## Mechanizing UNITY in Isabelle

### Other Repositories/Bibliography

Venue: ACM Transactions on Computational Logic

Citations: 25 (6 self)

### BibTeX

```bibtex
@ARTICLE{Paulson_mechanizingunity,
  author  = {Lawrence C. Paulson},
  title   = {Mechanizing UNITY in Isabelle},
  journal = {ACM Transactions on Computational Logic},
  year    = {},
  pages   = {2000}
}
```

### Abstract

UNITY is an abstract formalism for proving properties of concurrent systems, which typically are expressed using guarded assignments [Chandy and Misra 1988]. UNITY has been mechanized in higher-order logic using Isabelle, a proof assistant. Safety and progress primitives, their weak forms (for the substitution axiom) and the program composition operator (union) have been formalized. To give a feel for the concrete syntax, the paper presents a few extracts from the Isabelle definitions and proofs. It discusses a small example, two-process mutual exclusion. A mechanical theory of unions of programs supports a degree of compositional reasoning. Original work on extending program states is presented and then illustrated through a simple example involving an array of processes.

### Citations

846 | The temporal logic of actions - Lamport - 1994
Citation Context: ...h has no effect on the state). Commands do not have to be deterministic; they have a simple relational semantics. UNITY includes a small fragment of temporal logic. While primitive compared with TLA [Lamport 1994] for instance, the formalism can express basic safety and progress properties. There is a set of elegant laws for proving such properties. Safety properties are expressed using the constrains operato...

764 | Parallel program design: a foundation - Chandy, Misra - 1988
Citation Context: ...c methods, which are inherently limited in scope. The present approach is to employ interactive proof while exploiting Isabelle's automatic tools to minimize the user's effort. Many classic examples [Chandy and Misra 1988] have been done with a modest effort. Elaborate Isabelle programming has not been required, merely the use of the builtin classical reasoner and simplifier. Another novelty is the use of set theory t...

525 | Introduction to HOL: a theorem proving environment for higher-order logic - Gordon, Melham - 1993
Citation Context: ...ng automatic methods may be, a general treatment requires formal proof. A most impressive effort is HOL-UNITY [Andersen et al. 1994a], which implements classic UNITY and is based upon the HOL system [Gordon and Melham 1993]. It provides a good degree of automation and sports a graphical interface for proving progress properties using Owicki-Gries proof lattices [Andersen et al. 1994b]. Also using HOL, Prasetya [1995] h...

429 | Isabelle: A Generic Theorem Prover - Paulson - 1994
Citation Context: ...e present paper concerns a recent version of the UNITY formalism [Misra 1995a; Misra 1995b]. It describes preliminary experiments in reasoning about UNITY using the interactive proof system Isabelle [Paulson 1994]. A novel aspect of the work is its combination of interactive and automatic theorem-proving. Much recent research concerns fully automatic methods, which are inherently limited in scope. The present...

426 | The Inductive Approach to Verifying Cryptographic Protocols - Paulson - 1998
Citation Context: ...orems proved with 46 tactic calls, and it runs in eight seconds. Mechanizing this example took me four days. UNITY can also be applied to the verification of security protocols. The inductive method [Paulson 1998] maps into UNITY straightforwardly, using the same theory of messages and trace model. The inductive definition is replaced by a UNITY program, replacing the rules by actions. (Thus, the program has ...

44 | Eliminating the Substitution Axiom from UNITY logic - Sanders - 1991

40 | A generic tableau prover and its integration with Isabelle - Paulson - 1998
Citation Context: ... 2). Isabelle provides powerful automatic tactics. The simplifier performs conditional, contextual and permutative rewriting. The classical reasoner (Blast tac) proves subgoals using tableau methods [Paulson 1999]. It is generic, applying user-supplied rules such as (1) above and UNITY rules. Auto tac attempts to prove as many subgoals as possible, using both the simplifier and the classical reasoner. An arit...

32 | A logic for concurrent programming: Progress - Misra - 1995
Citation Context: ...ifficult. Many formalisms have been introduced for this purpose, some involving hand methods and others supported by various tools. The present paper concerns a recent version of the UNITY formalism [Misra 1995a; Misra 1995b]. It describes preliminary experiments in reasoning about UNITY using the interactive proof system Isabelle [Paulson 1994]. A novel aspect of the work is its combination of interactive ...

