Treating partiality in a logic of total functions
The Computer Journal, 1997
Cited by 8 (0 self)
The need to use partial functions arises frequently in formal descriptions of computer systems. However, most proof assistants are based on logics of total functions. One way to address this mismatch is to invent and mechanize a new logic. Another is to develop practical workarounds in existing settings. In this paper we take the latter course: we survey and compare methods used to support partiality in a mechanization of a higher order logic featuring only total functions. The techniques we discuss are generally applicable and are illustrated by relatively large examples.
Interactive Proof Critics
1999
Cited by 7 (0 self)
The key to a successful proof often lies within the analysis of failed proof attempts. Motivated by this observation we have developed and evaluated an interface to an inductive theorem prover which supports a collaborative style of failure analysis. Our work builds upon an automatic proof patching mechanism and extends the capabilities of an existing theorem proving interface. Our approach is multi-disciplinary: we draw upon work from both the automated theorem proving and human-computer interaction communities. 1. Introduction The benefits of theorem proving are recognized by formal methods practitioners [AF97] and have borne fruit within niche markets [CW96]: "Theorem provers are increasingly being used today in the mechanical verification of safety-critical properties of hardware and software designs." General purpose theorem provers remain, however, primarily the tool of the academic researcher. This is particularly true of provers which support inductive proof [BM88, KM97, B...
On the Verification of VDM Specification and Refinement with PVS
Proof in VDM: Case Studies, FACIT (Formal Approaches to Computing and Information Technology), chapter 6, 1997
Cited by 6 (2 self)
Although the formal method VDM has been in existence since the 1970s, there are still no satisfactory tools to support verification in VDM. This paper deals with one possible means of approaching this problem by using the PVS theorem prover. It describes a translation of a VDM-SL specification into the PVS specification language using, essentially, the very transparent translation methods described in [1]. PVS was used to typecheck the specification and to prove some non-trivial validation conditions. Next, a more abstract specification of the same system was also expressed in PVS, and the original specification was shown to be a refinement of this one. The drawbacks of the translation are that it must be done manually (though automation may be possible), and that the "shallow embedding" technique which is used does not accurately capture the proof rules of VDM-SL. The benefits come from the facts that the portion of VDM-SL which can be represented is substantial and that it is a grea...
A Proof Obligation Generator for VDM-SL
In FME'97, LNCS 1313, 1997
Cited by 6 (2 self)
In this paper an extension of the IFAD VDM-SL Toolbox with a proof obligation generator is described. Static type checking in VDM is undecidable in general and therefore the type checker must be incomplete. Hence, for the "difficult" parts introducing undecidability, it is up to the user to verify the consistency of a specification. Instead of providing error messages and warnings, the approach of generating proof obligations for the consistency of VDM-SL specifications is taken. The overall goal of this work is to automate the generation of proof obligations for VDM-SL. Proof obligation generation has already been carried out for a number of related notations, but VDM-SL contains a number of challenging constructs (e.g. patterns, non-disjoint union types, and operations) for which new research is presented in this paper. 1 Introduction During the last few years the interest in formal software development has been growing rapidly. One of the main reasons for this is the availability...
Towards an Integrated CASE and Theorem Proving Tool for VDM-SL
In FME'97, Springer-Verlag LNCS, 1997
Cited by 5 (1 self)
While CASE tools for formal methods have been relatively successful in industry, the uptake of theorem proving technology has been quite slow. This suggests that more focus should be put on specification notations and pragmatic features of existing CASE tools in building proof support tools. This paper presents a prototype integrated CASE/TP tool which combines the benefits of a general-purpose theorem prover called Isabelle with those of a commercial CASE tool for the VDM-SL formal specification language, the IFAD VDM-SL Toolbox. The integrated tool supports pragmatic test and rigorous proof at the same time. Moreover, the tool supports proofs in the notation of the CASE tool by handling "difficult" constructs such as patterns and cases expressions in an untraditional way using reversible transformations. 1 Introduction CASE tools for formal software development support the validation of specifications through static checks and animation. Proofs can add rigor to the software ...
