Willem-Paul de Roever
Kiel University | CAU · Department of Computer Science
Dr. in Applied Mathematics, Vrije Universiteit, Amsterdam
About
160 Publications
7,124 Reads
3,677 Citations
Publications (160)
Corinne and I congratulate you warmly on the many successful and fulfilled years you have behind you, and wish you and Hilda dearly many more such happy years to come!
This is the place to express my admiration for the continued high quality and scientific integrity of your scientific work through all these years. Frank de Boer and I, when speaking about you some while ago, came to the conclusion that you are a light beacon for both of us, you are a true Professors’ Professor, raising and maintaining the high sta...
Despite its maturity and popularity, the C programming language still lacks tool support for reliably performing even simple refactoring, browsing, or analysis operations. This is primarily due to identifier scope complications introduced by the C preprocessor. ...
In their seminal 1991 paper “What is in a Step: On the Semantics of Statecharts”, Pnueli and Shalev showed how, in the presence of global consistency and while observing causality, the synchronous language Statecharts can be given coinciding operational and declarative step semantics. Over the past decade, this semantics has been supplemented with...
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread-classes, allowing for a multithreaded flow of control. Besides that, the language offers a flexible exception mechanism for handling errors or exceptional program conditions. To reason about safety-properties of Java-programs and extending pre...
Software has become a central material of the information age. Innovative products and services are no longer conceivable without reliable software. Accordingly, the competitiveness of the German economy depends decisively on the ability to deliver software-intensive products and services with the highest q...
We define a compositional operational semantics for state machines and their composition in UML. Each state machine describes the behavior of an object of a class. If a class of a newly generated object is active, a new activity group, which is a singly-threaded collection of objects, is generated. Communication of state machines between activity g...
In this paper we give an operational semantics and introduce an assertional proof system for exceptions in a multithreaded Java sublanguage.
Proofsystems for proving partial correctness of distributed processes which communicate through message-passing are discussed, using CSP as programming language. Of these the methods due to Levin & Gries [LG]; Apt, Francez & de Roever [AFR]; Lamport & Schneider [LS]; Soundararajan & Dahl [SD]; Zwiers, de Roever & van Emde Boas [ZRE] and Misra & Cha...
A general refinement methodology is presented based on ideas of Stark, and it is explained how these can be used for the systematic development of fault-tolerant systems. Highlights are: (1) A detailed and comprehensive exposition of Stark's temporal logic and development methodology. (2) A formalization of a general systematic approach to the deve...
We give a compositional denotational semantics for a real-time distributed language, based on the linear history semantics for CSP of Francez et al. Concurrent execution is not modelled by interleaving but by an extension of the maximal parallelism model of Salwicki, that allows the modelling of transmission time for communications. The importance...
The input-output behaviour of recursive program schemes with parameters called-by-name is expressed as a non-deterministic choice between calls of recursive program schemes with parameters called-by-value, and can therefore be expressed within first-order predicate logic extended with least fixed point operators.
Within the Dagstuhl Perspectives Workshop 05402 "Challenges for Software Engineering Research", leading software engineering professors characterized the current state of software engineering in Germany and derived recommendations for action for industry, research and politics. The manifesto summarizes these recommendations and the...
UML 2.0, which is the standard modeling language for object-oriented systems, has only an informally given semantics. This is in particular the case for UML 2.0 state machines, which are widely used for modeling the reactive behavior of objects. In this paper, a list of 29 newly detected trouble spots consisting of ambiguities, inconsistencies, and...
A perspective on program verification is presented from the point of view of a university professor who has been active over a period of 35 years in the development of formal methods and their supporting tools. He has educated until now approx. 25 Ph.D. researchers in those fields and has written two handbooks in the field of program verification,...
Parameterized refinement is a refinement technique for preserving specific linear time temporal logic properties during formal program development. In this paper, we describe a proof method for verifying that one program is a parameterized refinement of another program. Our method combines transduction, due to Jonsson, Pnueli, and Rump, for showing...
