Results 1  10
of
38
Using Typed Lambda Calculus to Implement Formal Systems on a Machine
 Journal of Automated Reasoning
, 1992
"... this paper and the LF. In particular the idea of having an operator T : Prop ! Type appears already in De Bruijn's earlier work, as does the idea of having several judgements. The paper [24] describes the basic features of the LF. In this paper we are going to provide a broader illustration of its a ..."
Abstract

Cited by 83 (14 self)
 Add to MetaCart
this paper and the LF. In particular the idea of having an operator T : Prop ! Type appears already in De Bruijn's earlier work, as does the idea of having several judgements. The paper [24] describes the basic features of the LF. In this paper we are going to provide a broader illustration of its applicability and discuss to what extent it is successful. The analysis (of the formal presentation) of a system carried out through encoding often illuminates the system itself. This paper will also deal with this phenomenon.
How the design of JML accommodates both runtime assertion checking and formal verification
 SCIENCE OF COMPUTER PROGRAMMING
, 2003
"... ..."
Reasoning with Logical Bilattices
, 1995
"... . The notion of bilattice was introduced by Ginsberg, and further examined by Fitting, as a general framework for many applications. In the present paper we develop proof systems, which correspond to bilattices in an essential way. For this goal we introduce the notion of logical bilattices. We als ..."
Abstract

Cited by 55 (9 self)
 Add to MetaCart
. The notion of bilattice was introduced by Ginsberg, and further examined by Fitting, as a general framework for many applications. In the present paper we develop proof systems, which correspond to bilattices in an essential way. For this goal we introduce the notion of logical bilattices. We also show how they can be used for efficient inferences from possibly inconsistent data. For this we incorporate certain ideas of Kifer and Lozinskii, which happen to suit well the context of our work. The outcome are paraconsistent logics with a lot of desirable properties 1 . 1. Introduction When using multiplevalued logics, it is usual to order the truth values in a lattice structure. In most cases such a partial order intuitively reflects differences in the "measure of truth" that the lattice elements are supposed to represent. There exist, however, other intuitive criteria of ordering that might be useful. Another reasonable ordering might reflect, for example, differences in the amoun...
Subtypes for Specifications: Predicate Subtyping in PVS
 IEEE Transactions on Software Engineering
, 1998
"... A specification language used in the context of an effective theorem prover can provide novel features that enhance precision and expressiveness. In particular, typechecking for the language can exploit the services of the theorem prover. We describe a feature called "predicate subtyping" that uses ..."
Abstract

Cited by 31 (4 self)
 Add to MetaCart
A specification language used in the context of an effective theorem prover can provide novel features that enhance precision and expressiveness. In particular, typechecking for the language can exploit the services of the theorem prover. We describe a feature called "predicate subtyping" that uses this capability and illustrate its utility as mechanized in PVS.
A Typed Logic of Partial Functions Reconstructed Classically
 ACTA INFORMATICA
, 1994
"... This paper gives a comprehensive description of a typed version of the logic known as LPF. This logic is basic to formal specification and verified design in the software development method VDM. If appropriately extended to deal with recursively defined functions, the data types used in VDM, etc ..."
Abstract

Cited by 31 (3 self)
 Add to MetaCart
This paper gives a comprehensive description of a typed version of the logic known as LPF. This logic is basic to formal specification and verified design in the software development method VDM. If appropriately extended to deal with recursively defined functions, the data types used in VDM, etc., it gives the VDM notation and its associated rules of reasoning. The paper provides an overview of the needed extensions and examines some of them in detail. It is shown how this nonclassical logic  and the extensions  can be reconstructed classically by embeddings into classical infinitary logic.
Synthesizing certified code
 Proc. Intl. Symp. Formal Methods Europe 2002: Formal Methodsâ€”Getting IT Right, LNCS 2391
, 2002
"... Abstract. Code certification is a lightweight approach for formally demonstrating software quality. Its basic idea is to require code producers to provide formal proofs that their code satisfies certain quality properties. These proofs serve as certificates that can be checked independently. Since c ..."
Abstract

Cited by 29 (15 self)
 Add to MetaCart
Abstract. Code certification is a lightweight approach for formally demonstrating software quality. Its basic idea is to require code producers to provide formal proofs that their code satisfies certain quality properties. These proofs serve as certificates that can be checked independently. Since code certification uses the same underlying technology as program verification, it requires detailed annotations (e.g., loop invariants) to make the proofs possible. However, manually adding annotations to the code is timeconsuming and errorprone. We address this problem by combining code certification with automatic program synthesis. Given a highlevel specification, our approach simultaneously generates code and all annotations required to certify the generated code. We describe a certification extension of AutoBayes, a synthesis tool for automatically generating data analysis programs. Based on builtin domain knowledge, proof annotations are added and used to generate proof obligations that are discharged by the automated theorem prover ESETHEO. We demonstrate our approach by certifying operator and memorysafety on a dataclassification program. For this program, our approach was faster and more precise than PolySpace, a commercial static analysis tool.
A structural proof of the soundness of rely/guarantee rules
 Journal of Logic and Computation
, 2007
"... Abstract. Various forms of rely/guarantee conditions have been used to record and reason about interference in ways that provide compositional development methods for concurrent programs. This paper illustrates such a set of rules and proves their soundness. The underlying concurrent language allows ..."
Abstract

