% The TRAP manual: How to validate MF --- last updated by D E Knuth on 4 Dec 89 \font\eighttt= cmtt8 \font\eightrm= cmr8 \font\titlefont=cmssdc10 at 40pt \let\mc=\eightrm \font\logo=manfnt % font used for the METAFONT logo \def\MF{{\logo META}\-{\logo FONT}} \rm \let\mainfont=\tenrm \def\.#1{\hbox{\tt#1}} \def\\#1{\hbox{\it#1\/\hskip.05em}} % italic type for identifiers \parskip 2pt plus 1pt \baselineskip 12pt plus .25pt \def\verbatim#1{\begingroup \frenchspacing \def\do##1{\catcode`##1=12 } \dospecials \parskip 0pt \parindent 0pt \catcode`\ =\active \catcode`\^^M=\active \tt \def\par{\ \endgraf} \obeylines \obeyspaces \input #1 \endgroup} % a blank line will be typeset at the end of the file; % if you're unlucky it will appear on a page by itself! {\obeyspaces\global\let =\ } \output{\shipout\box255\global\advance\pageno by 1} % for the title page only \null \vfill \centerline{\titlefont A Torture Test} \vskip8pt \centerline{\titlefont for \logo ()*+,-.*} \vskip 24pt \centerline{by Donald E. Knuth} \centerline{Stanford University} \vskip 6pt \centerline{({\sl Version 2, January 1990\/})} \vfill \centerline{\vbox{\hsize 4in \noindent Programs that claim to be implementations of \MF84 are supposed to be able to process the test routine contained in this report, producing the outputs contained in this report.}} \vskip 24pt {\baselineskip 9pt \eightrm\noindent The preparation of this report was supported in part by the National Science Foundation under grants IST-8201926 and MCS-8300984, and by the System Development Foundation. {\logo opqrstuq} is a trademark of Addison-Wesley Publishing Company. }\pageno=0\eject \output{\shipout\vbox{ % for subsequent pages \baselineskip0pt\lineskip0pt \hbox to\hsize{\strut \ifodd\pageno \hfil\eightrm\firstmark\hfil \mainfont\the\pageno \else\mainfont\the\pageno\hfil \eightrm\firstmark\hfil\fi} \vskip 10pt \box255} \global\advance\pageno by 1} \let\runninghead=\mark \outer\def\section#1.{\noindent{\bf#1.}\quad \runninghead{\uppercase{#1} }\ignorespaces} \section Introduction. People often think that their programs are ``debugged'' when large applications have been run successfully. But system programmers know that a typical large application tends to use at most about 50 per cent of the instructions in a typical compiler. Although the other half of the code---which tends to be the ``harder half''---might be riddled with errors, the system seems to be working quite impressively until an unusual case shows up on the next day. And on the following day another error manifests itself, and so on; months or years go by before certain parts of the compiler are even activated, much less tested in combination with other portions of the system, if user applications provide the only tests. How then shall we go about testing a compiler? Ideally we would like to have a formal proof of correctness, certified by a computer. This would give us a lot of confidence, although of course the formal verification program might itself be incorrect. A more serious drawback of automatic verification is that the formal specifications of the compiler are likely to be wrong, since they aren't much easier to write than the compiler itself. Alternatively, we can substitute an informal proof of correctness: The programmer writes his or her code in a structured manner and checks that appropriate relations remain invariant, etc. This helps greatly to reduce errors, but it cannot be expected to remove them completely; the task of checking a large system is sufficiently formidable that human beings cannot do it without making at least a few slips here and there. Thus, we have seen that test programs are unsatisfactory if they are simply large user applications; yet some sort of test program is needed because proofs of correctness aren't adequate either. People have proposed schemes for constructing test data automatically from a program text, but such approaches run the risk of circularity, since they cannot assume that a given program has the right structure. I have been having good luck with a somewhat different approach, first used in 1960 to debug an {\mc ALGOL} compiler. The idea is to construct a test file that is about as different from a typical user application as could be imagined. Instead of testing things that people normally want to do, the file tests complicated things that people would never dare to think of, and it embeds these complexities in still more arcane constructions. Instead of trying to make the compiler do the right thing, the