A Formal Model of Asynchronous Communication and Its Use in Mechanically Verifying a Biphase Mark Protocol
- Formal Aspects of Computing, 1992
Abstract - Cited by 35 (5 self)
In this paper we present a formal model of asynchronous communication as a function in the Boyer-Moore logic. The function transforms the signal stream generated by one processor into the signal stream consumed by an independently clocked processor. This transformation "blurs" edges and "dilates" time due to differences in the phases and rates of the two clocks and the communications delay. The model can be used quantitatively to derive concrete performance bounds on asynchronous communications at ISO protocol level 1 (physical level). We develop part of the reusable formal theory that permits the convenient application of the model. We use the theory to show that a biphase mark protocol can be used to send messages of arbitrary length between two asynchronous processors. We study two versions of the protocol, a conventional one which uses cells of size 32 cycles and an unconventional one which uses cells of size 18. Our proof of the former protocol requires the ratio of the clock rates of the two processors to be within 3% of unity. The unconventional biphase mark protocol permits the ratio to vary by 5%. At nominal clock rates of 20MHz, the unconventional protocol allows transmissions at a burst rate of slightly over 1MHz. These claims are formally stated in terms of our model of asynchrony; the proofs of the claims have been mechanically checked with the Boyer-Moore theorem prover, NQTHM. We conjecture that the protocol can be proved to work under our model for smaller cell sizes and more divergent clock rates but the proofs would be harder. Known inadequacies of our model include that (a) distortion due to the presence of an edge is limited to the time span of the cycle during which the edge was written, (b) both clocks are assumed to be linear functions of time (i....
Lazy Compositional Verification
- In this volume, 1998
Abstract - Cited by 12 (0 self)
Existing methodologies for the verification of concurrent systems are effective for reasoning about global properties of small systems. For large systems, these approaches become expensive both in terms of computational and human effort. A compositional verification methodology can reduce the verification effort by allowing global system properties to be derived from local component properties. For this to work, each component must be viewed as an open system interacting with a well-behaved environment. Much of the emphasis in compositional verification has been on the assume-guarantee paradigm where component properties are verified contingent on properties that are assumed of the environment. We highlight an alternate paradigm called lazy composition where the component properties are proved by composing the component with an abstract environment. We present the main ideas underlying lazy composition along with illustrative examples, and contrast it with the assume-gu...
The Specification and Verified Decomposition of System Requirements Using CSP
- IEEE Transactions on Software Engineering, 1990
Abstract - Cited by 11 (3 self)
An important principle of building trustworthy systems is to rigorously analyze the critical requirements early in the development process, even before starting system design. Existing proof methods for systems of communicating processes focus on the bottom-up composition of component-level specifications into system-level specifications. Trustworthy system development requires, instead, the top-down derivation of component requirements from the critical system requirements. This paper describes a formal method for decomposing the requirements of a system into requirements of its component processes and a minimal, possibly empty, set of synchronization requirements. The Trace Model of Hoare's Communicating Sequential Processes (CSP) is the basis for the formal method. We apply the method to an abstract voice transmitter and describe the role that the EHDM verification system plays in the transmitter's decomposition. In combination with other verification techniques, we expect that the ...
1001 Reasons for not Proving Programs Correct: A Survey
- Computer Science Dept, Clemson University, steve@wayne.cs.clemson.edu, 1990
Abstract - Cited by 2 (1 self)
this article is taken as the beginning of the "verificationist" movement. In another article [30], Hoare proposed that the program and the proof of correctness could be developed simultaneously. The basic program verification or program correctness concepts are simple to present. Suppose we have program P written in some programming language. This program is supposed to compute some final values, say F, given some initial values, say I. I is called an input specification and F is called an output specification. A program may or may not terminate for a given argument. A program which terminates for every possible input value and always computes the prescribed answer is called totally correct, or just correct. A program which, if it terminates, does indeed compute the correct answer is called partially correct [45]. There have been several approaches to verification proposed. For this paper, we need not delve into these different approaches. There are many texts in this area and several are listed in the bibliography [5, 21, 22, 45]. In principle, it seems that the concepts of program proofs should be straightforward and relatively easy to apply. The hope has been to put programming on some firm, logical basis. Proponents of this approach to programming point to the use of proofs in mathematics. By suitably defining the actions of the programming language (now part of programming language semantics) and proper specification of the input and output (now formal methods of specification), every program would have a proof of correctness. Unfortunately, the verification technology has been disappointing. By 1979, several important advances in verification technology had taken place; e.g., Manna [38] and Manna and Pnueli [38] as well as many contributions by Hoare [31]. In 1979...
PROSPECTUS - Sound Foundations for Effective Proofs of Programs
Abstract
When considering the correctness of programs, the only absolute demonstration of quality is mathematical proof. Yet the complexity of these proofs makes them all but impossible both to construct and to read, and the correctness of the proofs themselves comes into question. We take an approach to the creation of these proofs based on specifying an axiomatic semantics for the programming language, and using that semantics to automatically create a Verification Condition Generator, a program that takes a general program written in the language and creates the proof of that program, modulo a set of verification conditions, to be proven by hand. This automates much of the detailed work of creating the proof. Yet even this VCG technique depends on the soundness of the axiomatic semantics, and in fact, many proposed axiomatic semantics have suffered from unsoundness. We take the difficult but secure approach of foundationally defining an operational semantics of the programming language...
Methods and Logics for Proving
Abstract
this paper in HOARE & JONES [1989, pp. 45-58]). This paper introduced or revealed a number of ideas which originated an evolution of programming from arts and crafts to a science. Hoare logic had a very significant impact on program verification and design methods. It was an essential step in the emergence of "structured programming" in the 1970s. It is also an important contribution to the development of formal semantics of programming languages. Understanding that programs can be a subject of mathematical investigation was also crucial in the development of a theory of programming. This is reflected in the fact that HOARE [1969] is one of the most widely cited papers in computing science (see the bibliography of more than 350 references)

