Results 1  10
of
207
Seven More Myths of Formal Methods
 IEEE SOFTWARE
, 1995
"... In 1990, Anthony Hall published a seminal article that listed and dispelled seven myths about the nature and application of formal methods. Today  five years and many successful applications later  formal methods remain one of the most contentious areas of softwareengineering practice.
Despite 25 ..."
Abstract

Cited by 119 (18 self)
 Add to MetaCart
In 1990, Anthony Hall published a seminal article that listed and dispelled seven myths about the nature and application of formal methods. Today  five years and many successful applications later  formal methods remain one of the most contentious areas of softwareengineering practice.
Despite 25 years of use, few people understand exactly what formal methods are or how they are applied. Many nonformalists seem to believe that formal methods are merely an academic exercise  a form of mental masturbation that has no relation to realworld problems. The media's portrayal of formal methods does little to help the situation. In many "popular press" science journals, formal methods are subjected to either deep criticism or, worse, extreme hyperbole. Fortunately, today these myths are held more by the public and the computerscience community at large than by system developers. It is our concern, however, that new myths are being propagated, and more alarmingly, are receiving a certain tacit acceptance from the systemdevelopment community.
Following Hall's lead, we address and dispel seven new myths about formal methods: Formal methods delay the development process; formal methods lack tools; formal methods replace traditional engineering design methods; formal methods only apply to software; formal methods are unnecessary; formal methods are not supported; and formalmethods people always use formal methods.
Design of Embedded Systems: Formal Models, Validation, and Synthesis
 PROCEEDINGS OF THE IEEE
, 1999
"... This paper addresses the design of reactive realtime embedded systems. Such systems are often heterogeneous in implementation technologies and design styles, for example by combining hardware ASICs with embedded software. The concurrent design process for such embedded systems involves solving the ..."
Abstract

Cited by 113 (9 self)
 Add to MetaCart
(Show Context)
This paper addresses the design of reactive realtime embedded systems. Such systems are often heterogeneous in implementation technologies and design styles, for example by combining hardware ASICs with embedded software. The concurrent design process for such embedded systems involves solving the specification, validation, and synthesis problems. We review the variety of approaches to these problems that have been taken.
An Industrial Strength Theorem Prover for a Logic Based on Common Lisp
 IEEE Transactions on Software Engineering
, 1997
"... ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's PcNqthm, intended for large scale verification projects. This paper deals primarily with how we scaled up Nqthm's logic to an "industrial strength" programming language  namely, a large a ..."
Abstract

Cited by 110 (5 self)
 Add to MetaCart
(Show Context)
ACL2 is a reimplemented extended version of Boyer and Moore's Nqthm and Kaufmann's PcNqthm, intended for large scale verification projects. This paper deals primarily with how we scaled up Nqthm's logic to an "industrial strength" programming language  namely, a large applicative subset of Common Lisp  while preserving the use of total functions within the logic. This makes it possible to run formal models efficiently while keeping the logic simple. We enumerate many other important features of ACL2 and we briefly summarize two industrial applications: a model of the Motorola CAP digital signal processing chip and the proof of the correctness of the kernel of the floating point division algorithm on the AMD5K 86 microprocessor by Advanced Micro Devices, Inc.
Isar  a Generic Interpretative Approach to Readable Formal Proof Documents
, 1999
"... We present a generic approach to readable formal proof documents, called Intelligible semiautomated reasoning (Isar). It addresses the major problem of existing interactive theorem proving systems that there is no appropriate notion of proof available that is suitable for human communication, or ..."
Abstract

Cited by 85 (16 self)
 Add to MetaCart
We present a generic approach to readable formal proof documents, called Intelligible semiautomated reasoning (Isar). It addresses the major problem of existing interactive theorem proving systems that there is no appropriate notion of proof available that is suitable for human communication, or even just maintenance. Isar's main aspect is its formal language for natural deduction proofs, which sets out to bridge the semantic gap between internal notions of proof given by stateoftheart interactive theorem proving systems and an appropriate level of abstraction for userlevel work. The Isar language is both human readable and machinecheckable, by virtue of the Isar/VM interpreter. Compared to existing declarative theorem proving systems, Isar avoids several shortcomings: it is based on a few basic principles only, it is quite independent of the underlying logic, and supports a broad range of automated proof methods. Interactive proof development is supported as well...
Automating the Meta Theory of Deductive Systems
, 2000
"... not be interpreted as representing the o cial policies, either expressed or implied, of NSF or the U.S. Government. This thesis describes the design of a metalogical framework that supports the representation and veri cation of deductive systems, its implementation as an automated theorem prover, a ..."
Abstract

