6.2.2 Relative Correctness
Implicit in the definition of a fault is the idea that the program would be better off without it. If we are talking about the last remaining fault of a program (how do we ever know that?), then we can characterize it by the fact that with the fault, the
6.2 FAULTS AND RELATIVE CORRECTNESS 105
program is incorrect, and without the fault, the program is correct. But in general, programs have (many) more than one fault, and removing one fault does not make the program correct, but it ought to make it more-correct. Whence the following definition.
Definition: Relative Correctness Let R be a specification on space S and let p and p' be two programs on space S, whose functions are P and P'. We say that p' is more-correct than p with respect to R if and only if
$$\mathrm{dom}(R \cap P') \supseteq \mathrm{dom}(R \cap P).$$
We say that p' is strictly-more-correct than p with respect to R if and only if
$$\mathrm{dom}(R \cap P') \supset \mathrm{dom}(R \cap P).$$
Interpretation: $\mathrm{dom}(R \cap P)$ represents the set of initial states on which program p delivers an output that specification R considers correct; we refer to this set as the competence domain of program p with respect to specification R. Clearly, the larger the competence domain, the better: when p' is more-correct than p with respect to R, then whenever p behaves correctly on an initial state, so does p'. The following proposition links the novel concept of relative correctness to a well-known property: reliability.
Proposition: Relative Correctness and Reliability Let R be a specification on space S and let p and p' be two programs such that p' is more-correct than p with respect to R. Then program p' is more reliable with respect to R than p.
The proof of this proposition is straightforward: We equate reliability with the probability of a successful execution of a program on an arbitrary element of the domain of R; reliability is usually quantified in terms of MTTF, which is clearly monotonic with respect to the said probability. If we consider a probability distribution over the domain of R, which reflects the likelihood of inputs submitted to the programs, then it is clear that the probability of a successful execution of p' is larger than the probability of a successful execution of p, since each probability of successful execution is computed as the integral of the probability distribution over the competence domain. See Figure 6.1; the gain in probability is indicated by the integral (or the sum, for discrete probability distributions) of the probability distribution over the range of inputs in $\mathrm{dom}(R \cap P') \setminus \mathrm{dom}(R \cap P)$.
Given that $\mathrm{dom}(R \cap P)$ is, by construction, a subset of $\mathrm{dom}(R)$, the best that a program p can do is to achieve the equality $\mathrm{dom}(R \cap P) = \mathrm{dom}(R)$. But we have seen in Chapter 5 that this is the condition under which p is correct with respect to specification R. Whence the following proposition.
Figure 6.1 Relative correctness and relative reliability. [Diagram labels: $\mathrm{dom}(R \cap P')$, $\mathrm{dom}(R \cap P)$, $\mathrm{dom}(R)$.]
Figure 6.2 To be more-correct without duplicating correct behavior.
Proposition: Maximum Relative Correctness Let R be a specification on space S and let p' be a program on space S. Then p' is correct with respect to R if and only if p' is more-correct with respect to R than any program p on space S.
The interest of this proposition is that it presents program correctness as an extreme form of relative correctness: a faulty program can become fault-free by shedding its faults and augmenting its competence domain $\mathrm{dom}(R \cap P)$ until it reaches its maximum value, that is, $\mathrm{dom}(R)$, at which point the program becomes totally fault-free.
Note that for program p' to be more-correct than program p with respect to specification R, p' has to behave correctly with respect to R for all initial states for which p behaves correctly. Note that this does not mean that program p and program p' behave identically on $\mathrm{dom}(R \cap P)$. Because R may be non-deterministic, programs p and p' may both satisfy specification R on $\mathrm{dom}(R \cap P)$ while being distinct. In particular, several programs may be correct with respect to specification R and still be distinct from each other, even within $\mathrm{dom}(R)$. See Figure 6.2. In this example, program p' is more-correct than program p; yet program p' does not coincide with program p on $\mathrm{dom}(R \cap P) = \{4, 5\}$.
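As an added worked example (not from the book), the definition above and the situation of Figure 6.2 encoded in Python: the specification and the programs are finite relations on a small constructed space, the competence domain is dom(R ∩ P), relative correctness is superset inclusion of competence domains, and the reliability function carries out the proof sketch with a uniform input distribution over dom(R). The space, the spec R, and the programs P, P1, P2 are constructed for illustration.

```python
from fractions import Fraction

def dom(rel: set) -> set:
    """Domain of a relation: the states it relates to at least one output."""
    return {s for s, _ in rel}

def program_function(f, space) -> set:
    """Represent a total, deterministic program as the relation P = {(s, f(s))}."""
    return {(s, f(s)) for s in space}

def competence_domain(R: set, P: set) -> set:
    """dom(R ∩ P): the initial states on which P's output is one that R accepts."""
    return dom(R & P)

def more_correct(R: set, P_prime: set, P: set) -> bool:
    """p' is more-correct than p w.r.t. R iff dom(R ∩ P') ⊇ dom(R ∩ P)."""
    return competence_domain(R, P_prime) >= competence_domain(R, P)

def strictly_more_correct(R: set, P_prime: set, P: set) -> bool:
    """Strict version: dom(R ∩ P') is a proper superset of dom(R ∩ P)."""
    return competence_domain(R, P_prime) > competence_domain(R, P)

def correct(R: set, P: set) -> bool:
    """Correctness is the extreme case: the competence domain equals dom(R)."""
    return competence_domain(R, P) == dom(R)

def reliability(R: set, P: set, dist: dict) -> Fraction:
    """Probability of a successful run: mass of dist (over dom(R)) inside dom(R ∩ P)."""
    return sum((dist[s] for s in competence_domain(R, P)), Fraction(0))

def gain(R: set, P_prime: set, P: set) -> set:
    """Inputs where p' succeeds and p fails: dom(R ∩ P') minus dom(R ∩ P) (the gain in Figure 6.1)."""
    return competence_domain(R, P_prime) - competence_domain(R, P)

def output(P: set, s) -> int:
    """The single output a deterministic program relation assigns to state s."""
    return next(t for x, t in P if x == s)

# Constructed illustration (not the book's example): space S = {0,...,7}, and the
# non-deterministic specification R accepts either s+3 or s+4 as output for every s.
SPACE = range(8)
R = {(s, t) for s in SPACE for t in (s + 3, s + 4)}
P = program_function(lambda s: s + 3 if s in (4, 5) else s - 1, SPACE)   # acceptable only on {4,5}
P1 = program_function(lambda s: s + 4 if 2 <= s <= 6 else s - 1, SPACE)  # acceptable on {2,...,6}
P2 = program_function(lambda s: s + 3, SPACE)                            # acceptable on all of dom(R)
UNIFORM = {s: Fraction(1, len(SPACE)) for s in SPACE}                    # input distribution over dom(R)

if __name__ == "__main__":
    print(sorted(competence_domain(R, P)), sorted(gain(R, P1, P)), correct(R, P2))
    print(reliability(R, P, UNIFORM), reliability(R, P1, UNIFORM), reliability(R, P2, UNIFORM))
```

P1 is strictly more-correct than P yet disagrees with it on every state of {4, 5}, which is exactly the point of Figure 6.2: both outputs are acceptable to the non-deterministic R.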