Verifying performance requirements by Cross, Joseph
N89-16358 
VERIFYING PERFORIUWCR REQUIRKKKHTS 
BY 
Dr. Joseph Cross 
Sperry Corporation 
St. Paul, MN 
(612) 456-7316 
INTRODUCZCION 
The thesis presented in this paper is that today, it is in 
general impossible to verify that the performance requirements on 
a software program will be met. A n  approach to a partial 
solution to this problem is presented. 
The next section of this paper, Problem Definition, defines 
the problem to be addressed, and defines related terms as they 
are used below. 
The following section, Obstacles to Verifying Performance 
Requirements, presents the reasons why performance requirements 
are, today, difficult to verify. 
The section on Methods for Verifying Performance Requirements 
briefly presents methods in use today, and proposes an 
alternative approach to overcome some of the remaining 
difficulties. 
P R O B W  DEFINITION 
A "performance requirement" is a requirement on the speed of a 
function performed by software. Much of the following applies 
equally well to requirements on the amount of memory used by a 
software function. An example of a performance requirement is 
"The interval between updates to each track shall be on the 
average at most two seconds, and in no case longer than five 
seconds." Note that while performance requirements are, at the 
user level, generally stated in elapsed time, these requirements 
may be recast at lower levels of design into units of processor 
utilization. 
"Verifying" a specific requirement on a specific software 
development work product refers to determining whether that 
requirement is fulfilled by that work product. The requirements 
on the work products of each phase of software development are 
results of the preceding phase, except for the system 
requirements, which are input to the entire software development 
process. A work product WP is said to satisfy a requirement R if 
system produced according to the requirements set forth in WP 
F.3.1.1 
https://ntrs.nasa.gov/search.jsp?R=19890006987 2020-03-20T03:42:28+00:00Z
(and its sibling work products, if any) will meet the requirement 
R. Verifying a software development work product in its entirety 
also entails checking its completeness, consistency, feasibility, 
and testability [11. 
For example, to verify that a detailed design satisfies a 
requirement, such as the example requirement above, is to 
determine whether any system produced in accord with that 
detailed design could fail to exhibit the required behavior. 
Moreover, verifying the entire detailed design requires 
determining whether there is at least one system that can be 
built in accord with that detailed design. 
Of course, what work products are produced and what are the 
phases of software development depend on the approach to software 
development in use. In the conventional approach, the phases are 
requirements analysis, design (often subdivided into high-level 
design and detailed design). and implementation; the work 
products of which are a requirements specification, a design 
document (or documents), and code, respectively. In the 
operational approach to software development, the first phase 
produces a prototype/executable specification, which is intended 
to satisfyldefine all requirements except performance 
requirements; then a second phase transforms that 
prototype/executable specification into a program with the same 
behavior except that the performance requirements are met [2]. 
In order to minimize the dependence of the following 
discussion on the approach to software development in use, it 
will be assumed below that the work product on which performance 
requirements are to be verified is a body of compiled but 
untested Ada (tm) code. (Ada is a registered trademark of the 
U.S. Government, Ada Joint Program Office.) This body of code 
could represent a detailed design in the conventional approach, 
or an intermediate step in the transformation of a 
prototype/executable specification in the operational approach. 
In order to make the issues involved in the verification of 
performance requirements as simple as possible, it will be 
assumed that a target machine is given and fixed throughout the 
discussion. Here "target machine" refers to the virtual machine 
on which compiled code is to run: one or more processors, 
memories, communication channels, together with run-time support 
software such as operating systems. This target machine is 
assumed to be the target of a valid implementation of the Ada 
language. 
Note that while the assumption of a single, known, target 
machine is reasonable in the Space Station environment, it is not 
reasonable in other environments in which the target machines 
that will execute the software may be unknown. We are fortunate 
in this regard. I 
The term "mapping" will be used to refer to the association 
between design-level objects and run-time objects. For example, 
a subprogram may be mapped onto a segment of memory-resident 
machine code, or it may be mapped into many similar segments of 
~ F. 3.1.. 2 
machine code (as it would be if it were inlined), or it may be 
mapped into nothing (as may be the case for type conversion 
functions). As another example, a data object may be mapped into 
a location in the main memory of one computer, into a register of 
one computer, or into several locations in several computers (as 
would be the case if redundant data were being maintained). 
