Brian Ritchie

Mural: A Formal Development Support System

1General introduction.- 1.1 Formal methods.- 1.2 VDM development.- 1.3 The IPSE 2.5 project.- 1.4 Proof assistant requirements.- 2 Introduction to mural.- 2.1 General introduction.- 2.2 The proof assistant.- 2.3 The VDM support tool.- 2.4 Reasoning about developments.- 3 Instantiation.- 3.1 Symbolic logic in mural.- 3.2 Classical first order predicate calculus.- 3.3 Some common data types.- 3.4 More complicated formulations.- 3.5 The theory of VDM.- 3.6 Some other logics.- 4 Foundation.- 4.1 Preamble.- 4.2 Syntax.- 4.3 Natural Deduction rules.- 4.4 Rule Schemas and instantiation.- 4.5 The mural store.- 4.6 Syntactic contexts and well-formedness.- 4.7 Proofs.- 4.8 Morphisms.- 4.9 Pattern matching.- 4.10 Reading the full specification.- 4.11 Limitations of the mural approach.- 5 The tactic language.- 5.1 Mechanising proof in mural.- 5.2 The language.- 5.3 The implementation of tactics.- 5.4 Examples.- 6 Implementing the mural proof assistant.- 6.1 The process of implementation.- 6.2 The implementation.- 6.3 Lessons learnt and advice to the young.- 6.4 The future.- 6.5 The final word.- 7 Supporting formal software development.- 7.1 Abstract specification.- 7.2 Relating specifications.- 7.3 Support for reasoning about formal developments.- 8 The mural VDM Support Tool.- 8.1 Specifying VDM developments in VDM.- 8.2 Theories from specifications.- 8.3 Scope for growth.- 9 Foundations of specification animation.- 9.1 Approaches to animation.- 9.2 Denotational semantics of symbolic execution.- 9.3 Operational semantics of symbolic execution.- 9.4 Theories to support symbolic execution.- 9.5 Conclusions.- 10 Case Studies.- 10.1 Specifications in VDM.- 10.2 Transformation of VDM into mural -theories.- 10.3 A watchdog for a reactor system.- 10.4 An algorithm for topological sorting.- 10.5 Theories for VDM in mural.- 11 Conclusions.- 11.1 Experimental use of mural.- 11.2 Detailed observations.- 11.3 Further developments.- 11.4 Summary.- Appendices.- A Summary of VDM Notation.- B Glossary of terms.- C The Specification of the Proof Assistant.- C.1 The Raw Syntax.- C.2 Subterm Access and Editing.- C.3 Sequents and Rules.- C.4 Instantiation and Pattern-matching.- C.5 Signatures.- C.6 Theories.- C.7 Morphisms and Theory Morphisms.- C.8 Proofs.- C.9 The Store.- D The specification of the animation tool.- D.1 Data structure and some auxiliary functions.- D.2 Operations.- E The Theorem Provers House.

