Publications by Michel Bidoit


Archive | 2001

Systems and Software Verification

Béatrice Bérard; Michel Bidoit; Alain Finkel; François Laroussinie; Antoine Petit; Laure Petrucci; Philippe Schnoebelen; Pierre McKenzie

Abstraction by state merging consists in viewing some states of an automaton as identical. We also speak of folding, or quotient. We can visualize state merging in a very concrete way: the merged states are put together in a kind of super-state. All the transitions leading out of one of the merged states (or into one) now lead out of the super-state (or into it). Figure 11.1 depicts an example obtained from the digicode with error count used in chapter 1. The initial automaton A is shown on the left. We have circled the merged states with dotted lines. The result, the abstract automaton, is shown on the right. It is much more readable than A. Not only has the number of states dropped from 17 to 5, but more importantly, the number of transitions has been reduced as a result of merging. It is clear from the abstract automaton that the error counter must take all the values between 0 and 4 before the error state at the bottom of the diagram can be reached. Of course, in such a simple example, the same property is already easily extracted from the original automaton, especially since we have gone to the trouble of representing the states in a meaningful spatial arrangement. We will later come across several typical situations in which the advantage appears more clearly. The most important question is correctness: some obvious properties of the abstract automaton do not hold for A! For example, all the states of the abstract automaton can be reached through a path using only the letter A, and this does not hold for A. First of all, we tackle the correctness issue. 11.3 What Can Be Proved in the Abstract Automaton? In general, and with some precautions to be spelled out later, we can use state merging to verify safety properties. This principle is explained by a few


Theoretical Computer Science | 2002

CASL: the common algebraic specification language

Egidio Astesiano; Michel Bidoit; Hélène Kirchner; Bernd Krieg-Brückner; Peter D. Mosses; Donald Sannella; Andrzej Tarlecki

The Common Algebraic Specification Language (CASL) is an expressive language for the formal specification of functional requirements and modular design of software. It has been designed by CoFI, the international Common Framework Initiative for algebraic specification and development. It is based on a critical selection of features that have already been explored in various contexts, including subsorts, partial functions, first-order logic, and structured and architectural specifications. CASL should facilitate interoperability of many existing algebraic prototyping and verification tools. This paper gives an overview of the CASL design. The major issues that had to be resolved in the design process are indicated, and all the main concepts and constructs of CASL are briefly explained and illustrated; the reader is referred to the CASL Language Summary for further details. Some familiarity with the fundamental concepts of algebraic specification would be advantageous.


Acta Informatica | 1998

Modular correctness proofs of behavioural implementations

Michel Bidoit; Rolf Hennicker

Abstract. We introduce a concept of behavioural implementation for algebraic specifications which is based on an indistinguishability relation (called behavioural equality). The central objective of this work is the investigation of proof rules which allow us to establish the correctness of behavioural implementations in a modular (and stepwise) way and, moreover, are practicable enough to induce proof obligations that can be discharged with existing theorem provers. Under certain conditions our proof technique can also be applied for proving the correctness of implementations based on an abstraction equivalence between algebras in the sense of Sannella and Tarlecki. The whole approach is presented in the framework of total algebras and first-order logic with equality.


Mathematical Structures in Computer Science | 2008

Observational interpretation of Casl specifications

Michel Bidoit; Donald Sannella; Andrzej Tarlecki

We explore the way in which the refinement of individual ‘local’ components of a specification relates to the development of a ‘global’ system from a specification of requirements. The observational interpretation of specifications and refinements adds expressive power and flexibility, but introduces some subtle problems. Our study of these issues is carried out in the context of Casl architectural specifications. We introduce a definition of observational equivalence for Casl models, leading to an observational semantics for architectural specifications for which we prove important properties. Overall, this fulfills the long-standing goal of complementing the standard semantics of Casl specifications with an observational view that supports observational refinement of specifications in combination with Casl-style architectural design.


Theoretical Computer Science | 1995

Observational specifications and the indistinguishability assumption

Gilles Bernot; Michel Bidoit; Teodor Knapik

Abstract. Establishing the correctness of some software w.r.t. its formal specification is widely recognized as a difficult task. A first simplification is obtained when the semantics of an algebraic specification is defined as the class of all algebras which correspond to the correct realizations of the specification. A piece of software is then declared correct if some algebra of this class corresponds to it. We approach this goal by defining an observational satisfaction relation which is less restrictive than the usual satisfaction relation. Based on this notion we provide an institution for observational specifications. The idea is that the validity of an equational axiom should depend on an observational equality, instead of the usual equality. We show that it is not reasonable to expect an observational equality to be a congruence. We define an observational algebra as an algebra equipped with an observational equality which is an equivalence relation but not necessarily a congruence. We assume that two values can be declared indistinguishable when it is impossible to establish that they are different using some available observations. This is what we call the Indistinguishability Assumption. Since term observation seems sufficient for data type specifications, we define an indistinguishability relation on the carriers of an algebra w.r.t. the observation of an arbitrary set of terms. From a careful case study it follows that this requires taking into account the continuations of suspended evaluations of observation terms. Since our indistinguishability relation is not transitive, it is only an intermediate step towards defining an observational equality. Our approach is motivated by several examples.


software engineering and formal methods | 2004

Glass-box and black-box views on object-oriented specifications

Michel Bidoit; Rolf Hennicker; Alexander Knapp; Hubert Baumeister

We present a logical foundation for object-oriented specifications which supports a rigorous formal development of object-oriented systems. In this setting, we study two different views on a system, the implementor's view (glass-box view) and the user's view (black-box view), which are both founded on a model-theoretic semantics. We also discuss the hierarchical construction of specifications and realisations. Our approach is abstract in the sense that it can be instantiated by various concrete specification formalisms like OCL or JML.


Archive | 2001

SMV — Symbolic Model Checking

Béatrice Bérard; Michel Bidoit; Alain Finkel; François Laroussinie; Antoine Petit; Laure Petrucci; Philippe Schnoebelen; Pierre McKenzie

SMV has been developed by K. L. McMillan under the guidance of E. M. Clarke at Carnegie-Mellon University (Pittsburgh, PA, USA). It performs (BDD-based) symbolic model checking of CTL formulae on networks of automata with shared variables. The tool is available via the Internet.


Archive | 2001

KRONOS — Model Checking of Real-time Systems

Béatrice Bérard; Michel Bidoit; Alain Finkel; François Laroussinie; Antoine Petit; Laure Petrucci; Philippe Schnoebelen; Pierre McKenzie

Kronos allows us to analyze timed automata. It is developed at VERIMAG by S. Yovine, A. Olivero, C. Daws and S. Tripakis, and is available on the Internet.


Archive | 2001

HYTECH — Linear Hybrid Systems

Béatrice Bérard; Michel Bidoit; Alain Finkel; François Laroussinie; Antoine Petit; Laure Petrucci; Philippe Schnoebelen; Pierre McKenzie

HyTech allows one to analyze linear hybrid automata. It was developed by T. A. Henzinger, P.-H. Ho and H. Wong-Toi at Cornell University, with improvements added at the University of California, Berkeley, and is available on the Internet.


Archive | 2004

6 Structuring Specifications

Michel Bidoit; Peter D. Mosses

Large and complex specifications are easily built out of simpler ones by means of (a small number of) specification-building operations.

Top Co-Authors

Alain Finkel (École normale supérieure de Cachan); Antoine Petit (École normale supérieure de Cachan); Philippe Schnoebelen (École normale supérieure de Cachan); François Laroussinie (Centre national de la recherche scientifique).