The function of mapping a program is generally distributed 
among the compiler, linker, loader, and run-time system. 
Note that one of the goals of the Ada language design was to 
include in the source code all details of the program that define 
its semantics, except f o r  pe rformance iss ues. That is, by 
examination of only the source code of an Ada program, without 
considering other information such as linker directives, it is 
possible to determine (within limits) its behavior as an 
input-output process: however, it is not possible to determine 
its timing. For this reason, it is necessary to use additional 
information, above and beyond the source code, to verify 
performance requirements. 
OBSTACLES To VERIFYING PERFORMANCE REQUIREMENTS 
This section describes several reasons why verification of 
performance requirements is not a straightforward task, even 
given a design that has been carried to the level of compiled Ada 
code, and a well-defined target machine. 
UNSPECIFIED MAPPING ONTO THE TARGET 
Perhaps the major obstacle to verifying performance 
requirements on a design presented as Ada code is that lack of 
information concerning the mapping of the program onto the target 
machine. It is only in the mapping information that 
performance-critical issues such as the following are dealt with: 
* Optimizations. These include low-level optimizations 
such as dead code detection and constraint check 
elimination, and high-level optimizations such as 
subprogram inlining and monitor task optimizations. 
* Target resource allocation. This includes the 
assignment of tasks to processors (whether the 
assignment is static or dynamic), the allocation of 
data to memory (registers or main memory, resident or 
non-resident, and arrangement into memory banks or 
pages), and backup and casualty configurations. 
* Implementation dependencies. These include all the 
implementation dependencies allowed by the Ada 
language definition, such as the number of task 
priorities, task scheduling algorithm within a 
priority, and interrupt handling methods. 
F.3.1.3 
A s  an example of t he  importance of these i s s u e s ,  no te  tha t  it i s  
p o s s i b l e  t o  cons t ruc t  an A d a  program tha t  w i l l  deadlock under one 
legal task scheduling a lgo r i thm,  but not  under another  legal task 
schedul ing a lgor i thm.  
Note t ha t  a large amount of the opt imiza t ion  and target 
resource  a l l o c a t i o n  data can change as a r e s u l t  of an appa ren t ly  
small change i n  the  des ign .  For example, the d e c l a r a t i o n  of a 
small data ob jec t  can cause t he  a l l o c a t i o n  by the compiler of 
s ta t ic  data t o  memory banks t o  be s i g n i f i c a n t l y  r e v i s e d ,  with 
p o t e n t i a l l y  important changes t o  t iming .  T h i s  effect i s  
p a r t i c u l a r l y  pronounced i f  a g l o b a l l y  optimizing compiler i s  
used.  
NON-CATEGORICAL SPECIFICATIONS 
A " c a t e g o r i c a l "  s p e c i f i c a t i o n  i s  one which d e f i n e s  only one 
target system. O f  cou r se ,  des ign  s p e c i f i c a t i o n s  are g e n e r a l l y  
in tended  t o  be non-ca tegor ica l ,  t h a t  i s ,  t o  permit s u b s t a n t i a l  
freedom i n  their  implementation. 
The problem of non-categorical  s p e c i f i c a t i o n s  i s  tha t  i f  t o o  
much freedom of implementation remains, there can be a 
combinatorial explosion in the number of cases requiring 
examination i n  order  t o  v e r i f y  a requirement.  For  example, 
cons ider  a target machine tha t  c o n s i s t s  of 3 dissimilar 
processors  connected by communication channels .  I f  the program 
c o n t a i n s  12 tasks,  and i f  t h e  des ign  does not c o n s t r a i n  the  
power (1?28) c o n f i g u r a t i o n s ,  each of which r e q u i r e s  v e r i f i c a t i o n .  
