Lecture Notes in Computer Science 1945 EditedbyG.Goos,J.HartmanisandJ.vanLeeuwen 3 Berlin Heidelberg NewYork Barcelona HongKong London Milan Paris Singapore Tokyo Wolfgang Grieskamp Thomas Santen Bill Stoddart (Eds.) Integrated Formal Methods Second International Conference, IFM 2000 Dagstuhl Castle, Germany, November 1-3, 2000 Proceedings 1 3 SeriesEditors GerhardGoos,KarlsruheUniversity,Germany JurisHartmanis,CornellUniversity,NY,USA JanvanLeeuwen,UtrechtUniversity,TheNetherlands VolumeEditors WolfgangGrieskamp ThomasSanten TUBerlin,Sekr.FR5-13bzw.5-6 Franklinstr.28-29,10587Berlin,Germany E-mail:{wg,santen}@cs.tu-berlin.de BillStoddart UniversityofTeesside SchoolofComputingandMathematics MiddlesbroughTS13BA,UK E-mail:[email protected] Cataloging-in-PublicationDataappliedfor DieDeutscheBibliothek-CIP-Einheitsaufnahme Integratedformalmethods:secondinternationalconference; proceedings/IFM2000,DagstuhlCastle,Germany,November1-3, 2000.WolfgangGrieskamp...(ed.).-Berlin;Heidelberg;NewYork; Barcelona;HongKong;London;Milan;Paris;Singapore;Tokyo: Springer,2000 (Lecturenotesincomputerscience;Vol.1945) ISBN3-540-41196-8 CRSubjectClassification(1998):F.3,D.3,D.2,D.1 ISSN0302-9743 ISBN3-540-41196-8Springer-VerlagBerlinHeidelbergNewYork Thisworkissubjecttocopyright.Allrightsarereserved,whetherthewholeorpartofthematerialis concerned,specificallytherightsoftranslation,reprinting,re-useofillustrations,recitation,broadcasting, reproductiononmicrofilmsorinanyotherway,andstorageindatabanks.Duplicationofthispublication orpartsthereofispermittedonlyundertheprovisionsoftheGermanCopyrightLawofSeptember9,1965, initscurrentversion,andpermissionforusemustalwaysbeobtainedfromSpringer-Verlag.Violationsare liableforprosecutionundertheGermanCopyrightLaw. Springer-VerlagBerlinHeidelbergNewYork amemberofBertelsmannSpringerScience+BusinessMediaGmbH ©Springer-VerlagBerlinHeidelberg2000 PrintedinGermany Typesetting:Camera-readybyauthor,dataconversionbyPTP-Berlin,StefanSossna Printedonacid-freepaper SPIN:10780898 06/3142 543210 Preface IFM 2000, the second in a series of international conferences on Integrated For- mal Methods, was held at the 18th-century chaˆteau of Schloss Dagstuhl, Saar- land, Germany, from the 1st to the 3rd of November 2000. The conference programme consisted of invited talks from Sir Tony Hoare FRS and Wolfram Schulte, along with 22 papers selected from 58 submissions. Applying formal methods may involve the modelling of different aspects of a system that are expressed through different paradigms. This motivates us to research the combination of different viewpoints of a system, either by the creation of hybrid notations, by extending existing notations, by translating between notations, or by incorporating a wider perspective with the innovative use of an existing notation. The integration of formal methods promises great benefits to systems mo- delling and software development. Regardless of the approach taken, however, significant issues can arise in areas such as semantic integration, the tractabi- lity of our notations, the integration of tool support, the integration of proof systems, consistency, and completeness. Issues arise equally in our conceptuali- sation of systems at different levels of abstraction and the development of these conceptualisations through the process of refinement. ThestatedthemeofIFM’99wastheintegrationofstate-basedandbehaviou- ral formalisms. For IFM 2000 this was widened, and the submitted papers have been grouped in five technical sessions, covering the linking and extending of notations, methodology, the foundation of one formalism in another, semantics, and aspects of verification and validation. We hope that these proceedings will be of benefit both to the conference participantsandtothewidercommunityofworkersinthefield.Theproduction of these proceedings would not have been possible without the invaluable help of the programme committee and external referees, and of all the