Juan Bicarregui

Proof in VDM: a practitioner's guide

1 Introduction.- 1.1 Background.- 1.2 How proofs arise in practice: an introductory example.- 1.3 A logical framework for proofs.- 1.4 Summary.- I A Logical Basis for Proof in VDM.- 2 Propositional LPF.- 2.1 Introduction.- 2.2 Basic axiomatisation.- 2.3 Derived rules reasoning by cases reasoning using contradiction.- 2.4 Using definitions: conjunction.- 2.5 Implication definedness further defined constructs.- 2.6 Summary.- 2.7 Exercises.- 3 Predicate LPF with Equality.- 3.1 Predicates.- 3.2 Types in predicates.- 3.3 Predicate calculus for LPF: proof strategies for quantifiers.- 3.4 Reasoning about equality: substitution and chains of equality.- 3.5 Extensions to typed predicate LPF with equality.- 3.6 Summary.- 3.7 Exercises.- 4 Basic Type Constructors.- 4.1 Introduction.- 4.2 Union types.- 4.3 Cartesian product types.- 4.4 Optional types.- 4.5 Subtypes.- 4.6 A note on composite types.- 4.7 Summary.- 4.8 Exercises.- 5 Numbers.- 5.1 Introduction.- 5.2 Axiomatising the natural numbers.- 5.3 Axiomatisation of addition and proof by induction.- 5.4 More on proof by induction.- 5.5 Using direct definitions.- 5.6 Summary.- 5.7 Exercises.- 6 Finite Sets.- 6.1 Introduction.- 6.2 Generators for sets set membership set induction.- 6.3 Proof using set induction.- 6.4 Quantification over sets.- 6.5 Subsets set equality cardinality.- 6.6 Other set constructors.- 6.7 Set comprehension.- 6.8 Reasoning about set comprehension.- 6.9 Summary.- 6.10 Exercises.- 7 Finite Maps.- 7.1 Introduction.- 7.2 Basic axiomatisation.- 7.3 Axiomatisation using generators.- 7.4 Extraction and abstraction of lemmas.- 7.5 Using subsidiary definitions.- 7.6 Polymorphic subtypes and associated induction rules.- 7.7 Map comprehension.- 7.8 Summary.- 7.9 Exercises.- 8 Finite Sequences.- 8.1 Introduction.- 8.2 Basic axiomatisation.- 8.3 Destructors.- 8.4 Equality between lists.- 8.5 Operators on lists.- 8.6 An alternative generator set.- 8.7 Summary.- 8.8 Exercises.- 9 Booleans.- 9.1 Introduction.- 9.2 Basic axiomatisation.- 9.3 Formation rules for boolean-valued operators.- 9.4 An example of a well-formedness proof obligation.- 9.5 Summary.- 9.6 Exercises.- II Proof in Practice.- 10 Proofs From Specifications.- 10.1 Introduction.- 10.2 Type definitions.- 10.3 The state.- 10.4 Functions and values.- 10.5 Operations.- 10.6 Validation proofs.- 10.7 Summary.- 10.8 Exercises.- 11 Verifying Reifications.- 11.1 Introduction.- 11.2 Data reification.- 11.3 Operation modelling.- 11.4 An example reification proof.- 11.5 Implementing functions.- 11.6 Implementation bias and unreachable states.- 11.7 Summary.- 11.8 Exercises.- 12 A Case Study in Air-Traffic Control.- 12.1 Introduction.- 12.2 The air-traffic control system.- 12.3 Formalisation of the state model.- 12.4 Top-level operations.- 12.5 First refinement step.- 12.6 Second refinement step.- 12.7 Concluding remarks.- 13 Advanced Topics.- 13.1 Introduction.- 13.2 Functions as a data type.- 13.3 Comparing elements of disjoint types.- 13.4 Recursive type definitions.- 13.5 Enumerated sets, maps and sequences.- 13.6 Patterns.- 13.7 Other expressions.- 13.8 Other types.- III Directory of Theorems.- 14 Directory of Theorems.- 14.1 Propositonal LPF.- 14.2 Predicate LPF with equality.- 14.3 Basic type constructors.- 14.4 Natural numbers.- 14.5 Finite sets.- 14.6 Finite maps.- 14.7 Finite sequences.- 14.8 Booleans.- 14.9 Specifications.- 14.10 Reifications.- 14.11 Case study I: abstract specification.- 14.12 Case study II: refinement.- Index of Symbols.- Index of Rules.

