Verifying design with proof scores

Abstract: Verifying design instead of code can be an effective and practical approach to obtaining verified software. This paper argues that proof scores are an attractive method for verifying design, in that they achieve a balance in which the respective capabilities of humans and machines are utilized optimally. 1 Verifying Code or Design Although creation of a verifying compiler is a difficult challenge, recent developments suggest that there are ways to make it easier. Systems that generate lexical analyzers and parsers already have a long history (e.g. Lex and Yacc), and recent work of Sorin Lerner [23] shows that the same can be done for compiler backends; there is also work suggesting that code generation modules can be automatically generated (e.g. using intermediate languages). Unfortunately, a great number of different compilers are needed in today’s software world, and the underlying machine architectures are evolving, as are the languages, so it would be difficult to create verifying compilers for all useful combinations of language and platform, and code verification for such tools still remains very difficult. Major impediments include the unsolvability of discovering loop invariants, the potential unsolvability of loop once they are found, and the further difficulties raised by interactivity, nondeterminism, concurrency, distribution, active agents, and unreliable communication. A long term approach is to use high level, application specific source languages, in order to greatly simplify source program verification by eliminating many obscure features of current languages. In the meantime, a currently feasible approach is to verify the design of software, instead of its code; experience shows that design verification often leads to better design, and nearly always leads to greater conceptual clarity. An aditional motivation is that the main sources of errors in software are in areas other than code, namely, requirements, specification, and design.