Cited by 84 (16 self)
 Add to MetaCart
(Show Context)
not be interpreted as representing the o cial policies, either expressed or implied, of NSF or the U.S. Government. This thesis describes the design of a metalogical framework that supports the representation and veri cation of deductive systems, its implementation as an automated theorem prover, and experimental results related to the areas of programming languages, type theory, and logics. Design: The metalogical framework extends the logical framework LF [HHP93] by a metalogic M + 2. This design is novel and unique since it allows higherorder encodings of deductive systems and induction principles to coexist. On the one hand, higherorder representation techniques lead to concise and direct encodings of programming languages and logic calculi. Inductive de nitions on the other hand allow the formalization of properties about deductive systems, such as the proof that an operational semantics preserves types or the proof that a logic is is a proof calculus whose proof terms are recursive functions that may be consistent.M +
Type Classes and Overloading in HigherOrder Logic
 Theorem Proving in Higher Order Logics: TPHOLs ’97, LNCS 1275
, 1997
"... Type classes and overloading are shown to be independent concepts that can both be added to simple higherorder logics in the tradition of Church and Gordon, without demanding more logical expressiveness. In particular, modeltheoretic issues are not affected. Our metalogical results may serve as a ..."
Abstract

Cited by 74 (7 self)
 Add to MetaCart
Type classes and overloading are shown to be independent concepts that can both be added to simple higherorder logics in the tradition of Church and Gordon, without demanding more logical expressiveness. In particular, modeltheoretic issues are not affected. Our metalogical results may serve as a foundation of systems like Isabelle/Pure that offer the user Haskellstyle ordersorted polymorphism as an extended syntactic feature. The latter can be used to describe simple abstract theories with a single carrier type and a fixed signature of operations.
Formal Verification of Standards for Distance Vector Routing Protocols
, 2000
"... We show how to use an interactive theorem prover, HOL, together with a model checker, SPIN, to prove key properties of distance vector routing protocols. We do three case studies: correctness of the RIP standard, a sharp realtime bound on RIP stability, and preservation of loopfreedom in AODV, a di ..."
Abstract

Cited by 71 (3 self)
 Add to MetaCart
(Show Context)
We show how to use an interactive theorem prover, HOL, together with a model checker, SPIN, to prove key properties of distance vector routing protocols. We do three case studies: correctness of the RIP standard, a sharp realtime bound on RIP stability, and preservation of loopfreedom in AODV, a distance vector protocol for wireless networks. We develop verification techniques suited to routing protocols generally. These case studies show significant benefits from automated support in reduced verification workload and assistance in finding new insights and gaps for standard specifications.
Firstorder proof tactics in higherorder logic theorem provers
 Design and Application of Strategies/Tactics in Higher Order Logics, number NASA/CP2003212448 in NASA Technical Reports
, 2003
"... Abstract. In this paper we evaluate the effectiveness of firstorder proof procedures when used as tactics for proving subgoals in a higherorder logic interactive theorem prover. We first motivate why such firstorder proof tactics are useful, and then describe the core integrating technology: an ‘ ..."
Abstract

Cited by 51 (4 self)
 Add to MetaCart
(Show Context)
Abstract. In this paper we evaluate the effectiveness of firstorder proof procedures when used as tactics for proving subgoals in a higherorder logic interactive theorem prover. We first motivate why such firstorder proof tactics are useful, and then describe the core integrating technology: an ‘LCFstyle’ logical kernel for clausal firstorder logic. This allows the choice of different logical mappings between higherorder logic and firstorder logic to be used depending on the subgoal, and also enables several different firstorder proof procedures to cooperate on constructing the proof. This work was carried out using the HOL4 theorem prover; we comment on the ease of transferring the technology to other higherorder logic theorem provers. 1
Inductive datatypes in HOL  lessons learned in FormalLogic Engineering
 Theorem Proving in Higher Order Logics: TPHOLs ’99, LNCS 1690
, 1999
"... Isabelle/HOL has recently acquired new versions of definitional packages for inductive datatypes and primitive recursive functions. In contrast to its predecessors and most other implementations, Isabelle/HOL datatypes may be mutually and indirect recursive, even infinitely branching. We also su ..."
Abstract

Cited by 45 (7 self)
 Add to MetaCart
(Show Context)
Isabelle/HOL has recently acquired new versions of definitional packages for inductive datatypes and primitive recursive functions. In contrast to its predecessors and most other implementations, Isabelle/HOL datatypes may be mutually and indirect recursive, even infinitely branching. We also support inverted datatype definitions for characterizing existing types as being inductive ones later. All our constructions are fully definitional according to established HOL tradition. Stepping back from the logical details, we also see this work as a typical example of what could be called "FormalLogic Engineering". We observe that building realistic theorem proving environments involves further issues rather than pure logic only. 1