Each choice l e f t  open by t h e  des ign  p o t e n t i a l l y  m u l t i p l i e s  t he  
number of  conf igu ra t ions  tha t  must be dealt w i t h  i n  v e r i f i c a t i o n .  
I a l l o c a t i o n  of tasks t o  p rocesso r s ,  then  there are 12 t o  the  t h i r d  
NON-INVERTIBLE DATA DEPENDENCIES 
The processing t i m e  f o r  some opera t ions  depends on t h e  input  
cond i t ions  t o  t h o s e  ope ra t ions  ( i . e . ,  i npu t  data and r e t a i n e d  
data).  For example, the  t i m e  required by a track processing 
ope ra t ion  may depend on the number of c u r r e n t l y  l i v e  tracks. For 
a given ope ra t ion ,  le t  the func t ion  that  maps inpu t  cond i t ions  t o  
process ing  time of tha t  ope ra t ion  be called i t s  data dependency 
f u n c t i o n .  
Data dependency f u n c t i o n s  are o f t e n  i n v e r t i b l e ,  a t  least i n  
the  rough sense  tha t  the set of i npu t  cond i t ions  that  r e s u l t  i n  
process ing  times less t h a n  some l i m i t  can be determined. For 
example, i t  might be determined that  the time necessary t o  search 
a track f i l e  w i l l  be less the 25 mil l i seconds  i f  there are no 
more the  100 l i v e  tracks t o  be searched. T h i s  s o r t  of i nve r s ion  
of the  data dependency f u n c t i o n  i s  o f t e n  s u f f i c i e n t  t o  v e r i f y  
whether the ope ra t ion  meets i t s  performance requirements.  
Unfortunately,  data dependency func t ions  are found in p r a c t i c e  
that  are not  i n v e r t i b l e .  That i s ,  there are opera t ions  f o r  which 
t h e  processing t i m e  depends on t h e  inpu t  cond i t ions ,  but the  
I 
F.3.1.4 
dependency is too complex to invert. Phrased otherwise, it is 
impossible in practice to define the set of input conditions on 
which the operation will complete within its prescribed time. 
Examples of such non-invertible data dependencies can be found 
in combinatorial algorithms, and in artificial intelligence 
paradigms. Specifically, consider a backtracking algorithm -- 
depth first search for an optimum value using bounding functions. 
It may happen that a long series of nodes will be generated and 
expanded before it is discovered that this series does not lead 
to an optimum, and must be discarded (the "garden path" 
phenomenon). It is not in general possible to give a simple 
condition defining those sets of input data that give rise to 
this phenomenon. In such cases, it is impossible to discriminate 
input conditions for which processing will be fast from input 
conditions for which processing will be slow. 
NON-DETERMINISTIC BEHAVIOR 
Non-deterministic behavior of a program is behavior that 
cannot be predicted from the input conditions. Non-determinism 
can arise from the hardware level, as when two processors race 
for access to a memory word, from the run-time software level, as 
when the operating system takes varying times to respond to a 
service request due to the varying activity of peripherals or to 
the varying activity of other programs under its purview, and 
from the software level, as from the Ada select statement and Ada 
arithmetic, which are defined as (potentially) non-deterministic. 
The property of being non-deterministic differs from being 
non-categorical in that non-determinism may be a property of the 
behavior of a single system, whereas only a specification can be 
non-categorical. The property of being non-deterministic differs 
from having a non-invertible data dependency function in that the 
data dependency function of a non-deterministic process can only 
be defined statistically, and that function may or may not be 
invertible. 
One example will s u f f i c e  t o  demonstrate the d i f f i c u l t i e s  
presented by non-determinism to the verification process. 
Consider a program that is deterministic except that the  select 
statement is implemented non-deterministically. That is, when 
several rendezvous are possible, the choice of which to accept is 
made at random. The state space of such a program branches each 
time a select with two or more open accept branches is executed. 