The verified software repository: a step towards the verifying compiler

The verified software repository is dedicated to a long-term vision of a future in which all computer systems justify the trust that society increasingly places in them. This would be accompanied by a substantial reduction in the current high costs of programming error, incurred during the design, development, testing, installation, maintenance, evolution, and retirement of computer software. An important technical contribution to this vision will be a verifying compiler: a tool-set that automatically proves that a program will always meet its specification, insofar as this has been formalised, without even needing to run it. This has been a challenge for computing research for over 30 years, but the current state of the art now gives grounds for hope that it may be implemented in the foreseeable future. Achievement of the overall vision will depend also on continued progress of research into dependability and software evolution, as envisaged by the UKCRC Grand Challenge project in dependable systems evolution. The verified software repository is a first step towards the realisation of this long-term vision. It will maintain and develop an evolving collection of state-of-the-art tools, together with a representative portfolio of real programs and specifications on which to test, evaluate, and develop the tools. It will contribute initially to the inter-working of tools, and eventually to their integration. It will promote transfer of the relevant technology to industrial tools and into software engineering practice. It will build on the recognised achievements of practical formal development of safety-critical computer applications, and contribute to an international initiative in verified software, covering theory, tools, and experimental validation.

Making the most of formal specification through animation, testing and proof

Abstract The use of formality in software development enables formal manipulation at the symbolic level and hence can yield new perspectives on the design which can be submitted to inspection and interactive or automatic analysis. We describe the experience of an industrial pilot project which undertook a formal development using VDM and B and employed a number of techniques for the analysis of the formal texts by animation, test case generation and proof. We assess the effectiveness of methodology and techniques adopted by measuring the introduction and detection of faults.

Objects, associations and subsystems: A hierarchical approach to encapsulation

We describe a compositional approach to the formal interpretation of type view diagrams and statecharts. We define theories for object instances and classes, and theories for associations between them. These theories are combined with categorical constructions to yield a formalisation of the entire system.

Towards Modelling Obligations in Event-B

We propose a syntactic extension of Event-B incorporating a limited notion of obligation described by triggers. The trigger of an event is the dual of the guard: when a guard is not true, an event must not occur, whereas when a trigger is true, the event must occur. The obligation imposed by a trigger is interpreted as a constraint on when the other events are permitted. For example, the simplest trigger next, which states that the event must be the next one to be executed when the trigger becomes true, is modelled as an extra guard on each of the other events which prohibits their execution at this time. In this paper we describe the modelling of triggers in Event-B, and analyse refinement and abstract scheduling of triggered events.

ICAT: Integrating Data Infrastructure for Facilities Based Science

Scientific facilities, in particular large-scale photon and neutron sources, have demanding requirements to manage the increasing quantities of experimental data they generate in a systematic and secure way. In this paper, we describe the ICAT infrastructure for cataloguing facility-generated experimental data which has been in development within STFC and DLS for several years. We consider the factors which have influenced its design and describe its architecture and metadata model, a key tool in the management of data. We go on to give an outline of its current implementation and use, with plans for its future development.

Interpolation in practical formal development

Interpolation (together with completeness and decidability) has become one of the standard properties that logicians investigate when designing a logic. In this paper, we provide strong evidence that the presence of interpolants is not only cogent for scientific reasoning but has also important practical implications in computer science. We illustrate that interpolation in general, and uniform splitting interpolants, in particular, play an important role in applications where formality and modularity are invoked. In recognition of the fact that common logical formalisms often lack uniform interpolants, we advocate the need for developing general methods to (re)engineer a specification logic so that (at least) some critical uniform interpolants become available.

Industrial Practice in Formal Methods: A Review

We examine the the industrial application of formal methods using data gathered in a review of 62 projects taking place over the last 25 years. The review suggests that formal methods are being applied in a wide range of application domains, with increasingly strong tool support. Significant challenges remain in providing usable tools that can be integrated into established development processes; in education and training; in taking formal methods from first use to second use, and in gathering and evidence to support informed selection of methods and tools.

Policy-driven access control over a distributed firewall architecture

Motivated by a scientific application, where virtual organisations are dynamically created to achieve specific goals by sharing resources and information, we propose the synthesis of two lines of research: policy-based access control and distributed firewalls. Through this fusion we expect to deliver a scalable method of setting up security infrastructures for Grid computing infrastructures.

Towards a compositional interpretation of object diagrams

We develop a compositional interpretation of object model and statechart diagrams as used in the “Syntropy” method of Object-Oriented Analysis and Design. Separate theories are constructed for object instances, class managers and associations which are then combined with categorical constructions to yield a formal interpretation of the complete system.