This report describes a new language for distributed programming, the IOA language, together with a high-level design and preliminary implementation for a suite of tools, the IOA toolset, to support the production of high-quality distributed software. The language and tools are based on the I/O automaton model, which has been used to describe and verify distributed algorithms. The toolset supports a development process that begins with a high-level specification, refines that specification via successively more detailed designs, and ends by automatically generating distributed programs. The toolset encourages system decomposition, which helps make distributed programs understandable and easy to modify. It also provides a variety of validation methods (theorem proving, model checking, and simulation), which can be used to ensure that the generated programs are correct, subject to assumptions about externally-provided system services (e.g., communication services), and about the correctness of hand-coded data type implementations.

Abstract not found

We describe a prototype tool for developing programs by stepwise refinement in a weakest precondition framework, based on the HOL theorem proving system. Our work is based on a mechanisation of the refinement calculus, which is a theory of correctness preserving program transformations. We also use a tool for window inference that is part of the HOL system. Our tool permits subcomponents of a program to be refined separately, and the tool keeps track of the overall effects of each individual refinement. In particular, we show how specifications can be refined into code and how data refinements (i.e., replacing an abstract data structure with one that is more concrete) can be handled. All refinements are proved as theorems in the HOL logic, so our system is in fact a secure environment for program development. 1 Introduction Stepwise refinement is a methodology for developing programs from high-level program specifications into efficient implementations. In this approach to program dev...

. HOL-UNITY is an implementation of Chandy and Misra's UNITY theory in the HOL88 and HOL90 theorem provers. This paper shows how to verify safety and progress properties of concurrent programs using HOL-UNITY. As an example it is proved that a lift-control program satisfies a given progress property. The proof is compositional and partly automated. The progress property is decomposed into basic safety and progress properties, which are proved automatically by a developed tactic based on a combination of Gentzen-like proof methods and Pressburger decision procedures. The proof of the decomposition which includes induction is done mechanically using the inference rules of the UNITY logic implemented as theorems in HOL. The paper also contains some empirical results of running the developed tactic in HOL88 and HOL90, respectively. It turns out that HOL90 in average is about 9 times faster than HOL88. Finally, we discuss various ways of improving the tactic. 1 Introduction This paper pres...

. We describe an attempt to formalise the semantics of the

Theorem provers were also called 'proof checkers' because that is what they were in the beginning. They have grown powerful, however, capable in many cases to automatically produce complicated proofs. In particular, higher order logic based theorem provers such as HOL and PVS became popular because the logic is well known and very expressive. They are generally considered to be potential platforms to embed a programming logic for the purpose of formal verification. In this paper we investigate a number of most commonly used methods of embedding programming logics in such theorem provers and expose problems we discover. We will also propose an alternative approach: hybrid embedding.

. The refinement calculus provides a theory for the stepwise refinement

We propose Real-Time Unity in which the Unity operators co and 7! are generalized to the bounded forms cok and 7!k , where k is a time value. This is done in such a way that for k = 1 the bounded forms specialize to the unbounded forms. Hence Real-Time Unity includes Unity as a sub-theory. Real-Time Unity appears to be especially appropriate for reasoning about the interplay of real-time progress and safety properties. We argue that this sort of interplay is fundamental to the development of real-time programs and give a number of examples of the application of the theory to programs which require such an interplay. We then propose topics for further research. Keywords: Real-time, Unity, program refinement, concurrency. 1 Introduction The problem of specifying and proving properties of real-time programs has received much attention over the last ten years. This attention is due to the critical function which many of these programs provide. Since many real-time programs are ...

We address the problem of the automatic verification of reactive systems. For such algorithms, parallelism, non-determinism and distribution, lead to frequent design flaws and make debugging difficult. Proving programs with respect to their specification may solve both these problems. In this framework, we describe the implementation of an algorithm design assistant based upon the UNITY formalism. A theorem prover and a Presburger formulas calculator are used to perform the underlying proofs. We illustrate the main difficulties encountered with representative examples. Key words: Program verification, reactive programs, UNITY formalism, parallelism, distribution, theorem proving. I Introduction Concurrency and distribution generate two further difficulties with respect to sequential programming. Concurrency leads to a drastic increase in program states and distribution results in a knowledge loss of both any global state and time. Therefore, program debugging becomes especia...

Window inference is a method for contextual rewriting and refinement, supported by the HOL Window Inference Library. This paper describes a user-friendly interface for window inference. The interface permits the user to select subexpressions by pointing and clicking and to select transformations from menus. The correctness of each transformation step is proved automatically by the HOL system. The interface can be tailored to particular user-defined theories. One such extension, for program refinement, is described. 1 Introduction Though the original purpose of the HOL system [8] was as a tool for hardware verification, it has become popular also as a basis for software verification (see for example [1, 5, 7]). However, the theories built for supporting the software development process are normally difficult to use, especially if one does not have any previous detailed knowledge of the HOL system. In order to make such theories available to a general audience, it is essential that user...