The majority of work carried out in the formal methods community throughout the last three decades has (for good reasons) been devoted to special languages designed to make it easier to experiment with mechanized formal methods such as theorem provers, proof checkers and model checkers. In this paper we will attempt to give convincing arguments for why we believe it is time for the formal methods community to shift some of its attention towards the analysis of programs written in modern programming languages. In keeping with this philosophy we have developed a verification and testing environment for Java, called Java PathFinder (JPF), which integrates model checking, program analysis and testing. Part of this work has consisted of building a new Java Virtual Machine that interprets Java bytecode. JPF uses state compression to handle big states, and partial order and symmetry reduction, slicing, abstraction, and runtime analysis techniques to reduce the state space. JPF has been applied to a real-time avionics operating system developed at Honeywell, illustrating an intricate error, and to a model of a spacecraft controller, illustrating the combination of abstraction, runtime analysis, and slicing with model checking.

. Communication protocols pose interesting and difficult challenges for verification technologies. The state spaces of interesting protocols are either infinite or too large for finite-state verification techniques like model checking and state exploration. Theorem proving is also not effective since the formal correctness proofs of these protocols can be long and complicated. We describe a series of protocol verification experiments culminating in a methodology where theorem proving is used to abstract out the sources of unboundedness in the protocol to yield a skeletal protocol that can be verified using model checking. Our experiments focus on the Philips bounded retransmission protocol originally studied by Groote and van de Pol and by Helmink, Sellink, and Vaandrager. First, a scaled-down version of the protocol is analyzed using the MurOE state exploration tool as a debugging aid and then translated into the PVS specification language. The PVS verification of the generalized prot...

We propose and study a new typing algorithm for dependent type theory. This new algorithm typechecks more terms by using inheritance between classes. This inheritance mechanism turns out to be powerful: it supports multiple inheritance, classes with parameters and uses new abstract classes FUNCLASS and SORTCLASS (respectively classes of functions and sorts). We also defines classes as records, particularily suitable for the formal development of mathematical theories. This mechanism, implemented in the proof checker Coq, can be adapted to all typed -calculus. 1 Introduction In the last years, proof checkers based on type theory appeared as convincing systems to formalize mathematics (especially constructive mathematics) and to prove correctness of software and hardware. In a proof checker, one can interactively build definitions, statements and proofs. The system is then able to check automatically whether the definitions are well-formed and the proofs are correct. Modern systems ar...

We present a strategy for nding algebraic correctness proofs for communication systems. It is described in the setting of CRL [11], which is, roughly, ACP [2, 3] extended with a formal treatment of the interaction between data and processes. The strategy has already been applied successfully in [4] and [10], but was not explicitly identi ed as such. Moreover, the protocols that were veri ed in these papers were rather complex, so that the general picture was obscured by the amount of details. In this paper, the proof strategy is materialised in the form of de nitions and theorems. These results reduce a large part of protocol veri cation to a number of trivial facts concerning data parameters occurring in implementation and speci cation. This greatly simpli es protocol veri cations and makes our approach amenable to mechanical assistance � experiments in this direction seem promising. The strategy is illustrated by several small examples and one larger example, the Concurrent Alternating Bit Protocol (CABP). Although simple, this protocol contains a large amount ofinternal parallelism, so that all relevant issuesmaketheir appearance.

We present a new approach for proving safety properties of reactive systems, based on tight interaction between static analysis, theorem proving and abstraction techniques. The method incrementally constructs a proof or finds a counterexample. Every step consists of applying one of the techniques and makes constructive use of information obtained from failures in previous steps. The amount of user intervention is limited and is highly guided by the system at each step. We demonstrate the method on three simple examples, and show that by using it one can prove more properties than by using each component as a stand-alone.

This paper presents a system for amorphous program slicing which combines slicing and transformation to achieve thinner slices than are possible using conventional syntax-preserving slicing. The approach involves the validation of the transformation and slicing steps using the Coq proof assistant, thereby guaranteeing the correctness of the amorphous slices produced. The combined application of slicing and transformation is illustrated with a simple case study.

In [10] Groote and Springintveld incorporated several model-oriented techniques { such asinvariants, matching criteria, state mappings { in the process-algebraic framework of CRL for structuring and simplifying protocol veri cations. In this paper, we formalise these extensions in Coq, which is a proof development tool based on type theory. In the updated framework, the length of proof constructions is reduced significantly. Moreover, the new approach allows for more automation (proof generation) than was possible in the past. The results are illustrated by an example in which we prove two queue representations equal. 1

Abstract. PVS (Prototype Verification System) is a comprehensive framework for writing formal logical specifications and constructing proofs. An interactive proof checker is a key component of PVS. The capabilities of this proof checker can be extended by defining proof strategies that are similar to LCF-style tactics. Commonly used proof strategies include those for discharging typechecking proof obligations, simplification and rewriting using decision procedures, and various forms of induction. We describe the basic building blocks of PVS proof strategies and provide a pragmatic guide for writing sophisticated strategies. 1

Littlewood [1] introduced the idea that software may be possibly perfect and that we can contemplate its probability of (im)perfection. We review this idea and show how it provides a bridge between correctness, which is the goal of software verification (and especially formal verification), and the probabilistic properties such as reliability that are the targets for system-level assurance. We enumerate the hazards to formal verification, consider how each of these may be countered, and propose relative weightings that an assessor may employ in assigning a probability of perfection.

This paper presents an experiment on computer assisted formal verification of program transformations. The operational semantics of WSL is formalized in the type theoretical proof assistant Coq, which forms the basis, on which the correctness of program transformations can be stated and proved as formul in Coq. A group of program transformations frequently used for software maintenance have been proved correct. The existence of a machine checked formal verification increases significantly the confidence in the correctness of program transformations, which is crucial for the reliability of software maintenance systems.