A faculty colleague recently asked me to present a short overview of axiomatic semantics as a guest lecture in one of his courses. I have been teaching courses on software verification for a long time (see e.g. here), so I have plenty of material; but instead of just reusing it, I decided to spend a bit of time on explaining why it is good to have a systematic approach to software verification.

Say "software verification" to software professionals, or computer science students outside of a few elite departments, and most of them will think "testing." In a job interview, for example, show a programmer a loop-based algorithm and ask "how would you verify it?": most will start talking about devising clever test cases.

Far from me to berate testing [1]; in fact, I have always thought that the inevitable Dijkstra quote about testing — that it can only show the presence of errors, not their absence [2] — which everyone seems to take as an indictment and dismissal of testing (and which its author probably intended that way) is actually a fantastic advertisement *for *testing: a way to find bugs? Yes! Great! Where do I get it? But that is not the same as verifying the software, which means attempting to ascertain that it has *no *bugs.

Until listeners realize that verification cannot just mean testing, the best course material on axiomatic semantics or other proof techniques will not attract any interest. In fact, there is somewhere a video of a talk by the great testing and public-speaking guru James Whittaker where he starts by telling his audience not to worry, this won’t be a standard boring lecture, he will not start talking about loop invariants [3]! (Loop invariants are coming in this series of posts, in fact they are one of its central concepts, but not today, so don’t bring the sleeping bags yet.) So I decided to start my lecture by giving an example of what happens when you do *not *use proper verification. More than one example, in fact, as you will see.

A warning about this article and its followers: there is nothing new here. I am using an example from my 1990 book *Introduction to the Theory of Programming Languages *(exercise 9.12). Going even further back, a 1983 "Programming Pearls" *Communications of the ACM* article by Jon Bentley [4] addresses the same example with the same basic ideas. Yet almost forty years later these ideas are still not widely known among practitioners. So consider these articles as yet another tutorial on fundamental software engineering stuff.

The tutorial is a quiz. We start with a program text:

**from**

i := 1 ; j := n — **Result **initialized to 0.

**until **i = j **loop**

m := (i + j) // 2 — Integer division

**if **t [m] ≤ x **then **i := m **else **j := m **end**

**end**

**if **x = t [i] **then **Result := i **end**

All variables are of integer type. t is a sorted array of integers, indexed from 1 to n. Let us not let any notation get between friends. A loop **from **p **until **e **loop **q **end **executes p then, repeatedly: stops if e (the exit condition) is true, otherwise executes q. (Like {p ; **while not **e **do** {q}} in some other notations.) ":=" is assignment, "=" equality testing. "//" is integer division, e.g. 6 //3 = 7 //3 = 2. **Result **is the name of a special variable whose final value will be returned by this computation (as part of a function, but we only look at the body). **Result **is automatically initialized to zero like all integer variables, so if execution does not assign anything to **Result **the function will return zero.

First question: what is this program trying to do?

OK, this is not the real quiz. I assume you know the answer: it is an attempt at "binary search", which finds an element in the array, or determines its absence, in a sequence of about log_{2} (n) steps, rather than n if we were using sequential search. (Remember we assume the array is sorted.) **Result **should give us a position where x appears in the array, if it does, and otherwise be zero.

Now for the real quiz: does this program meet this goal?

The answer should be either yes or no. (If no, I am not asking for a correct version, at least not yet, and in any case you can find some in the literature.) The situation is very non-symmetric, we might say Popperian:

- To justify a no answer it suffices of a
*single*example, a particular array t and a particular value x, for which the program fails to set**Result**as it should. - To justify a yes answer we need to provide a credible argument that for
*every*t and x the program sets**Result**as it should.

If you like, you can use the comment section for answers. My own answer comes two days from now (Wednesday).

*Post-publication note*: the announced second article was published here.

## Notes

[1] The TAP conference series (Tests And Proofs), which Yuri Gurevich and I started, explores the complementarity between the two approaches.

[2] Dijkstra first published his observation in 1969. He did not need consider the case of infinite input sets: even for a trivial finite program that multiplies two 32-bit integers, the number of cases to be examined, 2^{64}, is beyond human reach. More so today with 64-bit integers. Looking at this from a 2020 perspective, we may note that exhaustive testing of a finite set of cases, which Dijkstra dismissed as impossible in practice, is in fact exactly what the respected *model checking* verification technique does; not on the original program, but on a simplified — *abstracted *— version precisely designed to keep the number of cases tractable. Dijkstra’s argument remains valid, of course, for the original program if non-trivial. And model-checking does not get us out of the woods: while we are safe if its "testing" finds no bug, if it does find one we have to ensure that the bug is a property of the original program rather than an artifact of the abstraction process.

[3] It is somewhere on YouTube, although I cannot find it right now.

[4] Jon Bentley:* Programming Pearls: Writing Correct Programs*, in *Communications of the ACM*, vol. 26, no. 12, pp. 1040-1045, December 1983, available for example here.

**Bertrand Meyer** is chief technology officer of Eiffel Software (Goleta, CA), professor and provost at the Schaffhausen Institute of Technology (Switzerland), and head of the software engineering lab at Innopolis University (Russia).

## Join the Discussion (0)

## Become a Member or Sign In to Post a Comment