contributors who submitted papers to the conference. November 2000 Wolfgang Grieskamp Thomas Santen Bill Stoddart Organization Wolfgang Grieskamp, Technical University of Berlin, Germany Thomas Santen, Technical University of Berlin, Germany Bill Stoddart, University of Teesside, UK Program Committee Keijiro Araki (Kyushu, Japan) Mike Hinchey (Omaha, USA) Didier Bert (Grenoble, France) Bernd Krieg-Bru¨ckner Egon Bo¨rger (Pisa, Italy) (Bremen, Germany) Jonathan Bowen (London, UK) Michel Lemoine (Toulouse, France) Micheal Butler (Southampton, UK) Shaoying Liu (Hiroshima, Japan) Jim Davies (Oxford, UK) John McDermid (York, UK) John Derrick (Kent, UK) Dominique M´ery (Nancy, France) Jin Song Dong (Singapore) Thomas Santen (Berlin, Germany) Heiko Do¨rr (Berlin, Germany) Steve Schneider (London, UK) John Fitzgerald (Newcastle, UK) Wolfram Schulte (Redmond, USA) Andy Galloway (York, UK) Jane Sinclair (Warwick, UK) Chris George (Macao) Graeme Smith (Brisbane, Australia) Wolfgang Grieskamp Bill Stoddart (Teesside, UK) (Berlin, Germany) Kenji Taguchi (Uppsala, Sweden) Henri Habrias (Nantes, France) W J (Hans) Toetenel (Delft, Holland) Susumu Hayashi (Kobe, Japan) Heike Wehrheim Maritta Heisel (Magdeburg, Germany) (Oldenburg, Germany) Additional Reviewers Richard Banach Dang van Hung Mark Saaltink Christie Bolton Tomasz Janowski Holger Schlingloff Dominique Cansell Markus Lepper Carron Shankland David Carrington Liu Jing Kim Soon-Kyeong Marc Cavazza Brendan Mahony Carsten Su¨hl Michael Cebulla Stephan Merz Ulrich Ultes-Nitsche Steve Dunne Michael Meyer Jacob Wieland Carla Ferreira zu Hoerste Qiwen Xu Dennis Furey Tim Mossakowski Hirokazu Yatsu He Jifeng Steve Paynter Shoji Yuen Monika Heiner Jean-Claude Reynaud Steffen Helke Dean Rosenzweig Table of Contents Invited Talk Assertions......................................................... 1 Tony Hoare Linking and Extending Notations State-Based Extension of CASL...................................... 3 Hubert Baumeister and Alexandre Zamulin Linking DC Together with TRSL .................................... 25 Anne Elisabeth Haxthausen and Xia Yong Formalizing Timing Diagrams as Causal Dependencies for Verification Purposes.......................................................... 45 J¨org Fischer and Stefan Conrad A Process Compensation Language................................... 61 Michael Butler and Carla Ferreira Activity Graphs and Processes....................................... 77 Christie Bolton and Jim Davies Structuring Real-Time Object-Z Specifications......................... 97 Graeme Smith and Ian Hayes ISpec: Towards Practical and Sound Interface Specifications ............ 116 Hans B.M. Jonkers Methodology Cooperation of Formal Methods in an Engineering Based Software Development Process ............................................... 136 Yamine Ait-Ameur Developing Control Systems Components ............................. 156 Luigia Petre and Kaisa Sere Specification and Analysis of Automata-Based Designs.................. 176 Jeremy Bryans, Lynne Blair, Howard Bowman, and John Derrick Structural Refinement in Object-Z / CSP ............................. 194 John Derrick and Graeme Smith X Table of Contents TowardsaUnifiedDevelopmentMethodologyforShared-VariableParallel and Distributed Programs........................................... 214 Ju¨rgen Dingel Foundation of One Formalism by Another Construction of Finite Labelled Transition Systems from B Abstract Systems ..........................................................235 Didier Bert and Francis Cave μ-Charts and Z: Hows, Whys, and Wherefores ......................... 255 Greg Reeve and Steve Reeves Combining Operational Semantics, Logic Programming and Literate Programming in the Specification and Animation of theVerilog Hardware Description Language .............................................. 277 Jonathan P. Bowen Invited Talk Why Doesn’t Anyone Use Formal Methods? ........................... 