Although formal methods have been successfully applied in various industrial applications, their use in software development is still restricted to individual case studies. To overcome this situation we aim at a methodology for an evolutionary formal software development which allows for a stepwise and incremental development process along the line of rapid prototyping. The approach is based on work on a formal management of change for formal developments which is able to maintain proofs when changing specifications.

In order to obtain a semantic foundation for heterogeneous specification, we extend Diaconescu's morphism-based Grothendieck institutions to the case of comorphisms. This is not just a dualization, because we obtain more general results, especially concerning amalgamation properties. We also introduce a proof calculus for structured heterogeneous speci cations and study its soundness and completeness (where amalgamation properties play a r^ole for obtaining the latter).

For the recently developed specification language Casl, there exist two different kinds of proof support: while HOL-Casl has its strength in proofs about specifications in-the-small, Maya has been designed for management of proofs in (Casl) specifications in-the-large, within an evolutionary formal software development process involving changes of specifications. In this work, we discuss our integration of HOL-Casl and Maya into a powerful system providing tool support for Casl, which will also serve as a basis for the integration of further proof tools.

on in-the-large to exploit the structure of the speci cation, and maintains the veri cation work already done when changing the speci cation. Maya relies on development graphs as a uniform representation of structured speci cations, which enables the use of various (structured) speci cation languages like Casl [3] and Vse-Sl [10] to formalise the software development. To this end Maya provides a generic interface to plug in additional parsers for the support of other speci cation languages. Moreover, Maya allows the integration of dierent theorem provers to deal with the actual proof obligations arising from the speci cation, i.e. to perform veri cation in-the-small. Textual speci cations are translated into a structured logical representation called a development graph [1, 4], which is based on the notions of consequence relations and morphisms and makes arising proof obligations explicit. The user can tackle these proof obligations with the help of theorem provers connecte

Abstract. Development graphs are a tool for dealing with structured specifications in a formal program development in order to ease the management of change and reusing proofs. Often, different aspects of a software system have to be specified in different logics, since the construction of a huge logic covering all needed features would be too complex to be feasible. Therefore, we introduce heterogeneous development graphs as a means to cope with heterogeneous specifications. We cover both the semantics and the proof theory of heterogeneous development graphs. A proof calculus can be obtained either by combining proof calculi for the individual logics, or by representing these in some “universal ” logic like higher-order logic in a coherent way and then “borrowing” its calculus for the heterogeneous language. 1

We provide a semantic basis for heterogeneous specifications that not only involve different logics, but also different kinds of translations between these. We show that Grothendieck institutions based on spans of (co)morphisms can serve as a unifying framework providing a simple but powerful semantics for heterogeneous specification.

Abstract not found

The development of industrial-size software is an evolutionary process based on structured specifications. In a formal setting, specification and verification are intertwined. Specifications are amended either to add new functionality or to fix bugs detected during the verification process. In this paper we propose a system to maintain the verification of formal developments. It exploits the structure of the specification to reveal and eliminate redundant proof obligations and therefore constitutes itself a verification system in-the-large. Proofs in this system are represented as explicit proof objects allowing the system to adjust or reuse them in case the specification is changed.

As the first of two methodological devices aimed at increasing the trust in the `correctness' of a specification, we develop a calculus for proving consistency of Casl specifications. It turns out to be possible to delegate large parts of the proof load to syntactical criteria by structuring consistency proofs along the given specification structure, so that only in rather few remaining focus points, actual theorem proving is required. The practical usability of the resulting calculus is demonstrated by extensive examples taken from the Casl library of basic data types.

The year 2004 marks the fiftieth birthday of the first computer generated proof of a mathematical theorem: “the sum of two even numbers is again an even number” (with Martin Davis’ implementation of Presburger Arithmetic in 1954). While Martin Davis and later the research community of automated deduction used machine oriented calculi to find the proof for a theorem by automatic means, the Automath project of N.G. de Bruijn – more modest in its aims with respect to automation – showed in the late 1960s and early 70s that a complete mathematical textbook could be coded and proof-checked by a computer. Classical theorem proving procedures of today are based on ingenious search techniques to find a proof for a given theorem in very large search spaces – often in the range of several billion clauses. But in spite of many successful attempts to prove even open mathematical problems automatically, their use in everyday mathematical practice is still limited. The shift