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread classes, allowing for a multithreaded flow of control. The concurrency model includes synchronous message passing, dynamic thread creation, shared-variable concurrency via instance variables, and coordination via reentrant synchronization mo...
We describe a compositional trace logic for behavioural interface specifications and corresponding proof rules for compositional reasoning. The trace logic is defined in terms of axioms in higher-order logic. This trace logic is applicable to any object-oriented programming language. We treat object creation without observing the explicit act of cr...
Hard real-time systems need methods to determine upper bounds for their execution times, usually called worst-case execution times. This paper explains the principles of our Timing-Analysis methods, which use Abstract Interpretation to predict the system’s behavior on the underlying processor’s components and use Integer Linear Programming to deter...
We present a theory for reasoning compositionally about behavioural interfaces for class-based object-oriented programs. Our contribution is an axiomatic characterisation of unbounded object creation in terms of communication traces over the visible operations of a class (its signature). This involves an abstraction from the actual explicit c...
Recently we proposed a mathematical framework offering diverse models of computation and a formal foundation for correct-by-construction deployment of synchronous designs over distributed architecture (such as GALS or LTTA). In this paper, we extend our framework to model explicitly causality relations and scheduling constraints. We show how the fo...
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread-classes, allowing for a multithreaded flow of control. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread crea...
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread classes. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread creation. To reason about safety properties of mu...
The research concerning Java’s semantics and proof theory has mainly focussed on various aspects of sequential sub-languages. Java, however, integrates features of a class-based object-oriented language with the notion of multi-threading, where multiple threads can concurrently execute and exchange information via shared instance variables. Further...
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread-classes, allowing for a multithreaded flow of control. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread creat...
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread-classes, allowing for a multithreaded flow of control. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread creat...
Specifications that are used in detailed design and in the documentation of existing code are primarily written and read by programmers. However, most formal specification languages either make heavy use of symbolic mathematical operators, which discourages use by programmers, or limit assertions to expressions of the underlying programming lan...
Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread-classes, allowing for a multithreaded flow of control. The concurrency model offers coordination via lock-synchronization, and communication by synchronous message passing, including re-entrant method calls, and by instance variables shared am...
Models in Information Processing", Vienna, January 30th - February 1st, 1985, E.J. Neuhold (ed.), North-Holland Publ. Comp. Part I: Concurrency based on shared variables. Willem P. de Roever Jr.
This paper introduces a semantic analysis of the Rely-Guarantee (R-G) approach to the compositional verification of shared-variable concurrency. The main contribution is a new completeness proof.
We investigate the semantic foundations of a compositional proof method for concurrent systems communicating via synchronous message passing. Basing ourselves on the inductive assertion method for local verification of synchronous transition diagrams which are composed both sequentially and in parallel, we present a compositional proof system that...
A family of formal semantics is given for the Essential Model of the Transformation Schema of Ward and Mellor using recent techniques developed for defining the semantics of Statecharts by Pnueli and Huizing. A number of ambiguities and inconsistencies in Ward and Mellor's original definition is resolved. The models developed closely resemble tho...
The goal of this book is to provide a comprehensive and systematic introduction to the important and highly applicable method of data refinement and the simulation methods used for proving its correctness. The authors concentrate in the first part on the general principles needed to prove data refinement correct. They begin with an explanation of t...
This paper focusses on the mathematical theory of state-based reasoning about program constructs solely through specifications of their parts, without any reliance on their implementation mechanism. That is, the semantic foundations of compositional state-based reasoning about concurrency. The main advantages of a purely semantic approach are that:...
This book originates from the International Symposium on Compositionality, COMPOS'97, held in Bad Malente, Germany in September 1997. The 25 chapters presented in revised full version reflect the current state of the art in the area of compositional reasoning about concurrency. The book is a valuable reference for researchers and professionals inte...
