Results 1 - 10 of 39
Algebraic Process Verification
- Handbook of Process Algebra, chapter 17
Cited by 55 (15 self)
Abstract: This chapter addresses the question of how to verify distributed and communicating systems in an effective way from an explicit process algebraic standpoint. This means that all calculations are based on the axioms and principles of the process algebras.
Action Transducers and Timed Automata
- Formal Aspects of Computing, 1996
Cited by 38 (13 self)
Abstract: The timed automaton model of [LV92, LV93] is a general model for timing-based systems. A notion of timed action transducer is defined here as an automata-theoretic way of representing operations on timed automata. It is shown that two timed trace inclusion relations are substitutive with respect to operations that can be described by timed action transducers. Examples are given of operations that can be described in this way, and a preliminary proposal is made for an appropriate language of operators for describing timing-based systems.
The safety guaranteeing system at station Hoorn-Kersenboogerd
- To appear
[Table from the paper, not recoverable from this listing: verification results for 25, 50 and 100 clauses against 5 to 400 variables, without hiding versus with hiding.]
Cited by 37 (5 self)
Abstract: At the Dutch station Hoorn-Kersenboogerd, computer equipment is used for the safe and timely movement of trains. The computer equipment can be divided into two layers: a top layer offering an interface and means to help a human operator in scheduling train movements, and a bottom layer which checks whether commands issued by the top layer can safely be executed by the rail hardware and which acts appropriately on detection of a hazardous situation. The bottom layer is implemented with a programmable piece of equipment, namely a Vital Processor Interlocking (VPI). This paper introduces the most important features of the VPI at Hoorn-Kersenboogerd. This particular VPI is modelled in µCRL. Furthermore, the paper touches upon correctness criteria and tool support for VPIs, and suggests ways for verification of properties of VPIs. Experiments show that it is indeed possible to efficiently verify these correctness criteria. 1991 Mathematics Subject Classification: 68Q40, 68Q45.
Focus points and convergent process operators: A proof strategy for protocol verification
- 1995
Cited by 34 (10 self)
Abstract: We present a strategy for finding algebraic correctness proofs for communication systems. It is described in the setting of µCRL [11], which is, roughly, ACP [2, 3] extended with a formal treatment of the interaction between data and processes. The strategy has already been applied successfully in [4] and [10], but was not explicitly identified as such. Moreover, the protocols that were verified in these papers were rather complex, so that the general picture was obscured by the amount of detail. In this paper, the proof strategy is materialised in the form of definitions and theorems. These results reduce a large part of protocol verification to a number of trivial facts concerning data parameters occurring in implementation and specification. This greatly simplifies protocol verifications and makes our approach amenable to mechanical assistance; experiments in this direction seem promising. The strategy is illustrated by several small examples and one larger example, the Concurrent Alternating Bit Protocol (CABP). Although simple, this protocol contains a large amount of internal parallelism, so that all relevant issues make their appearance.
A Conservative Look at Operational Semantics with Variable Binding
- Information and Computation, 1998
Cited by 29 (3 self)
Abstract: We set up a formal framework to describe transition system specifications in the style of Plotkin. This framework has the power to express many-sortedness, general binding mechanisms and substitutions, among other notions such as negative hypotheses and unary predicates on terms. The framework is used to present a conservativity format in operational semantics, which states sufficient criteria to ensure that the extension of a transition system specification with new transition rules does not affect the semantics of the original terms.
Model-Checking CSP-OZ Specifications with FDR
- In Araki et al., 1999
Cited by 26 (3 self)
Abstract: CSP-OZ is a formal method integrating two different specification formalisms into one: the formalism Object-Z for the description of static aspects, and the process algebra CSP for the description of the dynamic behaviour of systems. The semantics of CSP-OZ is the failures-divergences semantics taken from the process algebra side. In this paper we propose a method for checking correctness of CSP-OZ specifications via a translation into the CSP dialect of the model checker FDR.
A Bounded Retransmission Protocol for Large Data Packets. A Case Study in Computer Checked Algebraic Verification
- 1993
Cited by 17 (7 self)
Abstract: This note describes a protocol for the transmission of data packets that are too large to be transferred in their entirety. Therefore, the protocol splits each data packet and broadcasts it in parts. It is assumed that in case of failure of transmission through data channels, only a limited number of retries are allowed (bounded retransmission). If repeated failure occurs, the protocol stops trying and the sending and receiving protocol users are informed accordingly. The protocol and its external behaviour are specified in µCRL. The correspondence between these is shown using the axioms of µCRL. The whole proof of this correspondence has been computer checked using the proof checker Coq. This provides an example showing that proof checking of realistic protocols is feasible within the setting of process algebras. The first author is partly supported by the Netherlands Computer Science Research Foundation (SION) with financial support of the Netherlands Organisation for Scientific Re...
Formalizing Process Algebraic Verifications in the Calculus of Constructions
Cited by 14 (7 self)
Abstract: This paper reports on the first steps towards the formal verification of correctness proofs of real-life protocols in process algebra. We show that proofs can be verified, and partly constructed, by a general purpose proof checker. The process algebra we use is µCRL, ACP augmented with data, which is small enough to make the verification feasible, and at the same time expressive enough for the specification of real-life protocols. The proof checker we use is Coq, which is based on the Calculus of Constructions, an extension of simply typed lambda calculus. The focus is on the translation of the proof theory of µCRL and µCRL-specifications to Coq. As a case study, we verified the Alternating Bit Protocol.
Specification of Rewriting Strategies
- 2nd International Workshop on the Theory and Practice of Algebraic Specifications (ASF+SDF'97), Electronic Workshops in Computing, 1997
Cited by 13 (5 self)
Abstract: User-definable strategies for the application of rewrite rules provide a means to construct transformation systems that apply rewrite rules in a controlled way. This paper describes a strategy language and its interpretation. The language is used to control the rewriting of terms using labelled rewrite rules. Rule labels are atomic strategies. Compound strategies are formed by means of sequential composition, nondeterministic choice, left choice, fixed point recursion, and two primitives for expressing term traversal. Several complex strategies such as bottom-up and top-down application and (parallel) innermost and (parallel) outermost reduction can be defined in terms of these primitives. The paper contains two case studies of the application of strategies.
1 Introduction: Term rewriting is an ideal technique for program transformation where the transformation of one construct into another is defined by means of rewrite rules. Usually, the rewrite engine contracts redexes according to ...
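As an added illustration of the abstract above (example code written for this listing, not the paper's ASF+SDF strategy language or its interpreter), the following Python defines the primitives the abstract names as closures over terms: rule labels as atomic strategies, sequential composition, left choice, fixed point recursion and two traversal primitives (one applying a strategy to all direct subterms, one to a single subterm). Bottom-up, top-down and innermost reduction are then defined from those primitives alone. The term representation, the two Peano addition rules `add0` and `addS`, and the sample terms are constructed here; a deterministic interpreter like this one collapses the paper's nondeterministic choice onto left choice.

```python
"""Strategy combinators over labelled rewrite rules (constructed example)."""
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass(frozen=True)
class Term:
    """First-order term: constructor name plus subterms (leaves have none)."""
    op: str
    args: Tuple["Term", ...] = ()

    def __repr__(self) -> str:
        return self.op if not self.args else f"{self.op}({', '.join(map(repr, self.args))})"


# A strategy maps a term to a rewritten term, or None when it fails.
Strategy = Callable[[Term], Optional[Term]]


def rule(label: str, fn: Strategy) -> Strategy:
    """Atomic strategy: one labelled rule, applied at the root only."""
    fn.__name__ = label  # the label is kept for debugging; fn decides matching
    return fn


def seq(s1: Strategy, s2: Strategy) -> Strategy:
    """Sequential composition: s1, then s2 on its result; fails if either fails."""
    def s(t):
        r = s1(t)
        return None if r is None else s2(r)
    return s


def left_choice(s1: Strategy, s2: Strategy) -> Strategy:
    """Left choice: s2 is tried only when s1 fails."""
    def s(t):
        r = s1(t)
        return r if r is not None else s2(t)
    return s


def identity(t: Term) -> Optional[Term]:
    return t


def attempt(s1: Strategy) -> Strategy:
    """try: apply s1 if it succeeds, otherwise leave the term unchanged."""
    return left_choice(s1, identity)


def all_children(s1: Strategy) -> Strategy:
    """Traversal primitive: apply s1 to every direct subterm; fails if any fails."""
    def s(t):
        new_args = []
        for a in t.args:
            r = s1(a)
            if r is None:
                return None
            new_args.append(r)
        return Term(t.op, tuple(new_args))
    return s


def one_child(s1: Strategy) -> Strategy:
    """Traversal primitive: apply s1 to the leftmost direct subterm where it succeeds."""
    def s(t):
        for i, a in enumerate(t.args):
            r = s1(a)
            if r is not None:
                return Term(t.op, t.args[:i] + (r,) + t.args[i + 1:])
        return None
    return s


def fix(body: Callable[[Strategy], Strategy]) -> Strategy:
    """Fixed point recursion: the strategy is handed to its own body by name."""
    def s(t):
        return body(s)(t)
    return s


# Derived strategies, defined from the primitives only.
def repeat(s1):    return fix(lambda self: attempt(seq(s1, self)))
def bottomup(s1):  return fix(lambda self: seq(all_children(self), s1))
def topdown(s1):   return fix(lambda self: seq(s1, all_children(self)))
def oncebu(s1):    return fix(lambda self: left_choice(one_child(self), s1))
def innermost(s1): return repeat(oncebu(s1))


# Constructed rule set: Peano addition, labelled add0 and addS.
ZERO = Term("0")
def S(x): return Term("s", (x,))
def ADD(x, y): return Term("add", (x, y))

def _add0(t):  # add(0, y) -> y
    return t.args[1] if t.op == "add" and t.args[0] == ZERO else None

def _addS(t):  # add(s(x), y) -> s(add(x, y))
    if t.op == "add" and t.args[0].op == "s":
        return S(ADD(t.args[0].args[0], t.args[1]))
    return None

ADD_RULES = left_choice(rule("add0", _add0), rule("addS", _addS))


def normalize(t: Term) -> Term:
    """Innermost normal form under the addition rules."""
    return innermost(ADD_RULES)(t)


def to_int(t: Term) -> int:
    """Read a Peano numeral back as an int (raises on an unreduced add)."""
    n = 0
    while t.op == "s":
        n, t = n + 1, t.args[0]
    assert t == ZERO, f"not a numeral: {t!r}"
    return n


if __name__ == "__main__":
    two_plus_one = ADD(S(S(ZERO)), S(ZERO))
    print(normalize(two_plus_one))                                    # s(s(s(0)))
    print(to_int(normalize(ADD(two_plus_one, ADD(S(ZERO), ZERO)))))  # 4
    # A single bottom-up pass is not a normaliser: the redex it creates at the
    # root is not revisited, which is exactly what the fixed point in repeat adds.
    print(bottomup(attempt(ADD_RULES))(ADD(S(ZERO), ZERO)))           # s(add(0, 0))
```

The last line of the `__main__` block is the point of separating traversal from recursion: `bottomup` visits each position once, so it leaves `s(add(0, 0))` behind, whereas `innermost` is `repeat(oncebu(...))` and keeps rewriting until no rule applies anywhere.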
The Parallel Composition of Uniform Processes with Data
- Theoretical Computer Science, 2001
Cited by 11 (2 self)
Abstract: A general basis for the definition of a finite but unbounded number of parallel processes is the equation
$S(n, dt) = P(0, get(0, dt)) \triangleleft eq(n, 0) \triangleright (P(n, get(n, dt)) \parallel S(n - 1, dt))$.
In this formula eq(n, 0) is an equality test, and get(n, dt) denotes the n-th data element in table dt. We derive a linear process equation with the same behaviour as S(n, dt), and show that this equation is well-defined, provided one adopts the principle CL-RSP from [4]. In order to demonstrate the strength of our result, we use it for the analysis of a standard example. We show that n + 1 concatenated buffers form a queue of capacity n + 1.
1 Introduction: Distributed algorithms are often configured as an arbitrarily large but finite set of processors that run a similar program. Using the formalism µCRL (micro Common Representation Language [9]) this can be described using recursion and operators for parallelism. Several benchmark verifications in µCRL and process algebra are therefore based on the...
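The buffer example in the abstract above can be checked mechanically for fixed sizes. The following Python is an added example written for this listing, not the paper's µCRL derivation: where the paper obtains a linear process equation for all n and appeals to CL-RSP, this code enumerates the finite state spaces of a chain of one-place buffers and of a bounded FIFO queue over a constructed two-element data domain, hides the internal hand-over steps between adjacent buffers as `tau`, and compares the observable-trace automata by a product walk. The buffer and queue definitions, action names `in(d)`/`out(d)` and the data domain are all assumptions of this example; it establishes trace equivalence after hiding, which is weaker than what the paper proves and only for the sizes actually explored.

```python
"""Explicit-state check: n+1 chained one-place buffers vs. a queue of capacity n+1."""
from collections import deque

DATA = ("a", "b")  # constructed data domain, small enough to enumerate


def chain_steps(slots):
    """Transitions of a chain of one-place buffers. State: tuple of slot contents
    (None = empty); data enters at slot 0 and leaves at the last slot."""
    steps = []
    if slots[0] is None:
        steps += [(f"in({d})", (d,) + slots[1:]) for d in DATA]
    if slots[-1] is not None:
        steps.append((f"out({slots[-1]})", slots[:-1] + (None,)))
    for i in range(len(slots) - 1):  # internal hand-over from slot i to slot i+1
        if slots[i] is not None and slots[i + 1] is None:
            nxt = list(slots)
            nxt[i + 1], nxt[i] = nxt[i], None
            steps.append(("tau", tuple(nxt)))
    return steps


def queue_steps(items, capacity):
    """Transitions of a bounded FIFO queue. State: tuple of queued items."""
    steps = []
    if len(items) < capacity:
        steps += [(f"in({d})", items + (d,)) for d in DATA]
    if items:
        steps.append((f"out({items[0]})", items[1:]))
    return steps


def explore(init, step_fn):
    """Breadth-first enumeration of reachable states with their transitions."""
    trans, work = {}, deque([init])
    while work:
        s = work.popleft()
        if s in trans:
            continue
        trans[s] = step_fn(s)
        work.extend(t for _, t in trans[s])
    return trans


def tau_closure(states, trans):
    """All states reachable from `states` by internal (tau) steps only."""
    closure, work = set(states), list(states)
    while work:
        s = work.pop()
        for a, t in trans[s]:
            if a == "tau" and t not in closure:
                closure.add(t)
                work.append(t)
    return frozenset(closure)


def determinize(init, trans):
    """Subset construction with tau hidden: a deterministic automaton whose
    language is exactly the set of observable traces."""
    start = tau_closure({init}, trans)
    dfa, work = {}, [start]
    while work:
        subset = work.pop()
        if subset in dfa:
            continue
        succ = {}
        for s in subset:
            for a, t in trans[s]:
                if a != "tau":
                    succ.setdefault(a, set()).add(t)
        dfa[subset] = {a: tau_closure(ts, trans) for a, ts in succ.items()}
        work.extend(dfa[subset].values())
    return start, dfa


def trace_equivalent(init1, trans1, init2, trans2):
    """Language equivalence of two determinized automata: every reachable pair
    of subsets must enable exactly the same observable actions."""
    s1, d1 = determinize(init1, trans1)
    s2, d2 = determinize(init2, trans2)
    seen, work = {(s1, s2)}, deque([(s1, s2)])
    while work:
        p, q = work.popleft()
        if d1[p].keys() != d2[q].keys():
            return False
        for a in d1[p]:
            pair = (d1[p][a], d2[q][a])
            if pair not in seen:
                seen.add(pair)
                work.append(pair)
    return True


def chain_vs_queue(buffers, capacity):
    """True iff `buffers` chained one-place buffers are trace equivalent, after
    hiding tau, to a FIFO queue of the given capacity."""
    chain_init = (None,) * buffers
    chain = explore(chain_init, chain_steps)
    queue = explore((), lambda s: queue_steps(s, capacity))
    return trace_equivalent(chain_init, chain, (), queue)


if __name__ == "__main__":
    n = 2
    print(chain_vs_queue(n + 1, n + 1))  # True: n+1 buffers form a queue of capacity n+1
    print(chain_vs_queue(n + 1, n + 2))  # False: the chain can never hold n+2 items
```

The negative cases matter as much as the positive one: a queue of capacity n + 2 or n accepts or refuses an `in` after a trace where the chain does the opposite, and the product walk reports the first such divergence. Because the state count grows as 3^buffers here, this brute-force check only covers the sizes it is run on; the paper's linear process equation is what gives the result for arbitrary n.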

