Reasoning about correctness properties of a coordination programming language

Safety critical systems place additional requirements to the programming language used to implement them with respect to traditional environments. Examples of features that influence the suitability of a programming language in such environments include complexity of definitions, expressive power, bounded space and time and verifiability. Hume is a novel programming language with a design which targets the first three of these, in some ways, contradictory features: fully expressive languages cannot guarantee bounds on time and space, and low-level languages which can guarantee space and time bounds are often complex and thus error-phrone. In Hume, this contradiction is solved by a two layered architecture: a high-level fully expressive language, is built on top of a low-level coordination language which can guarantee space and time bounds. This thesis explores the verification of Hume programs. It targets safety properties, which are the most important type of correctness properties, of the low-level coordination language, which is believed to be the most error-prone. Deductive verification in Lamport’s temporal logic of actions (TLA) is utilised, in turn validated through algorithmic experiments. This deductive verification is mechanised by first embedding TLA in the Isabelle theorem prover, and then embedding Hume on top of this. Verification of temporal invariants is explored in this setting. In Hume, program transformation is a key feature, often required to guarantee space and time bounds of high-level constructs. Verification of transformations is thus an integral part of this thesis. The work with both invariant verification, and in particular, transformation verification, has pinpointed several weaknesses of the Hume language. Motivated and influenced by this, an extension to Hume, called Hierarchical Hume, is developed and embedded in TLA. Several case studies of transformation and invariant verification of Hierarchical Hume in Isabelle are conducted, and an approach towards a calculus for transformations is examined.