297 Wolfram Schulte Semantics How to Write a Healthiness Condition ................................ 299 Yifeng Chen A Concurrent and Compositional Petri Net Semantics of Preemption ..... 318 Hanna Klaudel and Franck Pommereau Verification and Validation An Approach to Symbolic Test Generation ............................ 338 Vlad Rusu, Lydie du Bousquet, and Thierry J´eron Behavioral Conformance Verification in an Integrated Approach Using UML and B ....................................................... 358 Eric Meyer and Thomas Santen Predicate Diagrams for the Verification of Reactive Systems ............ 380 Dominique Cansell, Dominique M´ery, and Stephan Merz Modular Verification for a Class of PLTL Properties ................... 398 Pierre-Alain Masson, Hassan Mountassir, and Jacques Julliand Towards Model Checking Stochastic Process Algebra ................... 420 Holger Hermanns, Joost-Pieter Katoen, Joachim Meyer-Kayser, and Markus Siegle Author Index................................................... 441 Assertions Tony Hoare Senior Researcher Microsoft Research Ltd. 1 Guildhall St., Cambridge, CB2 3NH [email protected] An assertion is a Boolean formula written in the text of a program, which the programmer asserts will always be true when that part of the program is executed. It specifies an internal interface between that part of the program that comes before it and all that follows it. In the software industry today, assertions are conditionally compiled in test runs of a program, and help in the detection and diagnosis of errors. Alan Turing first proposed assertions as a means of checking a large routine. They were rediscovered independently by Naurasgeneralisedsnapshots,andbyFloyd,whousedthemtoassignmeanings toprograms. Floyd suggested that if theinternal assertionswerestrongenough, they would constitute a formal proof of the correctness of a complete program. In this lecture, I will summarise the subsequent development of the idea, and describe some of its practical impact. In the early seventies, I developed an axiomatic approach for proofs of pro- grams that use all the main constructions of a high-level programming langu- age - iterations, local variables, procedures and parameters, recursion, and even jumps.FollowingDijkstra,Ialwaystookatop-downviewofthetaskofsoftware construction, with assertions formulated as part of program specification, and with proofs conducted as part of program design. I hoped that this research would help to reduce the high costs of programming error, and the high risks of using computers in critical applications. But the real attraction for me was that the axioms underlying program proofs would provide an objective and scientific test of the quality of programming language design: a language described by a small collection of obvious rules, easily applied, would be better than one that required many rules with complex side-conditions. In collaboration with Wirth, we tried out the idea on the Pascal language; and later it inspired the design of Euclid by a team in Xerox PARC. In scaling proof methods from small sequential algorithms to large software systems, it was necessary to extend the power of the assertion language. The Z specification language was developed by Abrial on the basis of Zermelo’s set theory, which Frankel showed to be essentially adequate for expression of all concepts known to mathematics. It should therefore be adequate to express all the abstractions useful to computing, and prove the correctness of their repre- sentations. Dijkstra dealt with non-determinism, by imagining the choice to be exercised maliciously by a demon. Jones and his fellow designers of VDM in- cluded initial as well as final values of program variables. All these ideas were successfullytestedbyIBMinspecifyingtheinternalinterfacesofalargesystem, CICS. W.Grieskamp,T.Santen,andB.Stoddart(Eds.):IFM2000,LNCS1945,pp.1–2,2000. (cid:2)c Springer-VerlagBerlinHeidelberg2000