s and compressed postscript files are available from http://svrc.it.uq.edu.au Deadlines are termination Ian J. Hayes Mark Utting y Abstract We have recently extended the sequential refinement calculus to handle real-time programs. A novel deadline command allows execution time limits to be expressed in a high-level language. The calculus allows refinement steps that separate timing constraints from non-timing requirements. Rules are provided for handling timing constraints, but the refinement of components implementing non-timing requirements is essentially the same as in the standard refinement calculus. In this paper, we present a new refinement rule for loops that does not require a variant for termination, but uses a deadline command instead. To illustrate the calculus and the new loop introduction rule, we present an example refinement of a program that calculates the size of a kiwifruit from the time it takes to pass through a light beam. 1 Introduction Formal correctnes...

s and compressed postscript files are available from http://svrc.it.uq.edu.au Separating Timing and Calculation in Real-Time Refinement Ian Hayes Abstract. We consider the specification and refinement of sequential real-time programs. Our realtime specifications describe the allowable behaviours of an implementation in terms of the values of variables over time. Hence within a specification the values of the variables and the times at which they have those values are intertwined. However, in a real-time program some commands are concerned with calculating the right outputs, while other commands, such as delays and deadlines, are concerned with making sure the outputs appear at the right time. During the refinement process we would like to decompose the overall problem into those aspects dealing with time and those that are purely calculation. We need refinement rules that allow us to separate these concerns. Further, given a component that is only concerned with calculation, the co...

s and compressed postscript files are available from http://svrc.it.uq.edu.au Real-Time Program Refinement Using Auxiliary Variables Ian Hayes Abstract Real-time program development can be split into a machine-independent phase, that derives a machine-independent real-time program from a specification, and a machinedependent phase, that checks that the compiled program will meet its deadlines when executed on the target machine. In this paper we extend a machine-independent real-time programming language with auxiliary variables. These are introduced to facilitate both reasoning about the correctness of real-time programs and the expression of timing deadlines, and hence the calculation of timing constraints on paths through a program. The auxiliary variable concept is extended to auxiliary parameters to procedures. Keywords Formal methods; refinement calculus; real-time programming; auxiliary variables; deadline command. 1 Introduction Our overall goal is to provide a ...

Many program verification, testing and performance prediction techniques rely on analysis of statically-identified control-flow paths. However, some such paths may be ‘dead ’ because they can never be followed at run time, and should therefore be excluded from analysis. It is shown how the formal semantics of those statements comprising a path provides a sound theoretical foundation for identification of dead paths.

s and compressed postscript files are available via http://svrc.it.uq.edu.au A Formal Model of Real-Time Program Compilation Karl Lermer and Colin Fidge Software Verification Research Centre, The University of Queensland, Queensland 4072, Australia. Abstract Program compilation can be formally defined as a sequence of equivalence-preserving transformations, or refinements, from high-level language programs to assembler code. Recent models also incorporate timing properties, but the resulting formalisms are intimidatingly complex. Here we take advantage of a new, simple model of realtime refinement, based on predicate transformer semantics, to present a straightforward compilation formalism that incorporates real-time constraints. Key words: Refinement calculus; Program compilation; Program semantics; Real-time programming; Program verification 1 Introduction Compiler correctness is a significant concern for developers of safety-critical systems. However, verifying an indus...

Abstract: System requirements frequently change while the system is still under development. Usually this means going back and revising the requirements speci cation and redoing those development steps already completed. In this article we show how formal requirements can be allowed to evolve while system development is in progress, without the need for costly redevelopment. This is done via a formalism which allows requirements engineering steps to be interleaved with formal development steps in a manageable way. The approach is demonstrated by a signi cant case study, the Light Control System.

. This paper introduces the semantics of a wide spectrum language with a rich compositional structure that is able to represent both temporal specifications and sequential programs. A key feature of the language is the ability to represent partial correctness annotations expressed in temporal logic. A refinement relation is presented that enables refinement steps to make use of these partial correctness assertions. It is argued by means of an example that the approach presented allows for more flexible reasoning using temporal annotations than previous approaches, and that the added flexibility has significant value for program optimization. Keywords: Refinement calculus, temporal logic, temporal refinement calculi 1 Introduction Work on program refinement can be categorised into two classes. One of the most deeply explored approaches [Mor90,BvW98,Mor87] is state-based, premised on the use of predicate transformers and weakest preconditions as a semantic basis. This is natu...

It is common for a real-time system to contain a nonterminating process monitoring an input and controlling an output. Hence a real-time program development method needs to support nonterminating repetitions. In this paper we develop a general proof rule for reasoning about possibly nonterminating repetitions. The rule makes use of a Floyd-Hoare-style loop invariant that is maintained by each iteration of the repetition, a Jones-style relation between the pre- and post-states on each iteration, and a deadline specifying an upper bound on the starting time of each iteration. The general rule is proved correct with respect to a predicative semantics. In the case of a terminating repetition the rule reduces to the standard rule extended to handle real time. Other special cases include repetitions whose bodies are guaranteed to terminate, nonterminating repetitions with the constant true as a guard, and repetitions whose termination is guaranteed by the inclusion of a fixed deadline. 1

s and compressed postscript files are available via http://svrc.it.uq.edu.au State-machine versus trace modelling of real-time reactive systems C. J. Fidge Abstract. Both extended state-machines and trace-based models have been promoted as appropriate specification methods for real-time systems. We present the same real-time specification in both styles, in order to clearly compare the two approaches. 1 Introduction There is currently a great deal of interest in formal methods for developing realtime systems. Numerous specification notations have been suggested. Broadly speaking they can be divided into two groups, those based on extended statemachines and those based on trace, or history, models. State-machine approaches extend familar computing concepts. Typically they add a special `now' variable to the system state to explicitly represent the current time [11]. Timing extensions to action systems [21] and the Temporal Logic of Actions [1] have championed the use of exte...

Hehner's theory of predicative programming is a general-purpose refinement calculus for producing correct sequential, concurrent, real-time, and communicating programs from specifications. However, only limited tool support exists for this theory. We give an overview of an ongoing project on how we are providing support for predicative programming via PVS, particularly for discharging the proof obligations that arise during algorithm refinement, and specifically, in the domain of real-time applications.