In this paper we briey introduce a Wide Spectrum Language and its transformation theory and describe a recent success of the theory: a general recursion removal theorem. This theorem includes as special cases the two techniques discussed by Knuth [12] and Bird [7]. We describe some applications of the theorem to cascade recursion, binary cascade recursion, Gray codes, the Towers of Hanoi problem, and an inverse engineering problem. 1 Introduction In this paper we briey introduce some of the ideas behind the transformation theory we have developed over the last eight years at Oxford and Durham Universities and describe a recent result: a general recursion removal theorem. We use a Wide Spectrum Language (called WSL), developed in [19,20,21] which includes lowlevel programming constructs and high-level abstract specications within a single language. Working within a single language means that the proof that a program correctly implements a specication, or that a specication correct...

We describe a tool for data refinement based on the Refinement Calculator. The tool supports the calculational approach to data refinement. As a consequence of the program calculation, a refinement theorem is automatically derived. The operation of the tool is illustrated with a case study.

Reverse engineering of interrupt-driven real-time programs with timing constraints is a particularly challenging research area, because the functional behaviour of a program, and the non-functional timing requirements, are implicit and can be very difficult to discover. However, in this paper we present a significant advance in this area, which is achieved by modelling realtime programs with interrupts in the wide spectrum language WSL. A small example program is modelled in this way, and formal program transformations are used to derive various timing constraints and to inverse engineer a formal specification of the program. (We use the term inverse engineering to mean reverse engineering achieved by formal program transformations).

Coping explicitly with failures during the conception and the design of software development complicates signicantly the designer's job. The design complexity leads to software descriptions difficult to understand, which have to undergo many simplifications until their first functioning version. To support the systematic development of complex, fault tolerant software, this paper proposes a layered framework for the analysis of the fault tolerance software properties, where the top-most layer provides the means for specifying the abstract failure semantics expressed in the initial conception stage, and each successive layer is a renement towards an elaborated description of a fault tolerant software architecture. We present the logical vehicle that permits reasoning on the equivalence or the compatibility of the various expressions of fault tolerance properties at various abstraction levels. In addition, we propose a mapping schema, which permits the correct transformation of abstract ent...

Reverse engineering of concurrent real-time programs with timing constraints is a particularly challenging research area, because the functional behaviour of a program, and the non-functional timing requirements, are implicit and can be very difficult to discover. In this paper we present a significant advance in this area, which is achieved by modelling real-time concurrent programs in the wide spectrum language WSL. We show how a sequential program with interrupts can be modelled in WSL, and the method is then extended to model more general concurrent programs. We show how a program modelled in this way may subsequently be "inverse engineered" by the use of formal program transformations, to discover a specification for the program. (We use the term "inverse engineering" to mean "reverse engineering achieved by formal program transformations").

ion Level : : : : : : : : : : : : : : : : : 9 1.3.1 Operations : : : : : : : : : : : : : : : : : : : : : : : : 9 1.3.2 Algorithm : : : : : : : : : : : : : : : : : : : : : : : : : 9 1.3.3 Computing Steps : : : : : : : : : : : : : : : : : : : : : 9 1.4 The Principle of Abstractions : : : : : : : : : : : : : : : : : : 9 1.5 Using Resources : : : : : : : : : : : : : : : : : : : : : : : : : 10 1.6 Using the Evolving Algebra : : : : : : : : : : : : : : : : : : : 11 1.6.1 Computing Medium and the Operations : : : : : : : : 11 1.6.2 The Computing Steps and Transition Steps : : : : : : 11 1.6.3 Using resources when executing Evolving Algebra speci cations : : : : : : : : : : : : : : : : : : : : : : : : : 11 1.7 Understanding and Executing a Specication : : : : : : : : : 12 1.8 How to Maintain a Specication : : : : : : : : : : : : : : : : 12 1.8.1 The Need of Making Modules : : : : : : : : : : : : : : 13 1.8.2 The Need of Controlling and Understanding the Algorithm : : : : : : : : : : : : : : :...

From school physics we got used to a basic problem solving strategy: create a mathematical model, reason on it, calculate a solution. The Camila approach is an attempt to make such a strategy available at the software engineering level. Based on a notion of formal software component it encompasses a settheoretic notation, a prototyping environment, fully connectable to external applications and equipped with communication facilities, and an inequational refinement calculus.

this paper, we presented a part of our work to create B libraries which correspond to some VHDL packages, as the STD_LOGIC_1164 package (see also [5]). This project enables us to take advantage of the power of the B method to develop a secure circuit. We write the speci cation of a desired circuit, then little by little we re ne our speci cations to reach to the implementation of this circuit which depends on the desired libraries. The B method due to J.R Abrial [2] is a formal method for the incremental development of speci cations and their re nements down to an implementation. It is a model-based approach similar to Z [8] and VDM [6]. The software design in B starts from mathematical speci - cations. Little by little, through many re nement steps ([7]), the designer tries to obtain a complete and executable speci cation. This process must be monotonic, that is any re nement has to be proven coherent according to the previous steps of re nement. The B tool can automatically decide which induced proofs are necessary to verify this correctness. Then these proofs are produced either automatically for the simple ones or in cooperation with the designer for the comlex ones. The abstract machine is the basic element of a B development. It encapsulates some state data and o ers some operations. In the B development, the proofs accompany the construction of software. Each time an abstract machine is de ned or modi ed, there are proof obligations related to its mathematical consistency; if the machine is a re nement or an implementation, there are also proofs of its correctness with respect to the previous steps of the development chain. The B tool allow to generate automatically the proof obligations for each abstract machine. Generally speaking, the proof obligations will be...

A refinement calculus for the specification of real-time systems and their refinement to a VHDL behavioural description is set out here. The specification format is alogical triple with the look of a ZorVDM schema. Choices from a short menu of refinement operations gradually convert an initial specification to VHDL code through a series of mixed mode intermediates. The calculus is complete in the sense that if thereisacode of the VHDL subset considered here (unit-delay waits and signal assignments but no delta delays) satisfying the specification, then it can be obtained by applying some sequence of the refinement operations. The result is "correct by construction".