goal is to make it fail (until the bugs have all been found). To write such a fiendish test routine, one simply gets into a nasty frame of mind and tries to do everything in the unexpected way. Parameters that are normally positive are set negative or zero; borderline cases are pushed to the limit; deliberate errors are made in hopes that the compiler will not be able to recover properly from them. A user's application tends to exercise 50\%\ of a compiler's logic, but my first fiendish tests tend to improve this to about 90\%. As the next step I generally make use of frequency-counting software to identify the instructions that have still not been called upon. Then I add ever more fiendishness to the test routine, until more than 99\%\ of the code has been used at least once. (The remaining bits are things that can occur only if the source program is really huge, or if certain fatal errors are detected; or they are cases so similar to other well-tested things that there can be little doubt of their validity.) Of course, this is not guaranteed to work. But my experience in 1960 was that only two bugs were ever found in that {\mc ALGOL} compiler after it correctly translated that original fiendish test. And one of those bugs was actually present in the results of the test; I simply had failed to notice that the output was incorrect. Similar experiences occurred later during the 60s and 70s, with respect to a few assemblers, compilers, and simulators that I wrote. This method of debugging, combined with the methodology of structured programming and informal proofs (otherwise known as careful desk checking), leads to greater reliability of production software than any other method I know. Therefore I have used it in developing \MF84, and the main bulk of this report is simply a presentation of the test program that was used to get the bugs out of \MF. Such a test file is useful also after a program has been debugged, since it can be used to give some assurance that subsequent modifications don't mess things up. The test file is called \.{TRAP.MF}, because of my warped sense of humor: \MF's companion system, \TeX, has a similar test file called \.{TRIP}, and I couldn't help thinking about Billy Goat Gruff and the story of ``trip, trap, trip, trap.'' The contents of this test file are so remote from what people actually do with \MF, I feel apologetic if I have to explain the correct translation of \.{TRAP.MF}; nobody really cares about most of the nitty-gritty rules that are involved. Yet I believe \.{TRAP} exemplifies the sort of test program that has outstanding diagnostic ability, as explained above. If somebody claims to have a correct implementation of \MF, I will not believe it until I see that \.{TRAP.MF} is translated properly. I propose, in fact, that a program must meet two criteria before it can justifiably be called \MF: (1)~The person who wrote it must be happy with the way it works at his or her installation; and (2)~the program must produce the correct results from \.{TRAP.MF}. \MF\ is in the public domain, and its algorithms are published; I've done this since I do not want to discourage its use by placing proprietary restrictions on the software. However, I don't want faulty imitations to masquerade as \MF\ processors, since users want \MF\ to produce identical results on different machines. Hence I am planning to do whatever I can to suppress any systems that call themselves \MF\ without meeting conditions (1) and~(2). I have copyrighted the programs so that I have some chance to forbid unauthorized copies; I explicitly authorize copying of correct \MF\ implementations, and not of incorrect ones! The remainder of this report consists of appendices, whose contents ought to be described briefly here: Appendix A explains in detail how to carry out a test of \MF, given a tape that contains copies of the other appendices. Appendix B is \.{TRAP.MF}, the fiendish test file that has already been mentioned. People who think that they understand \MF\ are challenged to see if they know what \MF\ is supposed to do with this file. People who know only a little about \MF\ might still find it interesting to study Appendix~B, just to get some insights into the methodology advocated here. Appendix C is \.{TRAPIN.LOG}, a correct transcript file \.{TRAP.LOG} that results if \.{INIMF} is applied to \.{TRAP.MF}. (\.{INIMF} is the name of a version of \MF\ that does certain initializations; this run of \.{INIMF} also creates a binary base file called \.