Ian J. Hayes

Laws of programming

A complete set of algebraic laws is given for Dijkstras nondeterministic sequential programming language. Iteration and recursion are explained in terms of Scotts domain theory as fixed points of continuous functionals. A calculus analogous to weakest preconditions is suggested as an aid to deriving programs from their specifications.

FM 2005: Formal Methods

Keynote Talks.- Formal Aids for the Growth of Software Systems.- Formal Methods and Testing: Hypotheses, and Correctness Approximations.- The Natural History of Bugs: Using Formal Methods to Analyse Software Related Failures in Space Missions.- Object Orientation.- Modular Verification of Static Class Invariants.- Decoupling in Object Orientation.- Controlling Object Allocation Using Creation Guards.- Symbolic Animation of JML Specifications.- Resource Analysis and Verification.- Certified Memory Usage Analysis.- Compositional Specification and Analysis of Cost-Based Properties in Probabilistic Programs.- Formally Defining and Verifying Master/Slave Speculative Parallelization.- Timing and Testing.- Systematic Implementation of Real-Time Models.- Timing Tolerances in Safety-Critical Software.- Timed Testing with TorX.- Automatic Verification and Conformance Testing for Validating Safety Properties of Reactive Systems.- CSP, B and Circus.- Adding Conflict and Confusion to CSP.- Combining CSP and B for Specification and Property Verification.- Operational Semantics for Model Checking Circus.- Control Law Diagrams in Circus.- Security.- Verification of a Signature Architecture with HOL-Z.- End-to-End Integrated Security and Performance Analysis on the DEGAS Choreographer Platform.- Formal Verification of Security Properties of Smart Card Embedded Source Code.- Networks and Processes.- A Formal Model of Addressing for Interoperating Networks.- An Approach to Unfolding Asynchronous Communication Protocols.- Semantics of BPEL4WS-Like Fault and Compensation Handling.- Abstraction, Retrenchment and Rewriting.- On Some Galois Connection Based Abstractions for the Mu-Calculus.- Retrenching the Purse: Finite Sequence Numbers, and the Tower Pattern.- Strategic Term Rewriting and Its Application to a Vdm-sl to Sql Conversion.- Scenarios and Modeling Languages.- Synthesis of Distributed Processes from Scenario-Based Specifications.- Verifying Scenario-Based Aspect Specifications.- An MDA Approach Towards Integrating Formal and Informal Modeling Languages.- Model Checking.- Model-Checking of Specifications Integrating Processes, Data and Time.- Automatic Symmetry Detection for Model Checking Using Computational Group Theory.- On Partitioning and Symbolic Model Checking.- Dynamic Component Substitutability Analysis.- Industry Day: Abstracts of Invited Talks.- Floating-Point Verification.- Preliminary Results of a Case Study: Model Checking for Advanced Automotive Applications.- Model-Based Testing in Practice.- Testing Concurrent Object-Oriented Systems with Spec Explorer.- ASD Case Notes: Costs and Benefits of Applying Formal Methods to Industrial Control Software.- The Informal Nature of Systems Engineering.

A case-study in timed refinement: a mine pump

A specification and top-level refinement of a simple mine pump control system, as well as a proof of correctness of the refinement, are presented as an example of the application of a formal method for the development of time-based systems. The overall approach makes use of a refinement calculus for timed systems, similar to the refinement calculi for sequential programs. The specification makes use of topologically continuous functions of time to describe both analog and discrete properties of both the system and its refinements. The basic building block of specifications is a specification statement that gives a clear separation between the specification of the assumptions that the system may make about the environment in which it is to be placed, and the effect the system is guaranteed to achieve if placed in such an environment. The top-level refinement of the system is developed by application of refinement laws that allow design decisions to be made, local state to be introduced, and the decomposition of systems into pipelined and/or parallel processes. >

Specification directed module testing

If a program is developed from a specification in a mathematically rigorous manner, work done in the development can be utilized in the testing of the program. The better understanding afforded by these methods provides a more thorough check on the correct operation of the program under test. This should lead to earlier detection of faults (making it easier to determine their causes), more useful debugging information, and a greater confidence in the correctness of the final product. Overall, a more systematic approach should expedite the task of the program tester and improve software reliability. The testing techniques described here apply to the testing of abstract data types (modulus, packages). The techniques utilize information generated during refinement of a data type, such as the data type invariant and the relationship between the specification and implementation states; this information is used to specify parts of the code to be written for testing.

An Introduction to Real-Time Object-Z

Abstract. This paper presents Real-Time Object-Z: an integration of the object-oriented, state-based specification language Object-Z with the timed trace notation of the timed refinement calculus. This integration provides a method of formally specifying and refining systems involving continuous variables and real-time constraints. The basis of the integration is a mapping of the existing Object-Z history semantics to timed traces.

A sequential real-time refinement calculus

Abstract. We present a comprehensive refinement calculus for the development of sequential, real-time programs from real-time specifications. A specification may include not only execution time limits, but also requirements on the behaviour of outputs over the duration of the execution of the program. The approach allows refinement steps that separate timing constraints and functional requirements. New rules are provided for handling timing constraints, but the refinement of components implementing functional requirements is essentially the same as in the standard refinement calculus. The product of the refinement process is a program in the target programming language extended with timing deadline directives. The extended language is a machine-independent, real-time programming language. To provide valid machine code for a particular model of machine, the machine code produced by a compiler must be analysed to guarantee that it meets the specified timing deadlines.

Applying Formal Specification to Software Development in Industry

This paper reports experience gained in applying formal specification techniques to an existing transaction processing system. The system is the IBM Customer Information Control System (CICS) and the work has concentrated on specifying a number of modules of the CICS application programmers interface.

A timeband framework for modelling real-time systems

Complex real-time systems must integrate physical processes with digital control, human operation and organisational structures. New scientific foundations are required for specifying, designing and implementing these systems. One key challenge is to cope with the wide range of time scales and dynamics inherent in such systems. To exploit the unique properties of time, with the aim of producing more dependable computer-based systems, it is desirable to explicitly identify distinct time bands in which the system is situated. Such a framework enables the temporal properties and associated dynamic behaviour of existing systems to be described and the requirements for new or modified systems to be specified. A system model based on a finite set of distinct time bands is motivated and developed in this paper.

A Set-Theoretic Model for Real-Time Specification and Reasoning

Timed-trace formalisms have emerged as a powerful method for specifying and reasoning about concurrent real-time systems. We present a simple variant which builds methodically on set theory, and is thus suitable for use by programmers with little formal methods experience.

The deadline command

The deadline command is a simple, yet highly flexible, language primitive for real-time programming. Formally, it has a straightforward definition as a constraint on the current time. In practice, it acts as a compiler directive, which can be checked statically, to ensure that the program will always meet its timing requirements. As a concrete example, a way of adding the deadline command to the safety-critical SPARK programming language is described. A detailed comparison is made with other proposed real-time language constructs.