Decomposing Verification by Features

Practical program verification techniques must align with the software development methodologies that produce the programs. Researchers from several corners of software engineering have proposed similar models of program development in which modules encapsulate units of end-user functionality known as features. These models ameliorate some difficulties with conventional modular verification, such as property decomposition, while creating others, by contradicting assumptions that underlie most modern program verification techniques. This paper motivates the decomposition of systems by features and provides an overview of the challenges this poses to verification. A Notion of Software Development For program verification to thrive, verification methodologies must align with software development methodologies. This means that verification tools should be able to handle program fragments of the style and granularity that programmers produce. In addition, the effort to verify a program increment should bear some reasonable ratio to the effort to develop that increment. An important trend in software development poses particular challenges to conventional methods of program verification. Our understanding of this trend is inspired by the picture in Figure 1 which Michael Jackson used in his presentation at ESEC/FSE 2001 (following his acceptance of the SIGSOFT Outstanding Research Award). The box at the lower-left might be grossly characterized as the province of programming languages, proceeding from specifications to programs that, we hope, properly implement those specifications. This is the realm of solutions, (in Jackson’s words, the solution space). The box at the upper-right is the domain of requirements engineering: the collection of processes, many sociological (and imprecise!), that glean requirements for a system from its users and other stakeholders or, more broadly, from the fuzzy blob that is the “real world”. In Jackson’s terminology, the transactions in this world must remain in the problem space. ? This work is partially funded by NSF grants CCR-0305834, CCR-0132659, CCR0447509 and CCR-0305950. 3 We have transcribed this picture from our notes; a related version is in a paper [1].