
and Luckham nevertheless represents the first major step toward automating the detection of erroneous behavior in concurrent software. Natarajan used some of the ideas of Helmbold and Luckham in the development of a distributed deadlock detection algorithm [Nat86].

2.3.3 Formal Verification of Parallel Programs

Formal program verification, or mathematical proof of program correctness, was looked upon for many years as the ultimate solution to the problem of developing software that meets its specifications. Today it is considered a powerful complement to program testing. The testing methodology to be described later in this thesis is based on a mixture of both verification and testing, using automatic runtime checking of formal specifications as a viable compromise between the two extremes. Since the programmer must have a thorough conception of the purpose and intended behavior of a software system, it is reasonable to require the development of a formal model of what is considered correct behavior so that techniques from verification theory may be applied in testing the software.

Program verification involves reasoning about the behavior of programs based on a formal semantics of the source programming language. The development of a formal syntax for ALGOL60 represents one of the most important developments in the formal description of programming languages [Nau63]. Since then various models have been suggested for formally describing the semantics of programming languages. For example, a denotational semantics gives a mathematical interpretation of each program construct according to its effect on the global program state [SS71,Ten76]. In a similar vein, the Vienna Definition Language (VDL) is used to define a language semantics by formally describing an abstract interpreter for the language [Weg72b]. An attribute grammar is a syntax-directed method of specifying language semantics; an attribute grammar associates semantic attributes with nodes in an abstract syntax tree (AST) representation of a program [ASU86]. An operational semantics defines a language in terms of an abstract implementation [Weg72a].

By far, however, the most popular and most easily understood semantic model for verification is an axiomatic semantics, as first described in Hoare's landmark paper [Hoa69] and as first illustrated successfully by the full axiomatic definition of Pascal [HW73]. An axiomatic semantics defines a programming language by a set of axioms and rules of inference (proof rules) that are satisfied by the execution of all programs written in the language; the axioms and proof rules are usually specified using first-order predicate calculus [MW85]. Such a description is naturally suited to the theorem-proving orientation of program verification as it has developed over the past two decades.

The origins of axiomatic program verification are usually credited to the papers of Floyd [Flo67] and Hoare [Hoa69], who described similar approaches to proving program correctness. Floyd's approach is based on dividing a correctness proof into smaller proofs of each linear path in the program, which is usually represented by a flowchart. Hoare further formalized this proof process by defining an axiom for each class of language statement, based on a precondition and postcondition for the statement. For example, the axiomatic semantics of an assignment statement is given by the following axiom:

\[
\vdash \{P^{x}_{e}\}\; x := e\; \{P\}
\]

This axiom says that in order for the above assignment statement to terminate in a state satisfying some arbitrary postcondition $P$, it must begin execution in a state satisfying a precondition which is the predicate formed when all free occurrences of the variable $x$ in $P$ are replaced with the expression $e$.

Given a desired precondition and postcondition for a full program, a correctness proof is carried out using the full set of axioms and proof rules for the programming language. More accurately, a program is proven to be consistent with its given precondition and postcondition; from this consistency proof, one may decide that the program is correct. A proof carried out entirely within the given axiomatic system is said to be a proof of partial correctness. That is, the program is correct if it terminates. Since knowledge about termination is not built into the proof system, one must perform reasoning outside the proof system to conclude that termination actually takes place. Floyd's paper included techniques for proving termination of potentially non-terminating program constructs (e.g., loops) within a partial correctness framework. This is done by introducing for each loop a counter expression that is bounded below (e.g., by zero) and must strictly decrease on every iteration; since such a value cannot decrease forever, the loop must terminate. A system that includes explicit axioms and rules for proving termination is said to support proof of total correctness.

Apt has surveyed the large amount of research in verification that was generated by Hoare's initial paper [Apt81]. The theory of automatic program verification was pioneered by Luckham et al. [ILL75]. The approach they describe requires the programmer to provide assertions at certain places in the program text (e.g., an invariant assertion for each loop). A program enhanced in this way is fed to a verification condition generator (or VCG) along with the desired precondition
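As an added example, not taken from the thesis or from any of the tools it describes, the following Python makes two points from the text above executable in the runtime-checking spirit of the thesis: `substitute` computes the precondition $P^x_e$ of the assignment axiom by syntactic substitution on a parsed predicate; `check_triple` tests a Hoare triple by running the statement from every start state in a small integer domain (a test, not a proof); and `check_loop` executes a loop annotated with an invariant (partial correctness) and a variant that must stay non-negative and strictly decrease on every iteration (the termination argument needed for total correctness). Python's `=` stands in for `:=`, and the division-by-repeated-subtraction loop, its annotations and the integer domain are constructed for this example.

```python
"""Added example: Hoare's assignment axiom and loop variants as runtime checks.

Predicates and program fragments are Python expression/statement strings over
integer variables. Nothing here is from the thesis's own tools (Python 3.9+).
"""
import ast
import copy
import itertools

# Annotations are trusted text written by the programmer, not user input, but
# builtins are stripped anyway so a predicate can only read the program state.
NO_BUILTINS = {"__builtins__": {}}


class _Subst(ast.NodeTransformer):
    """Replace every free (read) occurrence of variable `var` by expression `expr`."""

    def __init__(self, var, expr):
        self.var, self.expr = var, expr

    def visit_Name(self, node):
        if node.id == self.var and isinstance(node.ctx, ast.Load):
            # Fresh copy per occurrence so the AST stays a tree.
            return ast.copy_location(copy.deepcopy(self.expr), node)
        return node


def substitute(pred, var, expr):
    """Return P^x_e: `pred` with every free occurrence of `var` replaced by `expr`.

    By Hoare's assignment axiom this is exactly the precondition under which
    `var = expr` terminates in a state satisfying `pred`.
    """
    tree = ast.parse(pred, mode="eval")
    replacement = ast.parse(expr, mode="eval").body
    return ast.unparse(_Subst(var, replacement).visit(tree))


def check_triple(pre, prog, post, variables, values=range(-3, 4)):
    """Test {pre} prog {post} by execution from every state in a finite domain.

    Returns None when no start state satisfying `pre` leads to a state
    violating `post`, otherwise the first counterexample start state. This is
    runtime checking over a sample of states, not a proof over all of them.
    """
    for combo in itertools.product(values, repeat=len(variables)):
        start = dict(zip(variables, combo))
        if not eval(pre, NO_BUILTINS, dict(start)):
            continue                      # precondition not met: triple says nothing
        state = dict(start)
        exec(prog, NO_BUILTINS, state)    # assignments land in the `state` dict
        if not eval(post, NO_BUILTINS, state):
            return start
    return None


def check_loop(state, guard, body, invariant, variant, max_iter=10_000):
    """Run `while guard: body`, checking an invariant and a termination variant.

    Returns (verdict, final_state). "ok": every obligation held. "invariant":
    partial correctness failed. "variant": the ranking expression was negative
    or did not strictly decrease, so termination cannot be concluded even if
    the invariant keeps holding (partial but not total correctness).
    """
    state = dict(state)
    if not eval(invariant, NO_BUILTINS, state):
        return "invariant", state
    for _ in range(max_iter):
        if not eval(guard, NO_BUILTINS, state):
            return "ok", state
        before = eval(variant, NO_BUILTINS, state)
        if before < 0:
            return "variant", state
        exec(body, NO_BUILTINS, state)
        if not eval(invariant, NO_BUILTINS, state):
            return "invariant", state
        if not eval(variant, NO_BUILTINS, state) < before:
            return "variant", state
    return "variant", state   # iteration bound exhausted: no termination evidence


# Constructed annotations: integer division of a by b via repeated subtraction.
DIVIDE = dict(guard="r >= b", body="r -= b; q += 1",
              invariant="a == q * b + r and r >= 0", variant="r")

if __name__ == "__main__":
    post = "x > 0 and x < 10"
    pre = substitute(post, "x", "y + 1")            # y + 1 > 0 and y + 1 < 10
    print(pre, check_triple(pre, "x = y + 1", post, ["x", "y"]))
    # A precondition that does not imply P^x_e is refuted by a counterexample.
    print(check_triple("y > -2", "x = y + 1", post, ["x", "y"]))
    print(check_loop({"a": 7, "b": 2, "q": 0, "r": 7}, **DIVIDE))
    # b == 0: the invariant holds on every iteration, but r never decreases.
    print(check_loop({"a": 7, "b": 0, "q": 0, "r": 7}, **DIVIDE))
```

The `b == 0` run is the distinction the text draws: a check of the invariant alone (partial correctness) would pass on every iteration forever, and only the variant check, which is the runtime analogue of Floyd's strictly decreasing counter, reports that termination cannot be concluded.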

2.3. TESTING AND VERIFYING CONCURRENT SOFTWARE 23