Structural Embeddings: Mechanization with Method
1999
Cited by 4 (1 self)
The most powerful tools for analysis of formal specifications are general-purpose theorem provers and model checkers, but these tools provide scant methodological support. Conversely, those approaches that do provide a well-developed method generally have less powerful automation. It is natural, therefore, to try to combine the better-developed methods with the more powerful general-purpose tools. An obstacle is that the methods and the tools often employ very different logics. We argue that methods are separable from their logics and are largely concerned with the structure and organization of specifications. We propose a technique called structural embedding that allows the structural elements of a method to be supported by a general-purpose tool, while substituting the logic of the tool for that of the method. We have found this technique quite effective and we provide some examples of its application. We also suggest how general-purpose systems could be restructured ...
Transforming RSL into PVS
2002
Cited by 3 (3 self)
... conceptually. In that case these differences become a challenge and we are obliged to solve theoretical problems before the transformation can be done. We describe in this report some of these problems and how they can be overcome, illustrating the problematic issues using two formal languages: RSL and PVS. Both PVS and RSL are formal languages that can be used to write formal specifications of complex software systems. Although both languages have some similarities, they differ in aspects that are crucial: RSL is a much bigger language than PVS and moreover has several constructs that make the languages substantially, and in some cases conceptually, different (partial as well as total functions against only total ones, etc.). The description here includes solutions to some of these problems as well as the details of the design of a tool that automatically translates RSL into PVS. There is an added benefit to this, namely the fact that although both methods have a prover tool, PVS's is free, so a translator from RSL to PVS would allow a specification written in RSL to be proved in PVS using the freely available PVS prover.
On the Integration of Formal Methods: Events and Scenarios in PVS and VDM
1999
Cited by 2 (1 self)
Tool support is known to be one of the success factors in formal specification based analysis and program development. This paper investigates tool support in the context of a case study where a wide range of tool features is required: for an access control, C++ code has to be developed based on the user's requirements expressed in natural language. The access control has been classified as a mixed data-control problem. This paper discusses (1) why VDMTools and PVS have been selected and (2) how they can be used together. Another aspect is the use of VDM as a framework for modeling event based systems. In our approach to tool integration, two specifications are considered to share a common part. For the present application this part consists of the scenario of all possible events. 1 Introduction 1.1 An Access Control as a Case Study CSS is a security system which has been developed by ARCS (the Austrian Research Center at Seibersdorf [32]). CSS includes features from digital vi...
Simulating Term-Rewriting in LPF and in Display Logic
1997
Cited by 1 (1 self)
We show how the convenience and power of term-rewriting can sometimes be obtained in logical systems which do not explicitly have this capability. We consider the Logic of Partial Functions, and show how an undefined term can often be rewritten to a defined term. Although LPF and Display Logic are unrelated, we also show how Display Logic effectively allows rewrite-style simplifications, although the logic has no axiom or rule permitting this (or indeed any notion of equality). We then describe how these "rewrite" procedures are implemented in Isabelle, using HOL-style conversionals. Keywords: term rewriting, logic of partial functions, undefined terms, display logic 1 Introduction The convenience of proof by term-rewriting is demonstrated by the theorem provers which rely wholly or primarily upon it (e.g. Larch [13]), and by the prominent place that rewriting tactics have in provers such as Isabelle [18] and HOL [9]. The Logic of Partial Functions (LPF) handles undefined terms, and i...
National Aeronautics and
2000
Design and implementation of a digital feedback controller for a flow control experiment was performed. The experiment was conducted in a cryogenic pressurized wind tunnel on a generic separated configuration at a chord Reynolds number of 16 million and a Mach number of 0:25. The model simulates the upper surface of a 20% thick airfoil at zero angle-of-attack. A moderate favorable pressure gradient, up to 55% of the chord, is followed by a severe adverse pressure gradient which is relaxed towards the trailing edge. The turbulent separation bubble, behind the adverse pressure gradient, is then reduced by introducing oscillatory flow excitation just upstream of the point of flow separation. The degree of reduction in the separation region can be controlled by the amplitude of the oscillatory excitation. A feedback controller was designed to track a given trajectory for the desired degree of flow reattachment and to improve the transient behavior of the flow system. Closed-loop experiments demonstrated that the feedback controller was able to track step input commands and improve the transient behavior of the open-loop response.