanisms by which failed verification attempts can be used to isolate errors in code, in particular by exploiting the ways in which the branching structure of a proof can match the the structure of the functional program being verified. Our intention is to supply tools to support this process. We then further discuss how the proof planning paradigm might be used to supply additional automated support for this and, in particular ways in which the automation of proof-directed debugging with proof planning would allows code patches to by synthesised at the same time that a bug is located and diagnosed. 1

www.jpbowen.com

This note briefly discusses the relationship between program correctness and satisfaction of system requirements. The concept of program correctness assumes the existence of a formal program specification. In software-intensive systems such a specification may be hard to obtain and will unavoidably involve formalisation of the natural, non-formal problem world which can be checked by verification tools. Problem structure in such systems exhibits characteristic patterns that are not commonly found elsewhere—both patterns of individual components and patterns of their composition. These patterns affect the structure of the system development steps and documentation, including software and specification texts, and suggest potentially useful forms of verification and verification output. The inevitably imperfect formalisation of the nonformal problem world poses major difficulties, but here too appropriate verification tools can contribute to system reliability.

The Verifying Compiler (VC) project is a core component of the Dependable Systems Evolution Grand Challenge. The VC offers the promise of automatically proving that a program or component is correct, where correctness is defined by program assertions. While several VC prototypes exist, all adopt a semantics for assertions that is unsound. This paper presents a consolidation of VC requirements analysis activities that, in particular, brought us to ask targeted VC customers what kind of semantics they wanted. Taking into account both practitioners ’ needs and current technological factors, we offer recovery of soundness through an adjusted definition of assertion validity that matches user expectations and can be implemented practically using current prover technology. We describe how support for the new semantics has been added to ESC/Java2, one of the most fully developed VC prototypes. Preliminary results demonstrate the effectiveness of the new semantics at uncovering previously indiscernible specification errors. 1

Abstract. Provably correct compilation is an important aspect in development of high assurance software systems. In this paper we explore approaches to provably correct code generation based on programming language semantics, particularly Horn logical semantics, and partial evaluation. We show that the definite clause grammar (DCG) notation can be used for specifying both the syntax and semantics of imperative languages. We next show that continuation semantics can also be expressed in the Horn logical framework. 1

cousot � mit�edu

In model based formal methods, incompatible tools for different techniques is the norm. However, greater applicability to industrial scale systems increasingly requires combining the strengths of different techniques, in line with the Verification Grand Challenge. The Frog tool embodies a construct-based specification syntax, and its meta-language Frog-CCL allows the generic configuration of both a construct’s syntax and its proof obligations. For a specific system, Frog generates the system’s verification conditions mechanically from the generic ones. Relationships between systems such as refinement and retrenchment can be configured. An example retrenchment between two simple systems illustrates the technique. 1.

Abstract. Many well-established concepts of object-oriented programming work for individual objects, but do not support object structures. The development of a verifying compiler requires enhancements of programming theory to cope with this deficiency. In this paper, we support this position by showing that classical specification and verification techniques support invariants for individual objects whose fields are primitive values, but are unsound for invariants involving more complex object structures. We have developed an ownership model, which allows one to structure the object store and to restrict reference passing and the operations that can be performed on references. We use this model to generalize classical object invariants to cover such object structures. We summarize the state of our work and identify open research challenges. 1

Abstract. In this paper we discuss the application of a range of techniques to the verification of mission critical flight software for a JPL mission. It is clear that for this type of application we want to achieve a higher level of confidence than can be achieved through standard software testing. Unfortunately, given the current state of the art, especially if one has to comply with the tight deadlines and resource limitations of a flight project, it is not feasible to produce a rigorous formal proof of correctness of a flight file system. This means that we must look for a practical alternative in the gray area between traditional testing and proof, trying to optimize rigor and coverage as much as possible. The approach that we describe here is based on a combination of random testing, model checking, and static source code analysis. The results we have obtained are encouraging, and suggest that for more complex properties of programs with complex data structures, it is possibly more beneficial to use constraint solvers to guide execution (i.e., testing, even if performed by a model checking tool) than to translate the program and property into a set of constraints, as in abstraction-based and bounded model checkers.

Submitted for publication