Victor L. Winter

High integrity software

Preface. Part I: General Applications of Formal Methods and Systems. 1. Designware: Software Development by Refinement D.R. Smith. 2. B: Towards Zero Defect Software I. Sorensen, D. Neilson. 3. The Use of B to Specify, Design and Verify Hardware W. Ifill, et al. 4. A System for Predictable Component-Based Software Construction M. Aronszajn, et al. 5. Autonomous Decentralized Systems K. Mori. Part II: Case Study. 6. Bay Area Rapid Transit System Case Study V.L. Winter, et al. 7. Using SCR to Specify the BART Requirements C. Heitmeyer. 8. Domain Language for a Class of Reactive Systems D. Kapur, V.L. Winter. 9. Refinement-based Derivation of Train Controllers V.L. Winter, et al. Part III: Verification and Validation. 10. Validation of a Relational Program F.B. Bastani, et al. 11. Verification of a Controller for BART L. King, et al. 12. Using Virtual Reality to Validate System Models V.L. Winter, T.P. Caudell. Index.

The TAMPR program transformation system: simplifying the development of numerical software

Writing correct numerical software is a complex, demanding, and, at times, even a boring, task. In this chapter, we describe an approach to constructing software—program specification and transformation—and allied tools that can help not only to ensure the correctness of numerical computations but also automate much of the drudge-work involved in preparing such software. This approach to software construction holds out the exciting prospect of enabling the numerical analyst or specialist in scientific computing to concentrate on correctly capturing the problem to be solved, while delegating the details of programming the software and adapting it to specialized computing environments to automated tools.

The transient combinator, higher-order strategies, and the distributed data problem

The distributed data problem is characterized by the desire to bring together semantically related data from syntactically unrelated portions of a term. A strategic combinator called transient and a strategic constant called skip are introduced in the context of a higher-order strategic framework. The notion of traversal is lifted to the higher order as well. The resulting framework allows the manipulation of data to be expressed directly in strategic terms. The impact of this dynamic approach to strategy creation is then explored for several instances of the distributed data problem. Problems considered include three strategic benchmarks as well as two transformations that arise within a class loader for the Java virtual machine.

Bay area rapid transit district advance automated train control system case study description

This document contains an informal description of a portion of the Advanced Automatic Train Control (AATC) system being developed for the Bay Area Rapid Transit (BART) system. BART provides commuter rail service for part of California’s San Francisco bay area. Specifically, the informal specification given below focuses on those aspects of BART that are necessary to control the speed and acceleration for the trains in the system. Other aspects of BART control such as (1) communication error recovery, (2) routing (via switches) and (3) right-of-way signaling (via “gates”) are largely ignored. The scope of this case study is narrower than the AATC project as a whole, but within this narrowed scope, enough detail has been supplied to give a sense of the level of complexity involved.

Program transformation using HATS 1.84

This article gives an overview of a transformation system called HATS – a freely available platform independent IDE facilitating experimentation in transformation-oriented software development. Examples are discussed highlighting how the transformational abstractions provided by HATS can be used to solve various problems.

Strategy Construction in the Higher-Order Framework of TL

When viewed from a strategic perspective, a labeled rule base in a rewriting system can be seen as a restricted form of strategic expression (e.g., a collection of rules strictly composed using the left-biased choice combinator). This paper describes higher-order mechanisms capable of dynamically constructing strategic expressions that are similar to rule bases. One notable difference between these strategic expressions and rule bases is that strategic expressions can be constructed using arbitrary binary combinators (e.g., left-biased choice, right-biased choice, sequential composition, or user defined). Furthermore, the data used in these strategic expressions can be obtained through term traversals.A higher-order strategic programming framework called TL is described. In TL it is possible to dynamically construct strategic expression of the kind mentioned in the previous paragraph. A demonstration follows showing how the higher-order constructs available in TL can be used to solve several problems common to the area of program transformation.

An overview of HATS: a language independent high assurance transformation system

Transformations that are based on syntax directed rewriting systems can have a significant impact on the construction of high assurance systems. However, in order for a transformational approach to be useful to a particular problem domain, a (general) transformation system must be adapted to the notation of that particular domain. A transformation system that can be easily adapted to various domain notations has the potential of having a wide range of applicability. We discuss why transformation is attractive from a high assurance perspective, as well as some issues surrounding automated transformation within specific problem domains. We then give an overview of a language independent high assurance transformation system (HATS) that is being developed at Sandia National Laboratories.

Transformation-Oriented Programming: A Development Methodology for High Assurance Software

Abstract A software development paradigm known as Transformation-Oriented Programming (TOP) is introduced. In TOP, software development consists of constructing a sequence of transformations capable of systematically constructing a software implementation from a given formal specification. As such TOP falls under the category of formal methods. The general theory and techniques upon which TOP is built is presented. The High Assurance Transformation System (HATS) is described. The use of the HATS tool to implement a portion of the functionality of a classloader needed by the Sandia Secure Processor (SSP) is described.

Proving refinement transformations for deriving high-assurance software

The construction of a high-assurance system requires some evidence, ideally a proof, that the system as implemented will behave as required. Direct proofs of implementations do not scale up well as systems become more complex and therefore are of limited value. In recent years, refinement-based approaches have been investigated as a means to manage the complexity inherent in the verification process. In a refinement-based approach, a high-level specification is converted into an implementation through a number of refinement steps. The hope is that the proofs of the individual refinement steps will be easier than a direct proof of the implementation. However, if stepwise refinement is performed manually, the number of steps is severly limited, implying that the size of each step is large. If refinement steps are large, then proofs of their correctness will not be much easier than a direct proof of the implementation. We describe an approach to refinement-based software development that is based on automatic application of refinements, expressed as program transformations. This automation has the desirable effect that the refinement steps can be extremely small and, thus, easy to prove correct. We give an overview of the TAMPR transformation system that we use for automated refinement. We then focus on some aspects of the semantic framework that we have been developing to enable proofs that TAMPR transformations are correctness preserving. With this framework proofs of correctness for transformations can be obtained with the assistance of an automated reasoning system.

Aspectual Support for Specifying Requirements in Software Product Lines

We present an aspect-oriented requirements specification system for software product lines. We encapsulate nonfunctional concerns as a set of advices for transforming parameterized requirements to product-specific requirements. We apply our system to the Health Watcher case study to demonstrate our approach. We sort out system requirements, exception handling requirements (alternate flows) and non-functional requirements and represent them as aspects in our framework. We have implemented a prototype transformation tool which takes these aspects along with the basic functional requirements as input and produces a requirements document with all applicable aspects woven in.