Results 1 - 10 of 13
Formal Verification of a Leader Election Protocol in Process Algebra
- Theoretical Computer Science, 1995
Cited by 21 (6 self)
In 1982 Dolev, Klawe & Rodeh presented an O(n log n) unidirectional distributed algorithm for the circular extrema-finding (or leader-election) problem. At the same time Peterson came up with a nearly identical solution. In this paper, we bring the correctness of this algorithm to a completely formal level. This relatively small protocol, which can be described on half a page, requires a rather involved proof for guaranteeing that it behaves well in all possible circumstances. To our knowledge, this is one of the more advanced case-studies in formal verification based on process algebra. Keywords Formal Methods, Process algebra, Protocol verification. 1 Introduction Experience teaches that distributed protocols are hard to define correctly. This is not only due to the inherent complexity of distributed systems, but it is also caused by the lack of adequate techniques to prove the correctness of such protocols. This means that there are no good ways of validating designs for distribut...
A computer-checked verification of Milner's scheduler
- Proceedings of the 2nd International Symposium on Theoretical Aspects of Computer Software, TACS '94, 1994
Cited by 18 (5 self)
We present an equational verification of Milner's scheduler, which we checked by computer. To our knowledge this is the first time that the scheduler is proof-checked for a general number n of scheduled processes. 1991 Mathematics Subject Classification: 68Q60, 68T15. 1991 CR Categories: F.3.1. Keywords & Phrases: Coq, micro CRL, Milner's Scheduler, proof checking, type theory. Other versions: This report is a more detailed version of [16], brought out at the University of Utrecht. An extended abstract will appear in the LNCS Proceedings of TACS'94 (International Symposium on Theoretical Aspects of Computer Software, Japan, April 1994). Support: The work of the first author took place in the context of EC Basic Research Action 7166 concur 2. The work of the second author is supported by the Netherlands Computer Science Research Foundation (SION) with financial support of the Netherlands Organisation for Scientific Research (NWO).
A Bounded Retransmission Protocol for Large Data Packets. A Case Study in Computer Checked Algebraic Verification
- 1993
Cited by 17 (7 self)
This note describes a protocol for the transmission of data packets that are too large to be transferred in their entirety. Therefore, the protocol splits the data packets and broadcasts it in parts. It is assumed that in case of failure of transmission through data channels, only a limited number of retries are allowed (bounded retransmission). If repeated failure occurs, the protocol stops trying and the sending and receiving protocol users are informed accordingly. The protocol and its external behaviour are specified in µCRL. The correspondence between these is shown using the axioms of µCRL. The whole proof of this correspondence has been computer checked using the proof checker Coq. This provides an example showing that proof checking of realistic protocols is feasible within the setting of process algebras. The first author is partly supported by the Netherlands Computer Science Research Foundation (SION) with financial support of the Netherlands Organisation for Scientific Re...
Formalizing Process Algebraic Verifications in the Calculus of Constructions
Cited by 14 (7 self)
This paper reports on the first steps towards the formal verification of correctness proofs of real-life protocols in process algebra. We show that proofs can be verified, and partly constructed, by a general purpose proof checker. The process algebra we use is µCRL, ACP augmented with data, which is small enough to make the verification feasible, and at the same time expressive enough for the specification of real-life protocols. The proof checker we use is Coq, which is based on the Calculus of Constructions, an extension of simply typed lambda calculus. The focus is on the translation of the proof theory of µCRL and µCRL-specifications to Coq. As a case study, we verified the Alternating Bit Protocol.
A Formal Verification of the Alternating Bit Protocol in the Calculus of Constructions
- Utrecht University, 1993
Cited by 13 (3 self)
We report on a formal verification of the Alternating Bit Protocol (ABP) in the Calculus of Constructions. We outline a semi-formal correctness proof of the ABP with sufficient detail to be formalised. Thereafter we show by examples how the formalised proof has been verified by the automated proof checker Coq. This is part of an ongoing project aiming at the mechanisation of reasoning in (extensions of) process algebra, which we think important for the fruitful application of process algebra to concurrent systems. Key Words & Phrases: protocol verification, process algebra, typed lambda calculi. 1985 Mathematics Subject Classification: 68B10. 1987 CR Categories: D.2.4, D.4.5, F.3.1. 1 Introduction We report on a formal verification of the Alternating Bit Protocol [4] in the Calculus of Constructions, as part of an ongoing project aiming at the mechanisation of reasoning in (extensions of) process algebra. Formal verification distinguishes itself from verification in the usual sense...
