
Showing papers in "IEEE Transactions on Software Engineering in 1977"


Journal Article
Leslie Lamport
TL;DR: The inductive assertion method is generalized to permit formal, machine-verifiable proofs of correctness for multiprocess programs, represented by ordinary flowcharts, and no special synchronization mechanisms are assumed.
Abstract: The inductive assertion method is generalized to permit formal, machine-verifiable proofs of correctness for multiprocess programs. Individual processes are represented by ordinary flowcharts, and no special synchronization mechanisms are assumed, so the method can be applied to a large class of multiprocess programs. A correctness proof can be designed together with the program by a hierarchical process of stepwise refinement, making the method practical for larger programs. The resulting proofs tend to be natural formalizations of the informal proofs that are now used.

1,022 citations


Journal Article
Douglas T. Ross
TL;DR: Structured analysis as discussed by the authors combines a blueprint-like graphic language with nouns and verbs of any other language to provide a hierarchic, top-down, gradual exposition of detail in the form of an SA model.
Abstract: Structured analysis (SA) combines blueprint-like graphic language with the nouns and verbs of any other language to provide a hierarchic, top-down, gradual exposition of detail in the form of an SA model. The things and happenings of a subject are expressed in a data decomposition and an activity decomposition, both of which employ the same graphic building block, the SA box, to represent a part of a whole. SA arrows, representing input, output, control, and mechanism, express the relation of each part to the whole. The paper describes the rationalization behind some 40 features of the SA language, and shows how they enable rigorous communication which results from disciplined, recursive application of the SA maxim: "Everything worth saying about anything worth saying something about must be expressed in six or fewer pieces."

966 citations


Journal Article
TL;DR: This paper shows that this program module assignment problem can be solved efficiently by making use of the well-known Ford–Fulkerson algorithm for finding maximum flows in commodity networks as modified by Edmonds and Karp, Dinic, and Karzanov.
Abstract: In a distributed computing system a modular program must have its modules assigned among the processors so as to avoid excessive interprocessor communication while taking advantage of specific efficiencies of some processors in executing some program modules. In this paper we show that this program module assignment problem can be solved efficiently by making use of the well-known Ford–Fulkerson algorithm for finding maximum flows in commodity networks as modified by Edmonds and Karp, Dinic, and Karzanov. A solution to the two-processor problem is given, and extensions to three and n-processors are considered with partial results given without a complete efficient solution.

740 citations


Journal Article
TL;DR: The needs for requirements definition are examined, and an approach to meeting those objectives through three interrelated subjects is proposed: context analysis, functional specification, and design constraints.
Abstract: Requirements definition encompasses all aspects of system development prior to actual system design. We see the lack of an adequate approach to requirements definition as the source of major difficulties in current systems work. This paper examines the needs for requirements definition, and proposes meeting those objectives with three interrelated subjects: context analysis, functional specification, and design constraints. Requirements definition replaces the widely used, but never well-defined, term "requirements analysis."

719 citations


Journal Article
TL;DR: Finite input-output specifications are added to the syntax of programs so that they can be verified at compile time; certain such specifications exercise the control and expression structure of a program as well as any tests can.
Abstract: If finite input-output specifications are added to the syntax of programs, these specifications can be verified at compile time. Programs which carry adequate tests with them in this way should be resistant to maintenance errors. If the specifications are independent of program details they are easy to give, and unlikely to contain errors in common with the program. Furthermore, certain finite specifications are maximal in that they exercise the control and expression structure of a program as well as any tests can.

552 citations


Journal Article
TL;DR: PSL/PSA as discussed by the authors is a computer-aided structured documentation and analysis technique that was developed for, and is being used for, analysis and documentation of requirements and preparation of functional specifications for information processing systems.
Abstract: PSL/PSA is a computer-aided structured documentation and analysis technique that was developed for, and is being used for, analysis and documentation of requirements and preparation of functional specifications for information processing systems. The present status of requirements definition is outlined as the basis for describing the problem which PSL/PSA is intended to solve. The basic concepts of the Problem Statement Language are introduced and the content and use of a number of standard reports that can be produced by the Problem Statement Analyzer are briefly described.

534 citations


Journal Article
TL;DR: In this article, a methodology for the generation of software requirements for large, real-time unmanned weapons systems is described, and an example is provided to illustrate the methodology steps and their products and the benefits.
Abstract: This paper describes a methodology for the generation of software requirements for large, real-time unmanned weapons systems. It describes what needs to be done, how to evaluate the intermediate products, and how to use automated aids to improve the quality of the product. An example is provided to illustrate the methodology steps and their products and the benefits. The results of some experimental applications are summarized.

