In search of sofware perfection Xavier Leroy 2019-08-21 Coll` ege de France and Inria 1
A formative experience (Jan 1988) — Your 100 000 lines of code embedded in Ariane 4... Are you sure there are no bugs? — Sir! We tested them very carefully! 2
Second formative experience (Spring 1988) — I’m looking for a summer internship in systems programming or maybe in compilation. — Well, I know a language that could use more compilation work. It’s called CAML. 3
Program proof
Verification of high-assurance sofware Mostly code reviews and lots of tests. Limitations: • Incomplete: cannot explore all possible behaviors of the program. Testing shows the presence, not the absence of bugs. E. W. Dijkstra, 1969 • Expensive: writing and validating the test suite against the specifications is hugely expensive at the highest assurance levels. 4
Formal verification Using computation and deduction, establish properties that hold of all possible executions of the program. Properties range from robustness (no crashes) to full correctness (w.r.t. specifications). 5
An old idea Alan Turing, Checking a large routine , 1949 . Talk given at the inaugural conference of the EDSAC computer, Cambridge University, June 1949. The manuscript was corrected, commented, and republished by F.L. Morris and C.B. Jones in Annals of the History of Computing , 6, 1984. 6
Turing’s “large routine” Compute n ! using additions only. Two nested loops. int fac (int n) { int s, r, u, v; u = 1; for (r = 1; r < n; r++) { v = u; s = 1; do { u = u + v; } while (s++ < r); } return u; } 7
Turing’s “large routine” No structured programming in 1949; just flowcharts. F. L. Morris & C. B. Jones * Turing Proof 0 D STOP I---+ 0 A 0 0 G E - , r’=l \ v’=u +-- TESTr-n + s’=l : :- l/‘=u+v : s’=s+l I u’ = 1 \, /. A 0 F - + TESTS-r I I .p r’=r+l-\ , Figure 1 (Redrawn from Turing’s original) Conference Discussion (from page 70 of the conference at Manchester University, who had played a leading report) part in setting up the Manchester computer project, 8 Prof. Hartree said that he thought that Dr Turing had and D. R. Hartree, then professor of mathematical used the terms “induction” and “inductive variable” in a physics at Cambridge University, who had been a misleading sense since to most mathematicians induction moving force both at the NPL and at Cambridge. would suggest “mathematical induction” whereas the pro- We now turn to a discussion of Turing’s proof cess so called by von Neumann and Turing often consisted method. Present methods might combine Turing’s of repetition without logical connection. Prof. Newman sug- gested that the term “recursive variable” should be used. Dr Figures 1 and 2 into a flowchart that includes the Turing, however, still thought that his original terminology assertions. Figure A is an annotated flowchart in the could be justified. style of Floyd (1967). Two significant differences be- tween Figure A and Turing’s presentation may be Comments observed. The contributors to the conference discussion were 1. In the Floyd style, assertions may be any propo- sitions relating the values of the variables to each M. H. A. Newman, then professor of pure mathematics (INITIAL) (STOP) STORAGE @ @O@O 0 0 LOCATION k=6 k=5 k=4 k=O k=3 k=l k=2 I 27 s+l I S S r r r r r 28 :: n n n n n (s Jl)Lr (s :1,Lf L’ Sk 1L 31 II TO @ TO @ TO @ WITH r’ = 1 IFr=n v WITHY = r + 1 u’ = 1 TO @ IFsrr IFr-cn TO @ WlTHs’=s+l .- (Redrawn from Turing’s original) Figure 2 Annals of the History of Computing, Volume 6, Number 2, April 1984 141 l
F. L. Morris & C. B. Jones * Turing Proof 0 D STOP I---+ 0 A 0 0 G E - , r’=l \ v’=u +-- TESTr-n + s’=l : :- l/‘=u+v : s’=s+l I u’ = 1 \, /. A 0 F - + TESTS-r I I .p r’=r+l-\ , 1 (Redrawn from Turing’s original) Figure Conference Discussion (from page 70 of the conference at Manchester University, who had played a leading report) part in setting up the Manchester computer project, Prof. Hartree said that he thought that Dr Turing had and D. R. Hartree, then professor of mathematical used the terms “induction” and “inductive variable” in a Turing’s genius idea physics at Cambridge University, who had been a misleading sense since to most mathematicians induction moving force both at the NPL and at Cambridge. would suggest “mathematical induction” whereas the pro- We now turn to a discussion of Turing’s proof cess so called by von Neumann and Turing often consisted method. Present methods might combine Turing’s of repetition without logical connection. Prof. Newman sug- gested that the term “recursive variable” should be used. Dr Figures 1 and 2 into a flowchart that includes the Turing, however, still thought that his original terminology assertions. Figure A is an annotated flowchart in the could be justified. style of Floyd (1967). Two significant differences be- tween Figure A and Turing’s presentation may be Every program point is associated with a logical invariant: a Comments observed. 1. In the Floyd style, assertions may be any propo- relation between values of variables that hold in every execution. The contributors to the conference discussion were M. H. A. Newman, then professor of pure mathematics sitions relating the values of the variables to each (INITIAL) (STOP) STORAGE @ @O@O 0 0 LOCATION k=6 k=5 k=4 k=O k=3 k=l k=2 I 27 s+l I S S 28 r r r r r :: n n n n n (s Jl)Lr (s :1,Lf L’ Sk 1L 31 II TO @ TO @ TO @ WITH r’ = 1 IFr=n v WITHY = r + 1 u’ = 1 TO @ IFsrr IFr-cn TO @ WlTHs’=s+l .- Figure 2 (Redrawn from Turing’s original) Annals of the History of Computing, Volume 6, Number 2, April 1984 141 l 9
Recommend
More recommend