Therefore the number of distinct possible program behaviors can 
grow rapidly with time, and it must be verified that all these 




Adaptive behavior refers to the aspects of a program's 
behavior that change relatively slowly over time, for the purpose 
of improving its performance. Examples of adaptive behaviors are 
load balancing functions in distributed systems, and programs 
that learn from experience. 
Adaptive behavior can be implemented in a straightforward 
manner, as by changing a vector of locations, and adaptive 
behavior can be implemented by highly sophisticated means, as in 
some learning programs that, in effect, modify the code that 
performs some of their functions. 
If the set of possible behaviors of an adaptive program is 
reasonably small, then adaptation causes no great problems for 
verification: each of the possible behaviors must be verified to 
satisfy the requirements. If, on the other hand, the set of 
possible behaviors is large, then verification may become 
difficult or impossible. 
METHODS FOR VERIFYING PKRFORMANCE REQUIREMENTS 
Substantial work has been done in the area of dealing with 
performance requirements. SREM [31 is a method of expressing 
requirements, including performance requirements. SREM a l s o  
provides a means to simulate the behavior of the specified 
system. Unfortunately for our present purposes, the SREM 
methodology is not well suited to producing Ada programs. 
The Model system 141 generates programs (in PL/1) of a 
restricted form from a specification expressed in an ad hoc 
language. The system then estimates the performance of the 
resulting system, using data generated as a by-product of the 
program generation process together with inputs from the user on 
the times of the target machine for "input, output, arithmetic, 
comparison, and function operations." 
Several methods support performance estimation based on 
queueing theory. Examples are PAISLey [SI and SARA [63, and 
Petri net approaches [ " I .  Such methods are effective when a 
network of queues is an acceptable model of the execution 
behavior of the software, and when statistical estimates of 
timing (as opposed to guaranteed worst-case values) are 
acceptable. 
Note that none of the preceding techniques is intended to 
solve exactly the problem addressed by this paper: validating 
performance requirements on a detailed design expressed as Ada 
code. 
One popular non-method for dealing with performance 
requirements needs to be noted. There is some feeling that any 
concern for performance is improper, almost immoral, during 
program design. This attitude will be called the DEMO 
methodology (for DEliver Me from Optimizations). The DEMO 
F.3.1.6 
methodology cal ls  f o r  programs t o  be designed e x c l u s i v e l y  f o r  
c o r r e c t n e s s ,  m o d i f i a b i l i t y ,  and m a i n t a i n a b i l i t y ,  and tha t  
e f f i c i e n c y  w i l l  taken care of l a te r .  The claim i s  t h a t  whatever 
degree of e f f i c i e n c y  i s  called f o r  can be provided, 
au tomat i ca l ly ,  after the  completion of detailed d e s i g n ,  by one of 
three means: 
* Compiler op t imiza t ions .  "Any decent  implementation" 
of t he  Ada language w i l l  provided e x t e n s i v e ,  g l o b a l ,  
op t imiza t ions ,  r e s u l t i n g  i n  a system tha t  w i l l  be as 
e f f ic ien t  as i f  it had been optimized by hand. 
* Recoding hot-spots  i n t o  low-level code. S ince  most 
of t he  execut ion time i n  many programs i s  taken  up by 
a small propor t ion  of  t he  l i n e s  of code, t h o s e  b locks  
of code may be recoded i n t o  assembly code, and good 
e f f i c i e n c y  thereby  obtained a t  small c o s t .  
* Hardware. I f  t he  program does not run fast  enough, a 
faster computer should be used. It does not  matter i f  
no such computer i s  a v a i l a b l e  today ,  s i n c e  i t  w i l l  be 
a v a i l a b l e  soon. 