316 citations


Journal Article
TL;DR: The reliability of symbolic testing in finding bugs is related to the classes of errors and the relationship of symbolic evaluation systems like DISSECT to classes of program errors and to other kinds of program testing and program analysis tools is discussed.
Abstract: Symbolic testing and a symbolic evaluation system called DISSECT are described. The principal features of DISSECT are outlined. The results of two classes of experiments in the use of symbolic evaluation are summarized. Several classes of program errors are defined and the reliability of symbolic testing in finding bugs is related to the classes of errors. The relationship of symbolic evaluation systems like DISSECT to classes of program errors and to other kinds of program testing and program analysis tools is also discussed. Desirable improvements in DISSECT, whose importance was revealed by the experiments, are mentioned.

254 citations


Journal Article
P. Reisner
TL;DR: This paper describes a series of psychological experiments used to test a new data base query language, aiming to make psychological testing of a language part of the design and development process.
Abstract: This paper describes a series of psychological experiments used to test a new data base query language. The intent is to make psychological testing of a language part of the design and development process. By testing a language while it is still under development, features that require changing can be identified and the changes made.

187 citations


Journal Article
William Harrison
TL;DR: This paper presents a discussion of mechanical range analysis employing techniques practical for use in a compiler; the analysis can also serve as a useful adjunct to the more sophisticated techniques required for program proving.
Abstract: Programs can be analyzed to determine bounds on the ranges of values assumed by variables at various points in the program. This range information can then be used to eliminate redundant tests, verify correct operation, choose data representations, select code to be generated, and provide diagnostic information. Sophisticated analyses involving the proofs of complex assertions are sometimes required to derive accurate range information for the purpose of proving programs correct. The performance of such algorithms may be unacceptable for the routine analysis required during the compilation process. This paper presents a discussion of mechanical range analysis employing techniques practical for use in a compiler. This analysis can also serve as a useful adjunct to the more sophisticated techniques required for program proving.

170 citations


Journal Article
TL;DR: The Requirements Statement Language (RSL) as discussed by the authors is a flow-oriented language for the expression of software requirements, and the Requirements Engineering and Validation System (REVS) is a software package which includes a translator for RSL, a data base for maintaining the description of system requirements and a collection of tools to analyze the information in the data base.
Abstract: The development of system requirements has been recognized as one of the major problems in the process of developing data processing system software. We have developed a computer-aided system for maintaining and analyzing such requirements. This system includes the Requirements Statement Language (RSL), a flow-oriented language for the expression of software requirements, and the Requirements Engineering and Validation System (REVS), a software package which includes a translator for RSL, a data base for maintaining the description of system requirements, and a collection of tools to analyze the information in the data base. The system emphasizes a balance between the use of the creativity of human thought processes and the rigor and thoroughness of computer analysis. To maintain this balance, two key design principles, extensibility and disciplined thinking, were followed throughout the system. Both the language and the software are easily user-extended, but adequate locks are placed on extensions, and limitations are imposed on use, so that discipline is augmented rather than decreased.

Journal Article
TL;DR: The Software Development System (SDS) is a methodology addressing the problems involved in the development of software for ballistic missile defense systems, large real-time, automated systems with a requirement for high reliability.
Abstract: This paper contains a discussion of the Software Development System (SDS), a methodology addressing the problems involved in the development of software for ballistic missile defense systems. These are large real-time, automated systems with a requirement for high reliability. The SDS is a broad approach attacking problems arising in requirements generation, software design, coding, and testing. The approach is highly requirements oriented and has resulted in the formulation of structuring concepts, a requirements statement language, process design language, and support software to be used throughout the development cycle. This methodology represents a significant advance in software technology for the development of software for a class of systems such as BMD. The support software has been implemented and is undergoing evaluation.

Journal Article
TL;DR: There is little or no loss in accuracy using reduced traces for many purposes for a wide range of memory sizes and degrees of reduction.
Abstract: The high cost of analyzing long memory address traces has limited most researchers to short traces and analysis algorithms that are linear in the length of the trace. We suggest two methods that permit a trace to be shortened in length by one to two orders of magnitude (or more) for later further analysis. The Stack Deletion Method eliminates all references in the trace to the top k levels of the LRU stack. The Snapshot Method records the reference bits of the pages in the original tape at discrete intervals and uses these bits to generate a new trace. Extensive measurements are presented, from which we conclude that there is little or no loss in accuracy using reduced traces for many purposes for a wide range of memory sizes and degrees of reduction.

Journal Article
TL;DR: This paper describes four major aspects of software management: development statistics, development process, development objectives, and software maintenance.
Abstract: This paper describes four major aspects of software management: development statistics, development process, development objectives, and software maintenance. The control of both large and small software projects is included in the analysis.

Journal Article
TL;DR: The Software Hut (a small software house) is a course project designed for a graduate-level course in computer program engineering and the authors' experience using it in graduate courses at the University of Toronto is discussed.
Abstract: The Software Hut (a small software house) is a course project designed for a graduate-level course in computer program engineering. This paper describes the Software Hut project and discusses the authors' experience using it in graduate courses at the University of Toronto. Suggestions for improvements in the project are given.