Termination Proofs for Higher-order Rewrite Systems
- In 1st International Workshop on Higher-Order Algebra, Logic and Term Rewriting, 1994
Cited by 13 (0 self)
This paper deals with termination proofs for Higher-Order Rewrite Systems (HRSs), introduced in [12]. This formalism combines the computational aspects of term rewriting and simply typed lambda calculus. The result is a proof technique for the termination of a HRS, similar to the proof technique "Termination by interpretation in a well-founded monotone algebra", described in [8, 19]. The resulting technique is as follows: Choose a higher-order algebra with operations for each function symbol in the HRS, equipped with some well-founded partial ordering. The operations must be strictly monotonic in this ordering. This choice generates a model for the HRS. If the choice can be made in such a way that for each rule the interpretation of the left hand side is greater than the interpretation of the right hand side, then the HRS is terminating. At the end of the paper some applications of this technique are given, which show that this technique is natural and can easily be applied. 1 Introdu...
Co-Inductive Types in Coq: An Experiment with the Alternating Bit Protocol
- 1995
Cited by 12 (1 self)
We describe an experience concerning the implementation and use of co-inductive types in the proof editor Coq. Co-inductive types are recursive types which, opposite to inductive ones, may be inhabited by infinite objects. In order to illustrate their use in Coq, we describe an axiomatisation of a calculus of broadcasting systems where recursive processes are represented using infinite objects. This calculus is used for developing a verification proof of the alternating bit protocol. Keywords: Program Verification, Type Theory, Co-Inductive Types, Communicating Processes
Résumé: In this article we describe an experiment concerning the implementation and use of co-inductive types in the Coq proof environment. Co-inductive types are recursive types which, unlike inductive types, can be inhabited by infinite objects. Pour illustrer leur utilisation dans Coq nous décrivons comment axiomatiser un calcul de processus qui communiq...
On automating process algebra proofs
- Proceedings of the 11th International Symposium on Computer and Information Sciences, ISCIS XI, 1996
Cited by 6 (0 self)
In [10] Groote and Springintveld incorporated several model-oriented techniques (such as invariants, matching criteria, state mappings) in the process-algebraic framework of µCRL for structuring and simplifying protocol verifications. In this paper, we formalise these extensions in Coq, which is a proof development tool based on type theory. In the updated framework, the length of proof constructions is reduced significantly. Moreover, the new approach allows for more automation (proof generation) than was possible in the past. The results are illustrated by an example in which we prove two queue representations equal.
Algebraic Proof Assistants in HOL
- 1995
Cited by 2 (0 self)
We explore several ways to formalize the algebraic laws of CSP-like languages in HOL. The intent of the paper is to show how HOL can be tailored to acting as a proof assistant. The emphasis is therefore on the consequences of various choices to be made during the formalization for writing tactics. We end up with a proof assistant that allows a user to make steps of the granularity of an algebraic law. It is not the purpose of this paper to show in HOL that the algebraic laws of some CSP-like language are sound; the purpose is to show how HOL can be used to apply the algebraic laws and act as a rewrite system. 0 Introduction We report on our attempts to tailor the automated proof checker HOL [GM93] to the verification of proofs in CSP-like process algebras. Although it is technically feasible to prove the correctness of processes operating in parallel, this is often a long and tedious, and therefore extremely error-prone task. Reliable tools that can assist in proving concurrent progra...
A formal axiomatization for alphabet reasoning with parametrized processes
- Henri Korver, Alex Sellink, 1997
Cited by 2 (1 self)
In the process-algebraic verification of systems with three or more components put in parallel, alphabet axioms are considered to be useful. These are rules that exploit the information about the alphabets of the processes involved. The alphabet of a process is the set of actions it can perform. In this paper, we extend µCRL (a formal proof system for ACP + data) with such axioms. The alphabet axioms that are added to the proof theory are completely formal and therefore highly suited for computer-checked verification. This is new compared to previous papers where the formulation of alphabet axioms relies for a considerable extent on informal data parameters and implicit (infinite) set theory. 1 Introduction During the proof checking of Milner's Scheduler (see [KS93]), we found out that there was a need for an explicit treatment of the so-called alphabet axioms in a context of data, i.e. a setting where actions and processes are parametrized with data values (possibly ranging ...

