Towards Distributed Ada Tasking
2.3. TESTING AND VERIFYING CONCURRENT SOFTWARE 23
and postcondition for the program. The VCG uses an axiomatic semantics for the programming language to construct a set of verification conditions, which are first-order formulae that must be satisfied in order to prove correctness of the program. The verification conditions are then fed to a theorem prover which attempts to prove the verification conditions using a first-order reasoning system that may be enhanced with proof rules supplied by the programmer. The various concepts developed in their theory of automatic verification ultimately resulted in the development of the Stanford Pascal Verifier [LGvH*79].
The work that has been described so far is suitable for the verification of sequential programs. Owicki and Gries pioneered the theory of verification of parallel programs [OG76], using the basic Hoare-style axiomatic approach. A proof of partial correctness of a parallel program is begun by constructing local proofs of each program task. In order to demonstrate that the program is consistent with its postcondition, it is necessary to introduce auxiliary variables in order to demonstrate non-interference of the local proofs. That is, although each individual task may be proven consistent with the precondition and postcondition, the computation of one task may interfere with the computation of another task (e.g., in reading and writing shared variables). This interference is not taken into account in the local proofs, so the local proofs may be invalid without a demonstration of non-interference. The Owicki-Gries proof system includes axioms for reasoning about auxiliary variables and non-interference. In addition, they described techniques for proving total correctness properties based on a proof of partial correctness.
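A worked instance of the Owicki-Gries method, added here as an illustration and not taken from the thesis: the standard two-task increment program, first with local proofs alone and then with auxiliary variables $d_1, d_2$ (names assumed) and a global invariant $I$.

```latex
\begin{array}{l}
\textbf{Program:}\quad \{x = 0\}\; [\,T_1 :: x := x + 1 \;\|\; T_2 :: x := x + 1\,]\; \{x = 2\} \\[4pt]
\textbf{Local proofs without auxiliary variables:} \\
\quad \{x = 0\}\; x := x + 1\; \{x = 1\} \quad \text{for each of } T_1, T_2 \\
\quad \text{Conjoining the postconditions yields } x = 1, \text{ not } x = 2: \text{ each local proof ignores the other task's update.} \\[4pt]
\textbf{Auxiliary variables } d_1, d_2 \text{ (initially } 0\text{), invariant } I \equiv (x = d_1 + d_2): \\
\quad T_i ::\ \{I \wedge d_i = 0\}\; \langle x := x + 1;\; d_i := 1 \rangle\; \{I \wedge d_i = 1\} \\[4pt]
\textbf{Non-interference (statement of } T_2 \text{ against each assertion of } T_1\text{):} \\
\quad \{(I \wedge d_1 = 0) \wedge (I \wedge d_2 = 0)\}\; \langle x := x + 1;\; d_2 := 1 \rangle\; \{I \wedge d_1 = 0\} \\
\quad \{(I \wedge d_1 = 1) \wedge (I \wedge d_2 = 0)\}\; \langle x := x + 1;\; d_2 := 1 \rangle\; \{I \wedge d_1 = 1\} \\
\quad \text{Both hold: } x' = x + 1 = d_1 + d_2 + 1 = d_1 + d_2' \text{ and } d_1 \text{ is unchanged; symmetrically for } T_1 \text{ against } T_2. \\[4pt]
\textbf{Conclusion:}\quad x = 0 \wedge d_1 = 0 \wedge d_2 = 0 \;\Rightarrow\; I \wedge d_1 = 0 \wedge d_2 = 0, \qquad
(I \wedge d_1 = 1) \wedge (I \wedge d_2 = 1) \;\Rightarrow\; x = 2.
\end{array}
```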
Since the development of the Owicki-Gries proof theory there have been many other approaches to axiomatic verification of parallel programs. The survey by Barringer is a good summary of the major contributions in this area [Bar85]. Apt, Francez and de Roever describe a proof system for CSP which is again based on local proofs of correctness [AFdR80]. Cooperation of the local proofs is demonstrated by proving the satisfaction of a global invariant for the program. Other notable approaches to parallel verification include the CSP proof system of Levin [Lev80], and the proof system of Flon and Suzuki [FS81], which includes axioms and inference rules for proofs of total correctness properties.
The work of Apt, Francez and de Roever has inspired the development of proof systems for Ada tasking. For example, Gerth describes an axiomatization of the Ada rendezvous [Ger82]. Gerth and de Roever [GdR84], and Barringer and Mearns [BM82], both define a proof system for the "CSP subset" of Ada tasking. All of these systems deal only with programs which activate tasks through CSP-style "splitting". Meldal has developed an axiomatic basis for "spawning" of tasks, such as through execution of allocators to activate tasks [Mel87].
A somewhat different approach to verification of parallel programs is based on temporal logic specifications of program behavior [MP81a]. Temporal logic is a first-order logic extended with modal operators for describing temporal, or time-based, properties; these operators are $\Box$ ("always"), $\Diamond$ ("eventually"), $\bigcirc$ ("next") and $U$ ("until"). For example, the temporal formula

$$\Box(\mathit{PRODUCE} \rightarrow \Diamond\,\mathit{CONSUME})$$

says that it is always the case that whenever a PRODUCE operation is performed, a corresponding CONSUME operation will eventually be performed. Temporal logic is well suited to the specification of total correctness properties of programs. Hailpern developed heuristics for temporal-based specification and verification of parallel programs [Hai80], and other temporal proof principles have been described by Manna and Pnueli [MP81b]. Nguyen et al. described a temporal proof system for a computation model in which interprocess communication takes place solely through special communication ports [NGO85]. Pnueli and de Roever described a temporal-based approach to reasoning about a small subset of Ada tasking [PdR82], based on an operational semantics of the rendezvous.
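As an added example, not taken from the thesis, the following Python evaluates the four operators just named over a recorded execution trace and checks the PRODUCE/CONSUME formula against it. The finite-trace semantics (the thesis reads formulae over infinite computations) and the representation of a trace as a list of sets of operation names are assumptions.

```python
# Finite-trace evaluator for the temporal operators always, eventually,
# next and until. A formula is a function (trace, position) -> bool;
# a trace is a list of states, each state being the set of operations
# performed at that step. Constructed example; finite-trace semantics is
# an assumption (a trace ends, so "next" is false at the last position).

def always(phi):
    # phi holds at every position from i to the end of the trace
    return lambda tr, i: all(phi(tr, j) for j in range(i, len(tr)))

def eventually(phi):
    # phi holds at some position from i onwards
    return lambda tr, i: any(phi(tr, j) for j in range(i, len(tr)))

def nxt(phi):
    # phi holds at the immediately following position, if there is one
    return lambda tr, i: i + 1 < len(tr) and phi(tr, i + 1)

def until(phi, psi):
    # psi holds at some k >= i and phi holds at every position i..k-1
    def ev(tr, i):
        for k in range(i, len(tr)):
            if psi(tr, k):
                return True
            if not phi(tr, k):
                return False
        return False
    return ev

def op(name):
    # atomic proposition: operation `name` is performed at this step
    return lambda tr, i: name in tr[i]

def implies(phi, psi):
    return lambda tr, i: (not phi(tr, i)) or psi(tr, i)

# The formula from the text: always(PRODUCE -> eventually CONSUME).
# Note it only requires some later CONSUME; it does not pair each
# PRODUCE with its own CONSUME.
PRODUCE_CONSUME = always(implies(op("PRODUCE"), eventually(op("CONSUME"))))

def check(formula, trace):
    # evaluate a formula at the start of a trace
    return formula(trace, 0)

# Constructed traces: GOOD satisfies the formula, BAD ends with an
# unconsumed PRODUCE, which the finite-trace check reports as a violation.
GOOD = [{"PRODUCE"}, set(), {"CONSUME"}, {"PRODUCE"}, {"CONSUME"}]
BAD = [{"PRODUCE"}, {"CONSUME"}, {"PRODUCE"}, set()]
```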
Many ideas from program verification have been borrowed for the development of practical systems for automated testing of software, often based on automatic runtime checking of formal specifications of the intended behavior of the software. Such ideas have been applied to checking the correctness of language implementations. For example, Bird and Muñoz described a system for automatically generating large, random test programs for testing the correctness of a PL/I compiler [BM83]. In addition, the validation of Ada compilers is carried out using the Ada Compiler Validation Capability (ACVC), a huge suite of programs for testing the correctness of an Ada implementation [Ada87]. Klarund described an extended temporal logic called Temporal Rule Logic (TRL) [Kla85] for the specification of Ada tasking programs; TRL was developed from a perceived weakness in the power of the ACVC in checking the implementation of Ada tasking. The power and usefulness of the ACVC test suite will be discussed in detail in Chapter 6.
2.3.4 Machine-Processable Specification Languages
In applying formal methods to verification and testing of concurrent programs, formal specifications are expressed in a machine-processable specification language. The specifications