32 | A logic for concurrent programming: Safety - Misra - 1995
Citation Context: ...ifficult. Many formalisms have been introduced for this purpose, some involving hand methods and others supported by various tools. The present paper concerns a recent version of the UNITY formalism [Misra 1995a; Misra 1995b]. It describes preliminary experiments in reasoning about UNITY using the interactive proof system Isabelle [Paulson 1994]. A novel aspect of the work is its combination of interactive ...

19 | Towards a compositional approach to the design and verification of distributed systems - Charpentier, Chandy - 1999

17 | Program verification using HOL-UNITY - Andersen, Petersen, et al.
Citation Context: ...ams automatically, using decision procedures for example [Thirioux 1998]. However promising automatic methods may be, a general treatment requires formal proof. A most impressive effort is HOL-UNITY [Andersen et al. 1994a], which implements classic UNITY and is based upon the HOL system [Gordon and Melham 1993]. It provides a good degree of automation and sports a graphical interface for proving progress properties u...

16 | Mechanizing set theory. Cardinal arithmetic and the axiom of choice - Paulson, Grabczewski - 1996

9 | A modular coding of UNITY in Coq - Cregut
Citation Context: ...s satisfied. Classic UNITY [Chandy and Misra 1988] includes only deterministic actions, with nondeterminism arising only in the choice of action. Accordingly, some researchers [Andersen et al. 1994a; Heyd and Crégut 1996] model actions as total functions over the state space. If there is a guard, then the function behaves as the identity unless the guard is satisfied. Thus we have the odd situation that the following...

6 | Interactive Verification Exploiting Program Design Knowledge: A Model-Checker for UNITY - Kaltenbach - 1996

5 | A family of 2-process mutual exclusion algorithms - Misra - 1990

4 | A Graphical Tool for Proving UNITY Progress - Andersen, Petersen, et al. - 1994
Citation Context: ...ams automatically, using decision procedures for example [Thirioux 1998]. However promising automatic methods may be, a general treatment requires formal proof. A most impressive effort is HOL-UNITY [Andersen et al. 1994a], which implements classic UNITY and is based upon the HOL system [Gordon and Melham 1993]. It provides a good degree of automation and sports a graphical interface for proving progress properties u...

3 | Asynchronous compositions of programs. At URL ftp://ftp.cs.utexas.edu/pub/psp/unity/new unity/composition.ps.Z - Misra - 1994
Citation Context: .... (9) i∈I Fi I have also proved some of Misra's laws relating safety and progress, such as: if F ∈ stable(A) and G ∈ A ensures B then F ⊔ G ∈ A ensures B, and used them in a small example, the handshake protocol [Misra 1994, §5.3.2]. Section 11 will present a small example of inheritance of a progress property. 10. PROGRAM STATES As mentioned in §5, the formalization does not specify a particular representation of progr...

2 | Program composition in COQ-UNITY - Marques

2 | Mechanically supported design of self-stabilising algorithms - Prasetya - 1995

1 | Reasoning about program composition. Preprint - Chandy, Sanders - 1998

1 | A correction on "A family of 2-process mutual exclusion algorithms" - Dappert-Farquhar - 1990

1 | A modular coding of UNITY in Coq. In J. von - Heyd, Crégut - 1996
Citation Context: ...s satisfied. Classic UNITY [Chandy and Misra 1988] includes only deterministic actions, with nondeterminism arising only in the choice of action. Accordingly, some researchers [Andersen et al. 1994a; Heyd and Crégut 1996] model actions as total functions over the state space. If there is a guard, then the function behaves as the identity unless the guard is satisfied. Thus we have the odd situation that the following...

1 | Mechanizing UNITY in Isabelle · 27 - Misra - 1990

1 | Automatically proving Unity safety properties with arrays and quantifiers - Thirioux - 1998
Citation Context: ...ese objections, Kaltenbach [1996] has developed a model checker for UNITY. Others have investigated alternative means of verifying UNITY programs automatically, using decision procedures for example [Thirioux 1998]. However promising automatic methods may be, a general treatment requires formal proof. A most impressive effort is HOL-UNITY [Andersen et al. 1994a], which implements classic UNITY and is based upo...

1 | Reasoning about program composition. Available via http://www.cise.ufl.edu/~sanders/pubs/composition.ps - Chandy, Sanders - 1998