The DEMO a t t i t u d e  probably developed i n  response t o  the  o lde r ,  
pre-software engineer ing a t t i t u d e  that what makes sof tware good 
was f i rs t ,  being e f f i c i e n t ,  followed c l o s e l y  by meeting spec ,  and 
a l l  o t h e r  va lues ,  such as m a i n t a i n a b i l i t y ,  were of i n s u f f i c i e n t  
importance t o  deserve mention. I f  DEMO i s  a r e a c t i o n  t o  t ha t  
a t t i t u d e ,  i t  i s  l a r g e l y  j u s t i f i e d ,  but neve r the l e s s  it i s  an 
ove r reac t ion .  Consider each of  t he  preceding three p o i n t s :  
While ex tens ive ,  g l o b a l ,  op t imiza t ions  are wi th in  t h e  s ta te  of 
the a r t ,  no A d a  compiler known t o  t h i s  au thor  provides  t he  
fac i l i t i es  previous ly  demanded of "decent implementations" o f  t he  
language. T h i s  i s  due t o  two factors: the demand f o r  reasonably 
fast  compilat ion,  and t h e  sepa ra t e  compilation fac i l i t i es  of  t h e  
language. The r e s u l t  i s  t h a t  l o c a l l y ,  generated code i s  not as 
p a r t i c u l a r l y  good, and g loba l  op t imiza t ions  are not  performed a t  
a l l .  Hence w e  cannot depend on compilers t o  so lve  our eff ic iency 
problems today . 
Recoding of hot-spots  i n t o  low-level code i s  of course a 
va luab le  technique as far as it goes.  It does not  h e l p  i n  two 
important cases: d i s t r i b u t e d  i n e f f i c i e n c y ,  and hot  assembly code. 
The former refers t o  i n e f f i c i e n c i e s  tha t  are widely spread 
throughout a program; f o r  example, a c u r r e n t l y  popular Ada 
compiler emits r e spec tab le  code t o  r e fe rence  a r r a y s  t h a t  have an 
index subtype such as 1..10, and h igh ly  i n e f f i c i e n t  code f o r  
a r r a y s  having the  index subtype 0..9; no l o c a l i z e d  recoding w i l l  
h e l p .  Hot assembly code refers t o  t h e  case i n  which the  
program's hot-spots  are i n  subrout ines  tha t  are a l ready  i n  
assembly code; i n  p a r t i c u l a r ,  when the  hot-spots  are i n  the  
run-time support  code. For example, a program that  i s  bound by 
task suspension and d i s p a t c h  times cannot be helped by recoding 
i n t o  low-level code. 
F.3.1.7 
The hardware s o l u t i o n  depends on cos t - e f f ec t iveness .  There i s  
a balance between the c o s t  of opt imizing sof tware ,  and 
maintaining tha t  optimized sof tware ,  a g a i n s t  the c o s t  of us ing  of 
a faster computers, t ak ing  i n t o  account weight , '  power, and 
l o g i s t i c s  i s s u e s .  That balance cannot be c a s u a l l y  t i p p e d  i n  
ei ther d i r e c t i o n ,  no matter how convenient i t  would be f o r  t h e  
sof tware  v a l i d a t i o n  process .  
The remainder of t h i s  s e c t i o n  concerns a proposed approach t o  
so lv ing  t h e  problem def ined  above. 
The basis of t h i s  approach i s  a change i n  viewpoint of t h e  
meaning of a des ign .  A design i s  convent iona l ly  considered t o  
d e f i n e ,  roughly,  an abstract computation ( i . e . ,  a func t ion  
mapping i n p u t s  i n t o  ou tpu t s )  t oge the r  w i t h  a s t r u c t u r e  for t h e  
sof tware .  Note that  the  meaning of " s t r u c t u r e  of the  sof tware"  
i s  not e n t i r e l y  e v i d e n t :  the  s t r u c t u r e  of the source code -- i t s  
hierarchical decomposition of a program i n t o  packages, tasks and 
subprograms and t h e  s e p a r a t e  compilat ion s t r u c t u r e  -- may be 
q u i t e  d i f f e r e n t  from the  s t r u c t u r e  of the  software a t  run time. 
For example, code of one subprogram may be consol idated i n t o  the 
code of  many o thers  by means of i n l i n i n g ,  and the program's 
s ta t ic  data may be d iv ided  up a r b i t r a r i l y  ac ross  s e v e r a l  
computers, and f u r t h e r  i n t o  r e s i d e n t  and non-resident segments. 