{TRAP.BASE}.) Appendix D is a correct transcript file \.{TRAP.LOG} that results if \.{INIMF} or any other version of \MF\ is applied to \.{TRAP.MF} with base file \.{TRAP.BASE}. Appendix E is \.{TRAP.TYP}, the symbolic version of a correct output file \.{TRAP.72270GF} that was produced at the same time as the \.{TRAP.LOG} file of Appendix~D. Appendix F is \.{TRAP.PL}, the symbolic version of a correct output file \.{TRAP.TFM} that was produced at the same time as the \.{TRAP.LOG} file of Appendix~D. Appendix G is \.{TRAP.FOT}, an abbreviated version of Appendix D that appears on the user's terminal during the run that produces \.{TRAP.LOG}, \.{TRAP.72270GF}, and \.{TRAP.TFM}. The debugging of \MF\ and the testing of the adequacy of \.{TRAP.MF} could not have been done nearly as well as reported here except for the magnificent software support provided by my colleague David R. Fuchs. In particular, he extended our local Pascal compiler so that frequency counting and a number of other important features were added to its online debugging abilities. The method of testing advocated here has one chief difficulty that deserves comment: I had to verify by hand that \MF\ did the right things to \.{TRAP.MF}. This took many hours, and perhaps I have missed something (as I did in 1960); I must confess that I have not checked every single number in Appendices D, E, and~F. However, I'm willing to pay $\$$81.92 to the first finder of any remaining bug in \MF, and I will be surprised if that bug doesn't show up also in one of these appendices. \vfill\eject \section Appendix A: How to test \MF. \item{0.} Let's assume that you have a tape containing \.{TRAP.MF}, \.{TRAPIN.LOG}, \.{TRAP.LOG}, \.{TRAP.TYP}, \.{TRAP.PL}, and \.{TRAP.FOT}, as in Appendices B, C, D, E, F, and~G. Furthermore, let's suppose that you have a working \.{WEB} system, and that you have working programs \.{TFtoPL} and \.{GFtype}, as described in the \TeX ware and \MF ware reports. \item{1.} Prepare a version of \.{INIMF}. (This means that your \.{WEB} change file should have {\bf init} and {\bf tini} defined to be null.) The {\bf debug} and {\bf gubed} macros should be null, in order to activate special printouts that occur when $\\{tracingedges}>1.0$. The {\bf stat} and {\bf tats} macros should also be null, so that statistics are kept. Set \\{mem\_top} and \\{mem\_max} to 3000 (or to \\{mem\_min} plus 3000, if \\{mem\_min} isn't zero), for purposes of this test version. Also set $\\{error\_line}=64$, $\\{half\_error\_line}=32$, $\\{max\_print\_line}=72$, $\\{screen\_width}=100$, and $\\{screen\_depth}=200$; these parameters affect many of the lines of the test output, so your job will be much easier if you use the same settings that were used to produce Appendix~E. Also (if possible) set $\\{gf\_buf\_size}=8$, since this tests more parts of the program. You probably should also use the ``normal'' settings of other parameters found in \.{MF.WEB} (e.g., $\\{max\_internal}=100$, $\\{buf\_size}=500$, etc.), since these show up in a few lines of the test output. Finally, change \MF's screen-display routines by putting the following simple lines in the change file: $$\vbox{\halign{\tt#\hfil\cr \char`\@x Screen routines:\cr begin init\char`\_screen:=false;\cr \char`\@y\cr begin init\char`\_screen:=true; \char`\{screen instructions will be logged\char`\}\cr \char`\@z\cr}}$$ None of the other screen routines (\\{update\_screen}, \\{blank\_rectangle}, \\{paint\_row}) should be changed in any way; the effect will be to have \MF's actions recorded in the transcript files instead of on the screen, in a machine-independent way. \item{2.} Run the \.{INIMF} prepared in step 1. In response to the first `\.{**}' prompt, type carriage return (thus getting another `\.{**}'). Then type `\.{\char`\\input trap}'. You should get an output that matches the file \.{TRAPIN.LOG} (Appendix~C). Don't be alarmed by the error messages that you see, unless they are different from those in Appendix~C. \def\sp{{\char'40}} \item{3.} Run \.{INIMF} again. This time type `\.{\sp\&trap\sp\sp trap\sp}'. (The spaces in this input help to check certain parts of \MF\ that aren't otherwise used.) You should get outputs \.{TRAP.LOG}, \.{TRAP.72270GF}, and \.{TRAP.TFM}. Furthermore, your terminal should receive output that matches \.{TRAP.FOT} (Appendix~G). During the middle part of this test, however, the terminal will not be getting output, because \.{batchmode} is being tested; don't worry if nothing seems to be happening for a while---nothing is supposed to. \item{4.