Journal Article
Donald E. Knuth
TL;DR: It is shown that, in certain circumstances, the result of n random insertions and m random deletions will be equivalent to n-m random insertions, under various interpretations of the word "random" and under various constraints on the order of insertions and deletions.
Abstract: This paper discusses dynamic properties of data structures under insertions and deletions. It is shown that, in certain circumstances, the result of n random insertions and m random deletions will be equivalent to n-m random insertions, under various interpretations of the word "random" and under various constraints on the order of insertions and deletions.

Journal Article
TL;DR: In this article, the authors propose a new type of program component, called a resource manager, to enable dynamic resource allocation in Concurrent Pascal, which can be accomplished both safely and efficiently.
Abstract: In Concurrent Pascal, the syntactic and semantic definition of the language prevents the inadvertent definition of a program that might violate the integrity of a shared data object. However, the language also does not allow the dynamic allocation of reusable resources among processes, and this restriction seems unnecessarily stringent. This paper proposes the addition to Concurrent Pascal of a new type of program component, to be called a resource manager. By this means, dynamic resource allocation can be accomplished both safely and efficiently. The notion that a process holds access rights to a resource is generalized to the notion that it holds capability rights, but the capability to actually make use of a resource is granted dynamically. The anonymity of dynamically allocatable resources is also guaranteed.

Journal Article
TL;DR: By modeling an existing sequential compiler, an understanding of the modifications necessary to transform the sequential structure into a pipeline of processes is gained and the pipelined compiler is evaluated through measurements and simulation.
Abstract: The problem of designing compilers for a multiprocessing environment is approached. We show that by modeling an existing sequential compiler, we gain an understanding of the modifications necessary to transform the sequential structure into a pipeline of processes. The pipelined compiler is then evaluated through measurements and simulation. Properties of the model, a generalized Petri Net, are also discussed.

Journal Article
M.R. Paige
TL;DR: A program graph is a graph structural model of a program exhibiting the flow relation or connection among the elements (statements) in the program.
Abstract: In recent years, applications of graph theory to computer software have given fruitful results and attracted more and more attention. A program graph is a graph structural model of a program exhibiting the flow relation or connection among the elements (statements) in the program.

Journal Article
TL;DR: The results apply to architectures where jobs may be scheduled to processors on the basis of processor availability, memory availability, and the availability of one other resource used by all jobs.
Abstract: Three different operating system strategies for a parallel processor computer system are compared, and the most effective strategy for given job loads is determined. The three strategies compare uniprogramming versus multiprogramming and distributed operating systems versus dedicated processor operating systems. The level of evaluation includes I/O operations, resource allocation, and interprocess communication. The results apply to architectures where jobs may be scheduled to processors on the basis of processor availability, memory availability, and the availability of one other resource used by all jobs.

Journal Article
TL;DR: The multiple-attribute-tree (MAT) data-base organization is modeled and analyzed and average retrieval time per query is obtained using a statistical estimation procedure and computationally efficient cost equations are presented.
Abstract: The multiple-attribute-tree (MAT) data-base organization is modeled and analyzed. Average retrieval time per query is obtained using a statistical estimation procedure and computationally efficient cost equations are presented. These cost equations are validated using a small experimental data base. Several real-life and generated data bases are used to demonstrate the effectiveness of the multiple-attribute-tree organization in reducing the expected retrieval time per query over conventional methods.

Journal Article
TL;DR: Results of testing the DES as a pseudorandom number generator indicate that the algorithm is more than satisfactory for this purpose.
Abstract: During the next few years a new pseudorandom number generator will become available on many computer systems. A concern for the security of computer data has led to the adoption of a Data Encryption Standard (DES) by the National Bureau of Standards. This standard specifies a nonlinear cryptographic algorithm which can be used inter alia as a source of pseudorandom numbers in software applications, such as those involving order statistics, where the usual linear congruential and generalized feedback shift register generators seem to be inadequate. Results of testing the DES as a pseudorandom number generator indicate that the algorithm is more than satisfactory for this purpose.

Journal Article
TL;DR: The essence of the approach is to find an analogy between the specifications of the given and desired programs, and then to transform the given program accordingly.
Abstract: An attempt is made to formulate techniques of program modification, whereby a given program that achieves one goal can be transformed into a new program that uses the same principles to achieve a different goal. For example, a program that uses the binary search paradigm to calculate the square root of a number may be modified to divide two numbers in a similar manner, or vice versa. The essence of the approach is to find an analogy between the specifications of the given and desired programs, and then to transform the given program accordingly.