Convent ional ly ,  a "des ign"  may spec i fy  any o r  a l l  of these 
sof tware  s t r u c t u r e s .  
For t he  purposes of v e r i f y i n g  performance requirements,  l e t  u s  
adopt the  fol lowing viewpoint on t h e  meaning of "design" : 
A DESIGN IS A CONSTRAIHT ON THE 
INITIAL STATE OF THE TARGET MACHIHE 
That is, of t he  very large number of p o s s i b l e  i n i t i a l  states f o r  
t h e  target machine, a des ign  selects a subse t  of those states,  
a l l  of which presumably d e f i n e  programs that  w i l l  perform 
according t o  t h e  program's requirements.  The word design w i l l  be 
used only i n  t h i s  sense  below. 
A des ign  may be expressed as Ada code w i t h  anno ta t ions ,  o r  as 
Ada code wi th  a s e p a r a t e  data s t r u c t u r e  that  c o n s t r a i n s  t h e  
mapping of the  program onto the  target machine. Examples of 
data that  may reasonably be included i n  a design inc lude  the  
t y p e  and c o n f i g u r a t i o n  of t h e  target computer processors ,  
memories, and communication channels ,  the mapping of s ta t ic  data 
onto memories, the  mapping of tasks (or task types)  t o  
p rocesso r s ,  and the  i d e n t i f i c a t i o n  of the run-time support  code 
and parameters  (such as task scheduling a lgo r i thm) .  
Even after the  human des igne r s  have expressed a l l  t h e  
informat ion  t h e y  have concerning the  mapping of t h e  program onto 
t he  target machine, a d d i t i o n a l  information i s  requi red  from t h e  
compiler concerning i t s  mapping d e c i s i o n s .  A form i n  which t h i s  
informat ion  could be expressed w i l l  be presented s h o r t l y .  T h i s  
information inc ludes  data on the compi le r ' s  choices of 
op t imiza t ions ,  such as upmerging. i n l i n i n g ,  and code motion. 
F.3.1.0 
. 
When all of the available information on the source code and 
its mapping onto the target machine is available, then the 
verification of performance requirements can proceed. The 
essence of verifying performance requirements is to prove certain 
statements about the program behavior correct. The statements to 
be proven correct are the requirements ("The interval between 
updates to each track shall be on the average at most two 
seconds, and in no case longer than five seconds"), and the 
hypotheses are the available rules about the program and its 
mapping onto the target machine, together with some rules 
defining the behavior of the target machine itself. 
Since the verification of a requirement is likely to be a 
long, but not particularly subtle, chain of reasoning, such 
verifications are likely candidates for automation. For this to 
be feasible, the data on the program will have to be expressed in 
a form acceptable to a theorem-proving system, such as a Prolog 
implementation [81 o r  a rule-based system [91. For example, part 
of one set of rules presented to the verifier, which expresses 
the run-time structure of a subroutine, might have a semantic 
content (but not a form) such as 
1) Subroutine S117 is completed when Block249 is 
2) Loop98 is completed when Boolean4276 is false. 
completed and Loop98 is completed. 
3) Block249 requires 79 milliseconds to complete. 
4) Each iteration of Loop98 requires 182 milliseconds. 
It is to be expected that attempts to verify requirements by 
this method will initially fail, simply because the conclusion is 
not justified by the available information. That is, 
requirements will not be validated because there is not 
sufficient data to establish that those requirements will be 
satisfied by the final system. 
When requirements cannot be validated due to the lack of 
sufficient data, additional information must be made available. 
Examples of such information would be a conclusion that is 
justified by the available information but is too deep for the 
verifier to discover (such as that some iterative process must 
converge within a fixed number of iterations), o r  information 
that is added to the design in order to meet the performance 
requirement (such as that when Condition equals Red, then the 
availability of Processor Alpha to Program Zeta will be 10096.) 
