Christie Bolton

On the Refinement and Simulation of Data Types and Processes

This paper presents a behavioural semantics for abstract data types, and thus a correspondence between data types and processes. The value of this correspondence lies in the fact that simulation of the abstract data types is easily verified, and is equivalent to failures refinement of the corresponding processes.

A singleton failures semantics for Communicating Sequential Processes

This paper defines a new denotational semantics for the language of Communicating Sequential Processes (CSP). The semantics lies between the existing traces and failures models of CSP, providing a treatment of non-determinism in terms of singleton failures. Although the semantics does not represent a congruence upon the full language, it is adequate for sequential tests of non-deterministic processes. This semantics corresponds exactly to a commonly used notion of data refinement in Z and Object-Z: an abstract data type is refined when the corresponding process is refined in terms of singleton failures. The semantics is used to explore the relationship between data refinement and process refinement, and to derive a rule for data refinement that is both sound and complete.

Activity Graphs and Processes

The widespread adoption of graphical notations for software design has created a demand for formally-based methods to support and extend their use. A principal focus for this demand is the Unified Modeling Language (UML), and, within UML, the diagrammatic notations for describing dynamic properties. This paper shows how one such notation, that of Activity Graphs, can be given a process semantics in the language of Communicating Sequential Processes (CSP). Such a semantics can be used to demonstrate the consistency of an object model and to provide a link to other methods and tools. A small example is included.

Analyses of the reverse path forwarding routing algorithm

The reverse path forwarding algorithm is a protocol for distributing messages throughout networks. The intention is to preserve correctness - messages sent will eventually be received by all nodes in the originators connected component - whilst minimising the number of propagations of each message. We use a variety of analysis techniques to identify necessary additional constraints, and to prove correctness under these conditions. In particular we present counter examples found by the model-checkers FDR and the Alloy Analyzer, illustrating that the protocol is incorrect if the cost of links is dependent upon the node using that link. We then consider the case where the cost of links is independent of the node using that link; we use a special-purpose network sampling program to increase confidence in the correctness of this stricter protocol, and then perform a hand-proof to verify correctness. We conclude with a discussion of the suitability of these techniques for reasoning about protocols of this complexity.

A Hierarchy of Failures−Based Models

Abstract In this paper we identify the failures class, a class of semantic models for describing concurrent systems. Each such model records all possible sequences of interaction, and gives some information about subsequent availability. Each model is associated with a predicate that determines how much availability information is recorded. The general contribution of the paper is three-fold: we identify the relative strengths of models in terms of their defining predicates; we identify the maximal subset of the language over which each model induces a congruence; and we show how refinement in each model can be automatically tested. More concretely, we apply these general results to specific instances of the class. In particular we construct a spectrum showing the relative strengths of four established models and three interesting new models, and we prove that only Roscoes stable failures and traces models define congruences over the whole language.

A comparison of refinement orderings and their associated simulation rules

Abstract In this paper we compare the refinement orderings, and their associated simulation rules, of state-based specification languages such as Z and Object-Z with the refinement orderings of event-based specification languages such as CSP. We prove with a simple counter-example that data refinement, established using the standard simulation rules for Z, does not imply failures refinement in CSP. This contradicts accepted results. Having explored the differences between the simulation rules for establishing data refinement and those for establishing the refinement of action systems and state-transition systems—models in which refinement is equivalent to failures refinement within CSP—we present a new set of simulation rules for data types. These alternative rules are both sound and jointly complete with respect to the stable failures refinement ordering. Furthermore we present an alternative refinement ordering for CSP, one in which refinement is equivalent to data refinement in Z.

Using relational and behavioural semantics in the verification of object models

This paper shows how a combination of relational and behavioural semantics might be used in the creation and verification of object models. Specifications written in UML may be expressed in terms of abstract data types and processes; different notions of refinement may then be used to establish consistency between diagrams, or to verify that a design is faithful to the specification.

A hierarchy of failures-based models: theory and application

Consistency between a process and its specification expressed in CSP is typically presented as a refinement check. Within the traces model consistency is measured by examining only the traces of the systems, whilst in the finer stable failures model the possibility of subsequently refusing a combination of events is also taken into consideration.In this paper, we begin by motivating the need for alternative measures of consistency. We then identify the failures class-a class of semantic models for describing concurrent systems in which each model is associated with a predicate that determines how much availability information is recorded. We show how refinement within members of this class corresponds to confirmation of non-standard measures of consistency, and identify application areas for these measures of consistency. We show how refinement in each model can be automatically tested.We also carry out a theoretical examination of the failures class. We prove that the class forms a complete lattice, and investigate the positions of particular models within that lattice. We also identify the maximal subset of the language over which each model is compositional.