Decomposing Verification Around End-User Features

Practical program verification techniques must align with the software development methodologies that produce the programs. Numerous researchers have independently proposed models of program development in which modules encapsulate units of end-user functionality known as features. Such encapsulation reflects user concerns into a program’s modular structure, which in turn promises to simplify program maintenance in the face of requirements evolution. The interplay between feature-oriented modules and verification raises some interesting challenges and opportunities. Such modules ameliorate some difficulties with conventional modular verification, such as property decomposition, while creating others, by contradicting assumptions that underlie most modular program verification techniques. This paper motivates the decomposition of systems by features and provides an overview of the promises and challenges it poses to verification. A Notion of Software Development For program verification to thrive, verification methodologies must align with software development methodologies. This goal imposes several requirements. First, verification tools should be able to handle program fragments of the style and granularity that programmers produce. Second, the effort to verify a program increment should bear some reasonable ratio to the effort to develop that increment. Third, the effort needed to reverify a program or fragment as it evolves should be proportional to the effort required to make the modification. Today’s verification techniques fail to meet these goals, partly due to a misalignment between the models of software development and programming on which the techniques are built. Our understanding of this problem is inspired by the picture in Figure 1 which Michael Jackson used in his presentation at ESEC/FSE 2001 (following his acceptance of the SIGSOFT Outstanding Research Award). The box at ? This work is partially funded by NSF grants CCR-0305834, CCR-0132659, CCR0447509 and CCR-0305950. 3 We have transcribed this picture from our notes; a related version is in a paper [1].