Results 1 - 10 of 13
On Proving Safety Properties by Integrating Static Analysis, Theorem Proving and Abstraction
TACAS '99, 1999
Cited by 19 (0 self)
Abstract
We present a new approach for proving safety properties of reactive systems, based on tight interaction between static analysis, theorem proving and abstraction techniques. The method incrementally constructs a proof or finds a counterexample. Every step consists of applying one of the techniques and makes constructive use of information obtained from failures in previous steps. The amount of user intervention is limited and is highly guided by the system at each step. We demonstrate the method on three simple examples, and show that by using it one can prove more properties than by using each component as a stand-alone.
A Broader Class of Trees for Recursive Type Definitions for HOL
Higher Order Logic Theorem Proving and Its Applications, volume 780 of LNCS, 1994
Cited by 13 (0 self)
Abstract
In this paper we describe the construction in hol of the inductive type of arbitrarily branching labeled trees. Such a type is characterized by an initiality theorem similar to that for finitely branching labeled trees. We discuss how to use this type to extend the system of simple recursive type specifications automatically definable in hol to ones including a limited class of functional arguments. The work discussed here is a part of a larger project to expand the recursive types package of hol which is nearing completion. All work described in this paper has been completed. 1 A Broader Class of Recursive Type Definitions The work described in this paper forms the foundation of a project to expand the class of recursive type specifications for which hol is capable of automatically defining the types specified and proving the initiality theorem, which acts as an axiomatization for the defined types. The full class of specifications the project aims to handle are those BNF-...
An Approach to Combining B and Alloy
In Proc. of ZB 2002, volume 2272 of LNCS, 2002
Cited by 5 (1 self)
Abstract
In this paper we propose to combine two software verification approaches, theorem proving and model checking. We focus on the B-method and a theorem proving tool associated with it, and the Alloy specification notation and its model checker "Alloy Constraint Analyser". We consider how software development in B can be assisted using Alloy and how Alloy can be used for verifying refinement of abstract specifications. We demonstrate our approach with an example. Keywords: B-method, Alloy.
Mechanized Operational Semantics of WSL
IEEE International Workshop on Source Code Analysis and Manipulation (SCAM), Los Alamitos, 2002
Cited by 4 (1 self)
Abstract
This paper presents an experiment on computer-assisted formal verification of program transformations. The operational semantics of WSL is formalized in the type-theoretical proof assistant Coq, which forms the basis on which the correctness of program transformations can be stated and proved as formulae in Coq. A group of program transformations frequently used for software maintenance have been proved correct. The existence of a machine-checked formal verification significantly increases the confidence in the correctness of program transformations, which is crucial for the reliability of software maintenance systems.
Combining Tools for the Verification of Fault-Tolerant Systems
In: Tools for System Development and Verification (Workshop Proceedings), BISS Monographs, Shaker, 1996
Cited by 4 (3 self)
Abstract
In this article, we describe an approach for the tool-supported development and verification of fault-tolerant systems according to the invent&verify paradigm. Our method is based on the CSP (Communicating Sequential Processes) specification language. It allows the desired properties of a system to be expressed as implicit specifications (assertions about traces and refusals), explicit specifications (CSP process terms), refinement relations or combinations of these three description formalisms. From our experience with industrial verification projects, this possibility to choose between different specification paradigms according to the specific needs of each development step is essential to cope with large-scale formal development and verification projects. Each top-down development step according to the invent&verify paradigm introduces a verification obligation whose type depends on the specification techniques applied for the different components involved in the step. We describe...
Learning to Verify Systems
2006
Cited by 3 (1 self)
Abstract
Making high-quality and reliable software systems remains a difficult problem. One approach to address this problem is automated verification, which attempts to demonstrate algorithmically that a software system meets its specification. However, verification of software systems is not easy: such systems are often modeled using abstractions of infinite structures such as unbounded integers, infinite memory for allocation, unbounded space for the call stack, unrestricted queue sizes and so on. It can be shown that for most classes of such systems, the verification problem is actually undecidable (there exists no algorithm which will always give the correct answer for arbitrary inputs). In spite of this negative theoretical result, techniques have been developed which are successful on some practical examples although they are not guaranteed to always work. This dissertation is in a similar spirit and develops a new paradigm for automated verification of large or infinite state systems. We observe that even if the state space of a system is infinite, for practical examples, the set of reachable states (or other fixpoints needed for verification) is often expressible in a simple representation. Based on this observation, we propose an entirely new approach to verification: the idea is to use techniques from computational learning theory to identify the reachable states (or other fixpoints) and then verify the property of interest. To use learning techniques, we solve key problems of
A Theorem Proving Abstraction of Model Checking
1995
Cited by 1 (0 self)
Abstract
Rachel Cardell-Oliver and Chris Southon, Department of Computer Science, University of Essex, October 1995. This paper presents a new approach to the verification of temporal requirements for real-time systems which combines the benefits of abstraction in theorem proving and automation in model checking. Previous work combining these paradigms has provided a uniform interface to two different methods, whereas here model checking is represented by proof rules and procedures within the theorem proving paradigm. Logical expressions are used to represent (possibly infinite) classes of states. Logical deduction and an operational semantics are used to evaluate the possible behaviours of specifications. Sound inductive proof rules evaluate the truth of temporal propositions over these behaviours. The theory has been embedded in the HOL system, providing a tool for automatic verification which has been tested on a number of examples. 1 Introduction One way to ma...
Variations on an Alloy-centric Tool-Chain in Verifying a Journaled File System Model
2010
Cited by 1 (1 self)
Abstract
Tool interoperability is among the main goals of the international Grand Challenge initiative. In the context of the Verifiable File System mini-challenge put forward by Joshi and Holzmann, our work has been focused on the integration of different formal methods and tools in a tool-chain for modelling and verification. The current paper shows how to adapt such a tool-chain to the task in hand, aiming at reducing tool integration costs. The refinement of an abstract file store model into a journaled (flash) data model catering for wear leveling and recovery from power loss is taken as the case study. This shows that refinement steps can be carried out within a shorter, reduced life-cycle where model checking in Alloy goes hand in hand with manual proofs carried out in the (pointfree) algebra of binary relations. This provides ample evidence of the positive impact of Alloy's lemma "everything is a relation" on software verification, in particular in carrying out induction-free proofs about data structures such as finite maps and lists.
unknown title
Abstract
1 Introduction The formal semantics of programming languages forms a foundation on which program transformation can be investigated and proved correct rigorously. However, as observed by DeMillo, Lipton and Perlis [1], such proofs are typically lengthy and tedious, containing many detailed cases. This makes the proofs difficult for a human to read and check. Often the proofs are less interesting, less appealing and less elegant than the proofs found in mathematics, and so there is an additional 'social' discouragement to the wider community to perform the crucial proof-checking role. It has also been argued [2] that the very idea of program verification is flawed, partly because of the tremendous cost involved in generating and checking proofs.
Execution and Verification of 2nd Order Interval Temporal Logic
1995
Abstract
this paper we show 2ITL as a subset of interval temporal logic. 2ITL is undecidable, but through investigations on verification procedures, we find a decidable subset of ITL. Its automatic verification is also presented. 1 Interval Temporal Logic as Second Order Temporal Logic