} Compare the \.{TRAP.LOG} file from step 3 with the ``master'' \.{TRAP.LOG} file of step~0. (Let's hope you put that master file in a safe place so that it wouldn't be clobbered.) There should be perfect agreement between these files except in the following respects: \itemitem{a)} The dates and possibly the file names will naturally be different. \itemitem{b)} If you had different values for \\{stack\_size}, \\{buf\_size}, etc., the corresponding capacity values will be different when they are printed out at the end. \itemitem{c)} Help messages may be different; indeed, the author encourages non-English help messages in versions of \MF\ for people who don't understand English as well as some other language. \itemitem{d)} The total number and length of strings at the end and/or ``still untouched'' may well be different. \itemitem{e)} If your \MF\ uses a different memory allocation or packing scheme, the memory usage statistics may change. \itemitem{f)} If you use a different storage allocation scheme, the capsule numbers will probably be different, but the order of variables should be unchanged when dependent variables are shown. \MF\ should also choose the same variables to be dependent. \itemitem{g)} If your computer handles integer division of negative operands in a nonstandard way, you may get results that are rounded differently. Although \TeX\ is careful to be machine-independent in this regard, \MF\ is not, because integer divisions are present in so many places. \item{5.} Use \.{GFtype} to convert your file \.{TRAP.72270GF} to a file \.{TRAP.TYP}. (Both of \.{GFtype}'s options, i.e., mnemonic output and image output, should be enabled so that you get the maximum amount of output.) The resulting file should agree with the master \.{TRAP.TYP} file of step~0, assuming that your \.{GFtype} has the ``normal'' values of compile-time constants ($\\{top\_pixel}=69$, etc.). \item{6.} Use \.{TFtoPL} to convert your file \.{TRAP.TFM} to a file \.{TRAP.PL}. The resulting file should agree with the master \.{TRAP.PL} file of step~0. \item{7.} You might also wish to test \.{TRAP} with other versions of \MF\ (i.e., \.{VIRMF} or a production version with another base file preloaded). It should work unless \MF's primitives have been redefined in the base file. However, this step isn't essential, since all the code of \.{VIRMF} appears in \.{INIMF}; you probably won't catch any more errors this way, unless they would already become obvious from normal use of the~system. \vfill\eject \section Appendix B: The \.{TRAP.MF} file. The contents of the test routine are prefixed here with line numbers, for ease in comparing this file with the error messages printed later; the line numbers aren't actually present. \runninghead{APPENDIX B: \.{TRAP.MF} (CONTINUED)} \vskip 8pt \begingroup\count255=0 \everypar{\global\advance\count255 by 1 \hbox to 20pt{\sevenrm\hfil\the\count255\ \ }} \verbatim{trap.mf} \endgroup \vfill\eject \section Appendix C: The \.{TRAPIN.LOG} file. When \.{INIMF} makes the \.{TRAP.BASE} file, it also creates a file called \.{TRAP.LOG} that looks like this. \runninghead{APPENDIX C: \.{TRAPIN.LOG} (CONTINUED)} \vskip8pt \verbatim{trapin.log} \vfill\eject \section Appendix D: The \.{TRAP.LOG} file. Here is the major output of the \.{TRAP} test; it is generated by running \.{INIMF} and loading \.{TRAP.BASE}, then reading \.{TRAP.MF}. \runninghead{APPENDIX D: \.{TRAP.LOG} (CONTINUED)} {\let\tt=\eighttt\leftskip 1in\baselineskip 9pt plus .1pt minus .1pt \vskip8pt \verbatim{trap.log} } \vfill\eject \section Appendix E: The \.{TRAP.TYP} file. Here is another major component of the test. It shows the output of \.{GFtype} applied to the file \.{TRAP.72270GF} that is created at the same time Appendix D was produced. \runninghead{APPENDIX E: \.{TRAP.TYP} (CONTINUED)} {\let\tt=\eighttt\leftskip 1in\baselineskip 9pt plus .1pt minus .1pt \vskip8pt \verbatim{trap.typ} } \vfill\eject \section Appendix F: The \.{TRAP.PL} file. In this case we have the output of \.{TFtoPL} applied to the file \.{TRAP.TFM} that is created at the same time Appendix D was produced. \runninghead{APPENDIX F: \.{TRAP.PL} (CONTINUED)} {\let\tt=\eighttt\leftskip 1in\baselineskip 9pt plus .1pt minus .1pt \vskip8pt \verbatim{trap.pl} } \vfill\eject \section Appendix G: The \.{TRAP.FOT} file. This shows what appeared on the terminal while Appendix D was being produced. \runninghead{APPENDIX G: \.{TRAP.FOT} (CONTINUED)} \vskip8pt \verbatim{trap.fot} \vfill\end