Proof in VDM: a practitioner's guide

1 Introduction.- 1.1 Background.- 1.2 How proofs arise in practice: an introductory example.- 1.3 A logical framework for proofs.- 1.4 Summary.- I A Logical Basis for Proof in VDM.- 2 Propositional LPF.- 2.1 Introduction.- 2.2 Basic axiomatisation.- 2.3 Derived rules reasoning by cases reasoning using contradiction.- 2.4 Using definitions: conjunction.- 2.5 Implication definedness further defined constructs.- 2.6 Summary.- 2.7 Exercises.- 3 Predicate LPF with Equality.- 3.1 Predicates.- 3.2 Types in predicates.- 3.3 Predicate calculus for LPF: proof strategies for quantifiers.- 3.4 Reasoning about equality: substitution and chains of equality.- 3.5 Extensions to typed predicate LPF with equality.- 3.6 Summary.- 3.7 Exercises.- 4 Basic Type Constructors.- 4.1 Introduction.- 4.2 Union types.- 4.3 Cartesian product types.- 4.4 Optional types.- 4.5 Subtypes.- 4.6 A note on composite types.- 4.7 Summary.- 4.8 Exercises.- 5 Numbers.- 5.1 Introduction.- 5.2 Axiomatising the natural numbers.- 5.3 Axiomatisation of addition and proof by induction.- 5.4 More on proof by induction.- 5.5 Using direct definitions.- 5.6 Summary.- 5.7 Exercises.- 6 Finite Sets.- 6.1 Introduction.- 6.2 Generators for sets set membership set induction.- 6.3 Proof using set induction.- 6.4 Quantification over sets.- 6.5 Subsets set equality cardinality.- 6.6 Other set constructors.- 6.7 Set comprehension.- 6.8 Reasoning about set comprehension.- 6.9 Summary.- 6.10 Exercises.- 7 Finite Maps.- 7.1 Introduction.- 7.2 Basic axiomatisation.- 7.3 Axiomatisation using generators.- 7.4 Extraction and abstraction of lemmas.- 7.5 Using subsidiary definitions.- 7.6 Polymorphic subtypes and associated induction rules.- 7.7 Map comprehension.- 7.8 Summary.- 7.9 Exercises.- 8 Finite Sequences.- 8.1 Introduction.- 8.2 Basic axiomatisation.- 8.3 Destructors.- 8.4 Equality between lists.- 8.5 Operators on lists.- 8.6 An alternative generator set.- 8.7 Summary.- 8.8 Exercises.- 9 Booleans.- 9.1 Introduction.- 9.2 Basic axiomatisation.- 9.3 Formation rules for boolean-valued operators.- 9.4 An example of a well-formedness proof obligation.- 9.5 Summary.- 9.6 Exercises.- II Proof in Practice.- 10 Proofs From Specifications.- 10.1 Introduction.- 10.2 Type definitions.- 10.3 The state.- 10.4 Functions and values.- 10.5 Operations.- 10.6 Validation proofs.- 10.7 Summary.- 10.8 Exercises.- 11 Verifying Reifications.- 11.1 Introduction.- 11.2 Data reification.- 11.3 Operation modelling.- 11.4 An example reification proof.- 11.5 Implementing functions.- 11.6 Implementation bias and unreachable states.- 11.7 Summary.- 11.8 Exercises.- 12 A Case Study in Air-Traffic Control.- 12.1 Introduction.- 12.2 The air-traffic control system.- 12.3 Formalisation of the state model.- 12.4 Top-level operations.- 12.5 First refinement step.- 12.6 Second refinement step.- 12.7 Concluding remarks.- 13 Advanced Topics.- 13.1 Introduction.- 13.2 Functions as a data type.- 13.3 Comparing elements of disjoint types.- 13.4 Recursive type definitions.- 13.5 Enumerated sets, maps and sequences.- 13.6 Patterns.- 13.7 Other expressions.- 13.8 Other types.- III Directory of Theorems.- 14 Directory of Theorems.- 14.1 Propositonal LPF.- 14.2 Predicate LPF with equality.- 14.3 Basic type constructors.- 14.4 Natural numbers.- 14.5 Finite sets.- 14.6 Finite maps.- 14.7 Finite sequences.- 14.8 Booleans.- 14.9 Specifications.- 14.10 Reifications.- 14.11 Case study I: abstract specification.- 14.12 Case study II: refinement.- Index of Symbols.- Index of Rules.

Orchestration and Workflow in a mobile Grid environment

The service orchestration problem is a problem of making multiple services coordinate themselves and communicate in an orderly fashion so as to accomplish a task more complex than the single tasks provided by the individual composing services. By enabling this orchestration in a controlled manner it is possible to create value-added services. The Akogrimo (access to knowledge through the grid in a mobile world) project is aiming to integrate grid infrastructure in a nomadic and mobile world. The context in which users and services are available is a consequence of mobility, and could change very fast. Therefore in such a complex environment the effective orchestration of the available services is essential to the successful delivery of the task. In this paper, we will explain how we envisaged these new challenges and the innovative and original solution that we propose

Invariants, Frames and Postconditions: a Comparison of the VDM and B Notations

VDM and B are two “model-oriented” formal methods. Each gives a notation for the specification of systems as state machines in terms of a set of states with operations defined as relations on that set. Each has a notion of refinement of data and operations based on the principles of reduction of non-determinism and increase in definedness.

Reasoning about VDM Developments using the VDM Support Tool in MURAL

Mural is an interactive mathematical reasoning environment designed to assist the kind of theorem proving tasks that arise when following a formal methods approach to software engineering. It is the result of work carried out at Manchester University and the Rutherford Appleton Laboratory under the Alvey IPSE 2.5 project.

Synthesising Structure from Flat Specifications

Within the design process, a high-level specification is subject to two conflicting tensions. It is used as a vehicle for validating the requirements, and also as a first step of the refinement process. Whilst the structuring mechanisms available in the B method are well-suited for the latter purpose, the rich type constructions of VDM are useful for the former.

Investigating the Integration of two Formal Methods

Abstract. VDM and B are two mature formal methods currently in use by industry and supported by commercial tools. Though the methods are foundationally similar, the coverage of their supporting tools differ significantly. The SPECTRUM project has investigated the feasibility of integrating support for the two methodologies. In this paper, we describe the project and report on some technical results.

A Semantic Approach to Enhance Service Composition in Workflows that use Mobile Services

The successful execution of workflows using mobile services is dependant on the services behaving as expected. The management of this behaviour in Akogrimo is achieved by a context management framework bridging both the network and Grid middleware. The quality of the information that passes over this link is essential to the whole Akogrimo application. In order to ensure relevant and specific context information is used in Akogrimo the development of mechanism to aid network to middleware service to service understanding is essential. In creating such a mechanism the concept of self similarity in creating understanding between services is essential. The challenges and issues when applying this process to Akogrimos unique mix of services are discussed in this paper.