Journal Article
TL;DR: This paper summarizes the initial experience with the programming language Concurrent Pascal in the design of three model operating systems and emphasizes that the creative aspect of program construction is the initial selection of modules and the connection of them into hierarchical structures.
Abstract: This paper summarizes the initial experience with the programming language Concurrent Pascal in the design of three model operating systems. A Concurrent Pascal program consists of modules called processes, monitors, and classes. The compiler checks that the data structures of each module are accessed only by the operations defined in the module. The author emphasizes that the creative aspect of program construction is the initial selection of modules and the connection of them into hierarchical structures. By comparison the detailed implementation of each module is straightforward. The most important result is that it is possible to build a concurrent program of one thousand lines out of one-page modules that can be comprehended at a glance.

Journal Article
Stuart H. Zweben
TL;DR: A theory of the structural composition of an algorithm is presented which allows the frequencies of occurrence of the individual operators and operands to be estimated and provides justification for some recent hypotheses which suggest certain functional relationships between properties of algorithms.
Abstract: A theory of the structural composition of an algorithm is presented which allows the frequencies of occurrence of the individual operators and operands to be estimated. It provides justification for some recent hypotheses which suggest certain functional relationships between properties of algorithms.

Journal Article
TL;DR: An algorithm to select servers taking both of these characteristics of server costs into account is developed; the paper discusses the optimization of more general network models, with the consideration of more realistic tariffs and more constraints on network behavior than were previously analyzed.
Abstract: This paper considers the selection of capacities, in two classes of open queueing network models of computer communication systems: 1) local-balanced queueing networks with multiple classes of customers and 2) the Reiser-Kobayashi diffusion approximation model. The problem of selecting optimal bandwidths for communication lines and switches and computing machinery is difficult due to 1) the economy of scale exhibited by components (i.e., the bandwidth per dollar increases with the total cost of the component) and 2) the discrete nature of computer/communication components (for instance it is possible to lease communication lines with 2400-Bd or 4800-Bd bandwidths but not one with a 2401.3-Bd bandwidth). This paper develops an algorithm to select servers taking both of these characteristics of server costs into account. The contribution of this paper is to discuss 1) the optimization of more general network models with 2) the consideration of more realistic tariffs and 3) more constraints on network behavior than were previously analyzed.

Journal Article
J.L. Elshoff
TL;DR: The time and training required to introduce structured programming techniques will begin paying dividends within six months and further alterations can make the programs still better.
Abstract: Two sets of commercial PL/I programs are studied. One set represents programming practice before the introduction of structured programming techniques and the other set after their introduction. The use of these new methods is found to make a measurable difference on the quality of the programs. A few minor changes in the use of PL/I are noted. Substantial modifications to the control structure of the programs are measured. Also, some improvements in the qualitative aspects of the two sets are discussed. Although they are much improved, further alterations can make the programs still better. The time and training required to introduce structured programming techniques will begin paying dividends within six months.

Journal Article
Ben Wegbreit
TL;DR: This paper proposes an alternative approach to program verification: correctness proofs are constructively established by proof justifications written in an algorithmic notation, written as part of the program, along with the executable code and correctness specifications.
Abstract: Most current approaches to mechanical program verification transform a program and its specifications into first-order formulas and try to prove these formulas valid. Since the first-order predicate calculus is not decidable, such approaches are inherently limited. This paper proposes an alternative approach to program verification: correctness proofs are constructively established by proof justifications written in an algorithmic notation. These proof justifications are written as part of the program, along with the executable code and correctness specifications. A notation is presented in which code, specifications, and justifications are interwoven. For example, if a program contains a specification ∃x P(x), the program also contains a justification that exhibits the particular value of x that makes P true. Analogously, justifications may be used to state how universally quantified formulas are to be instantiated when they are used as hypotheses. Programs so justified may be verified by proving quantifier-free formulas. Additional classes of justifications serve related ends. Formally, justifications reduce correctness to a decidable theory. Informally, justifications establish the connection between the executable code and correctness specifications, documenting the reasoning on which the correctness is based.

Journal Article
TL;DR: The ESP3 picture patterns, the pattern matching operation, and the experimental implementation of ESP3 are described to test the feasibility of the system.
Abstract: Extended Snobol picture pattern processor (ESP3) is a programming language and pattern recognition system which was designed for generating, recognizing, and manipulating two-dimensional line drawings. An ESP3 picture pattern describes a class of line drawings just as a Snobol pattern describes a class of strings. During pattern matching, a subject picture is searched for the occurrence of a sub-picture which matches a given picture pattern. The search of the subject picture is ordered left-to-right and top-to-bottom, and the search program uses scanner guidance information found in the picture pattern to limit the area of the subject picture to be searched. An experimental implementation of ESP3 has been developed to test the feasibility of the system. This paper describes the ESP3 picture patterns, the pattern matching operation, and the experimental implementation of ESP3.