This book constitutes the Proceedings of the IFIP Working Conference PROCOMET'98, held 8-12 June 1998 at Shelter Island, N.Y. The conference is organized by the two IFIP TC 2 Working Groups 2.2 Formal Description of Programming Concepts and 2.3 Programming Methodology. WG2.2 and WG2.3 have been organizing these conferences every four years for o...
A new compositional logic for verifying safety properties of shared variable concurrency is presented, in which, in order to characterize infinite computations, a Hoare-style I/pre/post format is used where I expresses the communication interface, enabling the characterization of reactive programs. This logic relates to the Rely/Guarantee paradigm...
This paper presents a compositional proof system for shared-variable concurrency. The proof system is based on an assertion language which describes a computation, i.e. a sequence of state-changes, in terms of a qualitative notion of time represented by a discrete total well-founded ordering.
The IEEE P1394 Serial Bus standard provides high performance connections for data transfer between hardware components and is especially well suited for connecting multimedia devices. To achieve its mechanical verification, a high level specification is developed for the asynchronous part of the P1394 Link layer, using the verification tool PVS. We...
Compositional proof systems for shared variable concurrent programs can be devised by including the interference information in the specifications. The formalism falls into a category called rely-guarantee (or assumption-commitment), in which a specification is explicitly (syntactically) split into two corresponding parts. This paper summarises exist...
A dense temporal logic specification method for the development of reactive systems is introduced. The two development constructs of this method are refinement and composition. A reactive system is specified by a pair consisting of a machine and a condition on the computations of this machine. In order to compose such systems compositionally, each...
A survey is given of the main issues in compositional reasoning about state-based parallelism and of the history of their evolution, as reflected in the current literature. Compositional proof techniques are presented as the proof-theoretical analogue ...
A survey is given of the main issues in compositional reasoning about state-based parallelism and of the history of their evolution, as reflected in the current literature. Compositional proof techniques are presented as the proof-theoretical analogue of Dijkstra’s hierarchically-structured program development. Machine-support for compositional rea...
Our goal is the presentation of a uniform framework for compositional reasoning about the development of distributed processes and data structures. This framework should be a synthesis because, depending on the structure of the processes involved and the verification steps required, different formalisms are most suitable for carrying out one's rea...
Reuse of correctly specified software is crucial in bottom-up program development. Compositional specification formalisms have been designed to reduce the specification of a syntactically composed construct to specifications of its components, and therefore support top-down development methodology. Thus, the integration of reuse of correctly specifie...
Designers of network algorithms often give elegant informal descriptions of the intuition behind their algorithms (see [GHS83, Hum83, MeS79, Seg82, Seg83, ZeS80]). Usually these descriptions are structured as if subtasks are performed one after the other. Although these subtasks are performed sequentially from a logical point of view, they are perf...
A family of formal semantics is given for the Essential Model of the Transformation Schema of Ward & Mellor [WM85] using recent techniques developed for defining the semantics of Statecharts [Har88] by Pnueli and Huizing. The models developed closely resemble those used for synchronous languages [BG92]. Each model has its own application area, e.g....
A family of formal semantics is given for the Essential Model of the Transformation Schema of Ward & Mellor [WM85] using recent techniques developed for defining the semantics of Statecharts [Ha88] by Pnueli and Huizing. The models developed closely resemble those used for synchronous languages [Benveniste and Berry 92]. A number of ambiguities and...
The REX School/Symposium "A Decade of Concurrency - Reflections and Perspectives" was the final event of a ten-year period of cooperation between three Dutch research groups working on the foundations of concurrency. Ever since its inception in 1983, the goal of the project has been to contribute to the cross-fertilization between formal methods fr...
This volume presents the proceedings of the Third International Symposium on Formal Techniques in Real-Time and Fault-Tolerant Systems held jointly with the Working Group Provably Correct Systems (ProCoS) at Lübeck, Germany in September 1994. The book contains full versions of 5 invited talks and 33 carefully selected refereed contributions as well...
