µCRL [13] is a language for specifying and verifying distributed systems in an algebraic fashion. It targets the specification of system behaviour in a process-algebraic style and of data elements in the form of abstract data types. The µCRL toolset [21] (see

Abstract not found

Abstract. We define a cones and foci proof method, which rephrases the question whether two system specifications are branching bisimilar in terms of proof obligations on relations between data objects. Compared to the original cones and foci method from Groote and Springintveld [22], our method is more generally applicable, and does not require a preprocessing step to eliminate τ-loops. We prove soundness of our approach and give an application. 1

In order to optimise maintenance and increase safety, the Royal Netherlands Navy initiated the development of a multi-channel on-board data acquisition system for its Lynx helicopters. This AIDA (Automatic In-ight Data Acquisition) system records usage and loads data on main rotor, engines and airframe. We used refinement in combination with model checking to arrive at a formally verified prototype implementation of the AIDA system, starting from the functional requirements.

The VoDka server is a video-on-demand system for a Spanish cable company. We look at the distributed scheduler of this system. This scheduler enables that whenever a user agent is asking for a certain movie, this request is transferred through the system and a set of possible play-back qualities is returned to the agent. In case of a non-empty set, the agent selects one and the movie is streamed to the user.

Several years of experience with the functional language Erlang have learned Ericsson that it is highly beneficial to use this language for programming control software for large systems. Systems that could not be built before, have been constructed in less time and with fewer lines of code than one would need with conventional languages. The success of Ericsson in the business area of telephone switches is partly because of their solid fault tolerant architecture, both in hardware and in software. A lot of time and money have been invested in the development of this fault tolerant architecture, all to catch these errors that are overlooked in numerous tests. By using Erlang and its extensive libraries, the number of these uncaught errors decreases; the fault recovery mechanism of the system is used less. One saves on maintenance costs and the overall performance of a system increases. The additional use of formal verifiation aims on reducing even more the number of uncaught errors.

Jackal is a fine-grained distributed shared memory implementation of the Java programming language. It aims to implement Java's memory model and allows multithreaded Java programs to run unmodified on a distributed memory system. It employs a multiple-writer cache coherence protocol. In this paper, we report on our analysis of this protocol. We present its formal specification in CRL, and discuss the abstractions that were made to avoid state explosion. Requirements were formulated and model checked with respect to several configurations. Our analysis revealed two errors in the implementation.