Results 1 - 7 of 7
Robust Composition: Towards a Unified Approach to Access Control and Concurrency Control, 2006
Cited by 43 (5 self)
Abstract
Permission is hereby granted to make and distribute verbatim copies of this document without royalty or fee. Permission is granted to quote excerpts from this document provided the original source is properly cited. When separately written programs are composed so that they may cooperate, they may instead destructively interfere in unanticipated ways. These hazards limit the scale and functionality of the software systems we can successfully compose. This dissertation presents a framework for enabling those interactions between components needed for the cooperation we intend, while minimizing the hazards of destructive interference. Great progress on the composition problem has been made within the object paradigm, chiefly in the context of sequential, single-machine programming among benign components. We show how to extend this success to support robust composition of concurrent and potentially malicious components distributed over potentially malicious machines. We present E, a distributed, persistent, secure programming language, and CapDesk, a virus-safe desktop built in E, as embodiments of the techniques we explain.
Agile Specifications, 2009
Cited by 4 (2 self)
Abstract
Traditional formal methods and modern agile methods are separated more by limitations of current technology than by fundamental intellectual differences. A mixed interpreter that executes mixed programs, comprising both declarative specification statements and regular imperative statements, might bridge the gap. This paper explores how such an interpreter might be used, showing by example how it might support a variety of development activities.
Theory for Software Verification, 2009
Cited by 1 (0 self)
Abstract
Semantic models are the basis for specification and verification of software. Operational, denotational, and axiomatic or algebraic methods offer complementary insights and reasoning techniques which are surveyed here. Unifying theories are needed to link models. Also considered are selected programming features for which new models are needed.
Reasoning About Linear Systems, In SEFM’07, 2007
Cited by 1 (1 self)
Abstract
We consider reasoning about linear systems expressed as block diagrams in a general relational setting. Using the notion of additive relation borrowed from homological algebra, the theory of weakest pre-conditions for these systems turns out to be very tractable and gives simple Hoare-style rules for the block diagram constructors. Many natural choices for the logical language used to express properties of linear systems admit a high degree of automation. We show by example how the rules can be used to inform development of a proof while a decision procedure automates the routine work.
Progress and Challenges, 2009
Abstract
A central objective of the verifying compiler grand challenge is to develop a push-button verifier that generates proofs of correctness in a syntax-driven fashion similar to the way an ordinary compiler generates machine code. The software developer’s role is then to provide suitable specifications and annotated code, but otherwise to have no direct involvement in the verification step. The general mathematical developments and results upon which software correctness is based are established through a separate formal proof process. Current versions of the RESOLVE verifier generate verification conditions (VCs) for the correctness of component-based software in a modular fashion — one component at a time. The VCs are currently verified using automated capabilities of the Isabelle proof assistant and some specialized decision procedures. Initial experiments with the tools and further analytic considerations show both the progress that has been made and the challenges that remain.
Formal Aspects of Computing Are the Logical Foundations of Verifying Compiler Prototypes Matching User Expectations?
Abstract
The Verifying Compiler (VC) project proposals suggest that mainstream software developers are its targeted end-users. Like other software engineering efforts, the VC project's success depends on appropriate end-user consultation. Industrial use of program assertions for the purpose of Run-time Assertion Checking (RAC) is becoming commonplace. A likely next step on the path to VC adoption is the use of assertions in Extended Static Checking (ESC), a fully automated form of Static Program Verification (SPV). Unfortunately, all current VC prototypes supporting SPV adopt a semantics which is unsound relative to the standard run-time interpretation of assertions. In this article, we report on the results of a survey in which we asked industrial developers what logical semantics they want program assertions to have, and whether consistency across RAC and SPV tools is important. Survey results indicate that developers are in favor of a semantics for assertions that is compatible with their current use in RAC.
Added entries UNIVERSITY OF NEWCASTLE UPON TYNE, 1216
Abstract
The proof obligations generated from many formal methods tend to be simple and can often be discharged by modern automatic theorem provers or SMT systems. However, those proof tasks that need hand or interactive intervention present a barrier to the use of formal methods. Theorem proving was one of the earliest challenges addressed by researchers in the area of Artificial Intelligence, and enormous progress has been made in the provision of general-purpose heuristics. The approach in the recently started AI4FM project is different: we hope to devise a system that will learn from an expert user how they tackle one interactive proof and then apply the discovered high-level strategy to other related proof tasks. We are fortunate in having access to many such problems through the DEPLOY project but are aware of the dangers of devising an overly specific approach. This short paper appeals for challenge problems from other sources. © 2010 University of Newcastle upon Tyne.