A general refinement methodology is presented based on ideas of E. Stark, and it is explained how these can be used for the systematic development of fault-tolerant systems. Highlights are: (1) a comprehensive exposition of Stark's temporal logic and development methodology; (2) a formalization of a general systematic approach to the development of...
By adding a new technique and a simple proof strategy to Abadi & Lamport's 1988 method [1] for proving refinement between specifications of distributed programs correct, the inherent limitation of their method, occurring when the abstract level of specification features so-called infinite invisible nondeterminism or internal discontinuity, can be s...
Statecharts is a behavioural specification language proposed for specifying large real-time, event-driven reactive systems. It is a graphical language based on state-transition diagrams for finite state machines extended with many features like hierarchy, concurrency, broadcast communication and time-out. We supply Statecharts with a compositional...
Formal methods to specify and verify concurrent programs with synchronous message passing are discussed. We stress the development towards compositional methods, i.e. methods in which the specification of a compound program can be inferred from specifications of its constituents without reference to the internal structure of those parts. Compositio...
Implementing a (concurrent) program P often requires changing the syntactic structure of P at various levels. We argue and illustrate that in such a situation a natural framework for implementation correctness requires a more general notion of refinement than that of [HHS87], a notion which involves the introduction of separate refinement relations...
The notion of reactive system and the language Statecharts are introduced. For the first time the rationale behind the design decisions of Statecharts is explained in relation to the specific nature of reactive systems.
In this survey we discuss three methods for program development, which incorporate data reification: VDM, Reynolds’ method, and Back’s method and develop a modest predicate transformer based framework to relate them. At first we consider partial correctness only, and discuss Reynolds’ method and a partial correctness version of VDM. Later we also c...
Statecharts is a behavioral specification language proposed for specifying large real-time, event driven, reactive systems. It is a graphical language based on state-transition diagrams for finite state machines extended with many features like hierarchy, concurrency, broadcast communication and time-out. By generating external events symbolically,...
The stepwise refinement method postulates a system construction route that starts with a high-level specification, goes through a number of provably correct development steps, and ends with an executable program. The contributions to this volume survey the state of the art in this extremely active research area. The world's leading specialists in c...
Various principles of proof have been proposed to reason about fairness. The question in what formalism such fairness arguments can be couched is addressed. To wit: we prove that Park’s monotone first-order μ-calculus, augmented with constants for all recursive ordinals, can serve as an assertion-language for proving fair termination of do-loops. In...
Designers of network algorithms give elegant informal descriptions of the intuition behind their algorithms (see [GHS83, Hu83, MS79, Se82, Se83, ZS80]). Usually, these descriptions are structured as if tasks or subtasks are performed sequentially. From an operational point of view, however, they are performed concurrently. Here, we present a design...
An abstract is not available.
We give a compositional denotational semantics for a real-time distributed language, based on the linear history semantics for CSP of Francez et al. Concurrent execution is not modelled by interleaving but by an extension of the maximal parallelism model of Salwicki and Müldner, that allows for the modelling of transmission time for communications....
We present a denotational, strictly syntax-directed, semantics for Statecharts, a graphical, mixed specification/programming language for real-time, developed by Harel [H]. This requires first of all defining a proper syntax for the graphical language. Apart from more conventional syntactical operators and their semantic counterparts, we encounter...
A top down development is presented of a distributed priority queue. The crucial characteristic that enables this development is the compositionality of the formalism used. Actually we argue that a stronger requirement is needed which combines compositionality with the ability to adapt given specifications, called modularity.
We present a fully abstract semantics for real-time distributed computing of the Ada and OCCAM kind in a denotational style. This semantics turns termination, communication along channels, and the time communication takes place, into observables. Yet it is the coarsest semantics to do so which is syntax-directed (this is known as full abstraction)....
The introduction of Hoare Logic made it feasible to supply correctness proofs of small sequential programs. While correctness proofs of larger programs could be given in principle, the increased size of such a proof warranted additional organization. The present paper puts emphasis on the technique of program transformation to show the derivability...