Cited by 16 (8 self)
 Add to MetaCart
Abstract. Various forms of rely/guarantee conditions have been used to record and reason about interference in ways that provide compositional development methods for concurrent programs. This paper illustrates such a set of rules and proves their soundness. The underlying concurrent language allows finegrained interleaving and nested concurrency; it is defined by an operational semantics; the proof that the rely/guarantee rules are consistent with that semantics (including termination) is by a structural induction. A key lemma which relates the states which can arise from the extra interference that results from taking a portion of the program out of context makes it possible to do the proofs without having to perform induction over the computation history. This lemma also offers a way to think about expressibility issues around auxiliary variables in rely/guarantee conditions. 1
The Early Search for Tractable Ways of Reasoning About Programs
 IEEE Annals of the History of Computing
, 2003
"... This paper traces the important steps in the history up to around 1990 of research on reasoning about programs. The main focus is on sequential imperative programs but some comments are made on concurrency. Initially, researchers focussed on ways of verifying that a program satisfies its specifi ..."
Abstract

Cited by 15 (2 self)
 Add to MetaCart
This paper traces the important steps in the history up to around 1990 of research on reasoning about programs. The main focus is on sequential imperative programs but some comments are made on concurrency. Initially, researchers focussed on ways of verifying that a program satisfies its specification (or that two programs were equivalent). Over time it became clear that post facto verification is only practical for small programs and attention turned to verification methods which support the development of programs; for larger programs it is necessary to exploit a notation of compositionality. Coping with concurrent algorithms is much more challenging  this and other extensions are considered briefly. The main thesis of this paper is that the idea of reasoning about programs has been around since they were first written; the search has been to find tractable methods.
Understanding the differences between VDM and Z
, 1993
"... This paper attempts to provide an understanding of the interesting differences between two wellknown specification languages. Copyright c fl1993. All rights reserved. Reproduction of all or part of this work is permitted for educational or research purposes on condition that (1) this copyright no ..."
Abstract

Cited by 14 (0 self)
 Add to MetaCart
This paper attempts to provide an understanding of the interesting differences between two wellknown specification languages. Copyright c fl1993. All rights reserved. Reproduction of all or part of this work is permitted for educational or research purposes on condition that (1) this copyright notice is included, (2) proper attribution to the author or authors is made and (3) no commercial gain is involved. Technical Reports issued by the Department of Computer Science, Manchester University, are available by anonymous ftp from ftp.cs.man.ac.uk in the directory /pub/TR. The files are stored as PostScript, in compressed form, with the report number as filename. Alternatively, reports are available by post from The Computer Library, Department of Computer Science, The University, Oxford Road, Manchester M13 9PL, U.K. The main ideas are presented in the form of a discussion. This was partly prompted by Lakatos' book `Proof and Refutations' but, since this paper is less profound, char...
An Isabellebased Theorem Prover for VDMSL
 In Proceedings of the 10th International Conference on Theorem Proving in Higher Order Logics (TPHOLs'97), LNCS
, 1997
"... . This paper describes the theorem proving component of a larger software development environment for the ISO standardized specification language VDMSL. This component is constructed as an instantiation of the generic theorem prover Isabelle with a VDMSL variant of the Logic of Partial Functions ( ..."
Abstract

Cited by 11 (1 self)
 Add to MetaCart
. This paper describes the theorem proving component of a larger software development environment for the ISO standardized specification language VDMSL. This component is constructed as an instantiation of the generic theorem prover Isabelle with a VDMSL variant of the Logic of Partial Functions (LPF). We describe the development of this instantiation, focusing on both the embedding of syntax and the automation of proof support, which is a challenge due to the threevalued nature of LPF. 1 Introduction This paper is about mechanizing proof support for VDMSL, which is a formal notation for writing modeloriented specifications of software systems [13]. The history of VDMSL dates back to the late 70's, and it is now one of the most widely used specification languages in industry and academia [15, 8]. Moreover, it has an ISO standard [16] and is supported by a tool, the IFAD VDMSL Toolbox [9, 12], which is essential for the industrial adoption of a formal method. Currently the VDMS...