A Heuristic Approach to Program Verification

Authors

  • Shmuel Katz
  • Zohar Manna
Abstract

We present various heuristic techniques for use in proving the correctness of computer programs. The techniques are designed to obtain automatically the "inductive assertions" attached to the loops of the program which previously required human "understanding" of the program's performance. We distinguish between two general approaches: one in which we obtain the inductive assertion by analyzing predicates which are known to be true at the entrances and exits of the loop (top-down approach), and another in which we generate the inductive assertion directly from the statements of the loop (bottom-up approach).

I. Introduction

The desirability of proving that a given program is correct has been noted repeatedly in the computer literature. Floyd [1967] has provided a proof method for showing partial correctness of iterative (flowchart) programs, that is, it shows that if the program terminates, a given input-output relation is satisfied. The method involves cutting each loop of the program, attaching to each cutpoint an "inductive assertion" (which is a predicate in first-order predicate calculus), and constructing verification conditions for each path from one assertion to another (or back to itself). The program is partially correct if all the verification conditions are valid. Elements of these techniques have been shown amenable to mechanization. King [1969], for example, has actually written a 'verifier' program which, given the proper inductive assertions for programs written in a simplified Algol-like language, can prove partial correctness.

Thus, it is fairly clear that the parts of this method which involve generating verification conditions from inductive assertions and then proving or disproving their validity is a difficult but programmable problem. However, as King puts it, finding a set of assertions to 'cut' each loop of the program "depends on our deep understanding of the program's performance and requires some sophisticated intellectual endeavor".

In this paper we show some general heuristic techniques for automatically finding a set of inductive assertions which will allow proving partial correctness of a given program. More precisely, we are given a flowchart program with input variables x (which are not changed during execution), program variables y (used as temporary storage during the execution of the program), and output variables z (which are assigned values only at the end of the execution). In addition, we are given "input predicate" φ(x), which puts restrictions on the input variables, and "output predicate" ψ(x,z), which indicates the desired relation between the input and output variables. Given a set of cutpoints which cut all the loops, our task is to attach an appropriate inductive assertion Q_i to each cutpoint i.

We distinguish between two general approaches:

(a) top-down approach, in which we obtain the inductive assertion inside a loop by analyzing the predicates which are known to be true at the entrances and exits of the loop, and

(b) bottom-up approach, in which we generate the inductive assertion of a loop directly from the statements of the loop.

For "toy" examples, having only a single loop, it is generally clear that the top-down approach is the natural method to use. However, this is definitely not the case for real (nontrivial) programs with more complex loop structure. In this case some bottom-up techniques were found indispensable. Most commonly we have found it necessary to combine the two techniques, with the bottom-up methods dominant.

Preliminary attempts to attack the problem of finding assertions have been made by Floyd [private communication] and Cooper [1971]. Heuristic rules basically similar to some of our top-down rules have been discovered independently by Wegbreit [1973]. Elspas, et al. [1972], used "difference equations" derived from the program's statements, which is, in essence, a bottom-up approach.

We handle programs with arrays separately, since generating assertions involving quantification over the indices of arrays requires special treatment. Thus in Section II we discuss heuristic techniques for flowchart programs without arrays, while in Section III we extend the treatment to programs with arrays. In Section IV (conclusion) we discuss open problems and possible implications of our techniques. Related problems where these approaches seem applicable include proving termination of programs, and discovering the input and




Publication date: 1973