If such additional information does not permit the truth of the 
requirement to be deduced, then that requirement must be reported 
as not satisfied. 
This is as it ought to be. 
This rule-based verification approach has the following 
strengths: 
F.3.1.9 
* Accuracy. If a requirement is verified by rule-based 
verification, it is highly probable that any system 
produced according to the design will satisfy the 
requirement. Also, if a requirement is not verified 
by this method, it is highly probable that some 
system can be produced according to the design that 
will not satisfy the requirement. The method is well 
suited to handling worst-case requirements. 
* Ability to handle non-determinism. In contrast to 
simulation-based approaches, the rule-based 
verification approach does not require that state 
transitions be uniquely defined: a rule stating that 
under certain conditions, either Process Alpha or 
Process Beta will be dispatched is perfectly 
accept able. 
* Ability to accept non-categorical specifications. A 
rule-based verification process is well suited to 
handle non-categorical specifications. 
* Ability to repeat a validation following a 
modification. After a change to a design, such as 
specifying pragma inline for a function, validation 
may be repeated for only the cost of computer time. 
This rule-based verification approach has the following 
weaknesses: 
* Required tool support. The major tool support 
required to use rule-based verification is the 
rule-based system processor, and the additional 
function required of the Ada compiler (m. emission 
of information on mapping decisions). Rule-based 
system processors are commercially available, but the 
modification to the Ada compiler is not trivial. 
* Required human effort. Substantially more effort 
than is traditionally expended will be required on 
the part of the verifiers and the designers to 
achieve verification under this approach. 
* Inability to handle non-invertible data dependencies. 
The use of a rule-based system will not solve the 
problem of unpredictable processing time. 
* Inability to handle adaptive behavior. The use of a 
rule-based system will not solve the problem of 
unpredictable processing. 
F. 3.1.10 
Today, it is impossible to verify performance requirements on 
Ada software, except in a very approximate sense. There are 
several reasons for this difficulty, of which the main reason is 
the lack of use of information on the mapping of the program onto 
the target machine. 
An approach to a partial solution to the verification of 
performance requirements on Ada software is here proposed, called 
the rule-based verification approach. This approach is suitable 
when the target machine is well-defined and when additional 
effort and expense are justified in order to guarantee that the 
performance requirements will be met by the final system. 
REFERENCES 
[ll B. W. Boehm, "Verifying and Validating Software Requirements 
and Design Specifications," IEEE Software, pp. 75-88, Jan. 
1984. 
[21 P. Zave,"The operational versus the conventional approach to 
software development," Communications of the ACM, pp. 
104-118, Feb. 1984. 
[31 M. W. Alford, "A requirements engineering methodology for 
real-time processing requirements," IEEE Transactions on 
Software Engineering, vol. SE-3, pp. 60-69, Jan. 1977. 
[41 J. S. Tseng &., "Real-Time Software Life Cycle with the 
Model System," IEEE Transactions on Software Engineering, 
vol. SE-12, pp. 358-373, Feb. 1986. 
[SI P. Zave, "An operational approach to requirements 
specification for embedded systems," IEEE Transactions on 
Software Engineering, vol. SE-8, pp. 250-269, May 1982. 
[SI G. Estrin g& d., "SARA (System ARchitects Apprentice): 
Modeling, Analysis, and Simulation Support for Design of 
Concurrent Systems, I' IEEE Transactions on Software 
Engineering, vol. SE-12, pp. 293-311, Feb. 1986. 
[7] M. K. Molloy, "Discrete time stochastic Petri nets," IEEE 
Transactions on Software Engineering, v o l  SE-11, pp. 
417-423, Apr. 1985. 
[81 M. R. Genesereth and M. L. Ginsberg, "Logic Programming," 
Communications of the ACM, vol. 28, pp. 933-941, Sept. 1985. 
[91 F. Hayes-Roth, "Rule-Based Systems," Communications of the 
ACM, vOl. 28, pp. 921-932, Sept. 1985. 
F.3.1.11 
