
    Diagrammatic Languages and Formal Verification : A Tool-Based Approach

    The importance of software correctness has been accentuated as a growing number of safety-critical systems have been developed that rely on software to operate them. One of the more prominent methods targeting the construction of a correct program is formal verification. Formal verification identifies a correct program as a program that satisfies its specification and is free of defects. While in theory formal verification guarantees a correct implementation with respect to the specification, applying formal verification techniques in practice has proved difficult and expensive. In response to these challenges, various support methods and tools have been suggested for all phases from program specification to proving the derived verification conditions. This thesis concerns practical verification methods applied to diagrammatic modeling languages. While diagrammatic languages are widely used in communicating system design (e.g., UML) and behavior (e.g., state charts), most formal verification platforms require the specification to be written in a textual specification language or in the mathematical language of an underlying logical framework. One exception is invariant-based programming, in which programs together with their specifications are drawn as invariant diagrams, a type of state transition diagram annotated with intermediate assertions (preconditions, postconditions, invariants). Even though the allowed program states, called situations, are described diagrammatically, the intermediate assertions defining a situation's meaning in the domain of the program are still written in conventional textual form. To explore the use of diagrams in expressing the intermediate assertions of invariant diagrams, we designed a pictorial language for expressing array properties. We further developed this notation into a diagrammatic domain-specific language (DSL) and implemented it as an extension to the Why3 platform.
    The DSL supports the expression of array properties. The language is based on Reynolds's interval and partition diagrams and includes a construct for mapping array intervals to logic predicates. Automated verification of a program is attained by generating the verification conditions and proving that they are true. In practice, full proof automation is not possible except for trivial programs, and verifying even simple properties can require significant effort in both the specification and proof stages. An animation tool which supports run-time evaluation of the program statements and intermediate assertions given any user-defined input can support this process. In particular, an execution trace leading up to a failed assertion constitutes a refutation of a verification condition that requires immediate attention. As an extension to Socos, a verification tool for invariant diagrams built on top of the PVS proof system, we have developed an execution model where program statements and assertions can be evaluated in a given program state. A program is represented by an abstract datatype encoding the program state, together with a small-step state transition function encoding the evaluation of a single statement. This allows the program's runtime behavior to be formally inspected during verification. We have also implemented animation and interactive debugging support for Socos. The thesis also explores visualization of system development in the context of model decomposition in Event-B. Decomposing a software system becomes increasingly critical as the system grows larger, since the workload on the theorem provers must be distributed effectively. Decomposition techniques have been suggested in several verification platforms to split the models into smaller units, each having fewer verification conditions and therefore imposing a lighter load on automatic theorem provers.
    In this work, we have investigated a refinement-based decomposition technique that makes the development process more resilient to changes in the specification and allows parallel development of sub-models by a team. As part of the research, we evaluated the technique on a small case study, a simplified version of the landing gear system verification presented by Boniol and Wiels, within the Event-B specification language.
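    The execution model described in the abstract above, as an added illustration (example code written for this page, not code from the thesis, from Socos or from the Why3 extension): a binary search laid out as an invariant diagram with three situations, the program state as an immutable datatype, a small-step transition function evaluating one statement at a time, and the situation assertions written as predicates over half-open array intervals in the spirit of Reynolds's interval diagrams. The helper names (`forall_interval`, `assertion`, `animate`, `buggy_step`) and the sample arrays are assumptions of this illustration. Animating the program with a deliberately broken transition produces an execution trace that ends in a refuted assertion, the kind of refutation the abstract says needs immediate attention.

```python
from dataclasses import dataclass, replace
from typing import Callable, List, Optional, Tuple

# Interval predicates: a textual stand-in for the array-interval constructs of the
# diagrammatic DSL (hypothetical helpers written for this illustration).
def forall_interval(a, lo: int, hi: int, pred: Callable[[int], bool]) -> bool:
    """pred holds for every element of the half-open interval a[lo..hi)."""
    return all(pred(a[i]) for i in range(lo, hi))

def sorted_interval(a, lo: int, hi: int) -> bool:
    """a[lo..hi) is in non-decreasing order (the program's precondition)."""
    return all(a[i] <= a[i + 1] for i in range(lo, hi - 1))

@dataclass(frozen=True)
class State:
    """Abstract datatype for the program state; `situation` names the node of the
    invariant diagram the program is currently in."""
    a: Tuple[int, ...]
    x: int                  # key being searched for
    lo: int
    hi: int
    situation: str          # "loop", "found" or "notfound"
    result: Optional[int] = None

def assertion(s: State) -> bool:
    """Intermediate assertion attached to each situation of the diagram."""
    n = len(s.a)
    if s.situation == "loop":
        # Everything left of lo is below x and everything from hi onwards is above x.
        return (0 <= s.lo <= s.hi <= n
                and forall_interval(s.a, 0, s.lo, lambda v: v < s.x)
                and forall_interval(s.a, s.hi, n, lambda v: v > s.x))
    if s.situation == "found":
        return s.result is not None and s.a[s.result] == s.x
    if s.situation == "notfound":
        return forall_interval(s.a, 0, n, lambda v: v != s.x)
    return False

def step(s: State) -> State:
    """Small-step transition: evaluate a single statement of the program."""
    if s.situation != "loop":
        return s                                   # final situations are fixed points
    if s.lo >= s.hi:
        return replace(s, situation="notfound")
    mid = (s.lo + s.hi) // 2
    if s.a[mid] < s.x:
        return replace(s, lo=mid + 1)
    if s.a[mid] > s.x:
        return replace(s, hi=mid)
    return replace(s, result=mid, situation="found")

def buggy_step(s: State) -> State:
    """Same program with a deliberate off-by-one (hi = mid - 1) to show a refutation."""
    if s.situation == "loop" and s.lo < s.hi and s.a[(s.lo + s.hi) // 2] > s.x:
        return replace(s, hi=(s.lo + s.hi) // 2 - 1)
    return step(s)

def animate(a, x: int, step_fn: Callable[[State], State] = step, max_steps: int = 1000):
    """Run the program from its initial situation, evaluating the assertion after
    every step.  Returns (result, trace, failing): failing is None when every
    assertion held, otherwise the index in the trace of the first refuting state."""
    if not sorted_interval(a, 0, len(a)):
        raise ValueError("precondition violated: array is not sorted")
    s = State(tuple(a), x, 0, len(a), "loop")
    trace: List[State] = [s]
    for _ in range(max_steps):
        if not assertion(s):
            return None, trace, len(trace) - 1     # refutation: trace ends in a bad state
        if s.situation != "loop":
            return s.result, trace, None
        s = step_fn(s)
        trace.append(s)
    raise RuntimeError("step budget exhausted")

if __name__ == "__main__":
    # Constructed input: the broken transition pushes hi below the key's index.
    _, trace, failing = animate((1, 2, 3, 4), 2, step_fn=buggy_step)
    for i, st in enumerate(trace):
        print(i, st.situation, st.lo, st.hi, "<- assertion refuted" if i == failing else "")
```

    Only the trace up to the first refuted assertion is returned, so the offending state (here `hi` driven below the index of the searched key) can be read directly from `trace[failing]`. A run that finishes with `failing is None` does not prove the program correct; it only fails to refute the verification conditions on that particular input, which is exactly the division of labour between animation and proof the abstract describes.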

    Affording illusions? Natural Information and the Problem of Misperception

    There are two related points at which J.J. Gibson’s ecological theory of visual perception remains remarkably underspecified: Firstly, the notion of information for perception is not explicated in much detail beyond the claim that it “specifies” the environment for perception, and, thus being an objective affair, enables an organism to perceive action possibilities or “affordances.” Secondly, misperceptions of affordances and perceptual illusions are not clearly distinguished from each other. Although the first claim seems to suggest that any perceptual illusion amounts to the misperception of affordances, there might be some relevant differences between various ways of getting things wrong. In this essay, Gibson’s notion of “specifying” information shall be reconstructed along the lines of Fred Dretske’s relational theory of information. This refined notion of information for perception will then be used to carve out the distinction between perceptual illusions and the misperception of affordances, with some help from the “Empirical Strategy” (developed by Purves et al.). It will be maintained that there are cases where perceptual illusions actually help an organism to correctly perceive an affordance. In such cases, the prima facie misrendered informational relations involved are kept intact by a set of appropriate transformation rules. Two of Gibson’s intuitions shall thus be preserved: the objectivity of informational relations and the empowerment of the organism as an active perceiver who uses those objective relations to his specific ends

    Photography, perception and language: towards a theoretical groundwork for image education

    The aim of this thesis is to examine the status and nature of photography in relation to two basic approaches: one derived from theories of perception and the other from analogies with verbal language. The implications and conclusions drawn from this critical survey are assessed in terms of their relevance and value for education in photography and as the basis for a possible curriculum in image education. The fact that the position of photography is not firmly established in school highlights the need for a fundamental re-appraisal of the medium and the part that it can play in education. Section One deals with the two main justifications for photography in education, following categories derived from Eisner: the contextualist and the essentialist. While the former provides a very strong case, the latter is also regarded as critical and concerns the value of photography as a medium in its own right. Issues regarding the criteria for photography, particularly as an art form, are then raised, and lead to basic questions about the nature of the medium itself. In Section Two, perceptual theory is examined by comparing two positions: Gibson's "registration" theory and the "constructive" tradition, with some consideration of the Gestalt view. The photograph's link with the real world is maintained in the comprehensive psychological theory of Neisser, and the passage from nature to convention is accounted for here, as well as in Peirce's theory of signs. In photographic theory proper, the "trace of the real" is regarded as of seminal importance. Language analogies are then considered in Section Three. Basic differences between word and image are clarified, and it is contended that while "language" metaphors can be used with some profit, too close a model borrowing from structural linguistics is fraught with difficulties.
    Sebeok's semiotic framework of communication and signification is introduced and regarded as useful in uniting natural and nonverbal phenomena with photographic concerns. However, the project of "translinguistics", initiated by Barthes but not ultimately pursued by him, is shown to have dangerous formalist and determinist leanings, especially in conjunction with Marxist-Lacanian concepts. Partisan political concerns in "ideological" image analysis have in some instances become over-dominant, to the detriment of a wide understanding of issues. Finally, in Section Four, suggestions for new priorities in image education through photography are advanced and compared to present practice. Examples of work are given in the Appendices.

    Hierarchies of invariant spin models

    In this paper we present classes of state sum models based on the recoupling theory of angular momenta of SU(2) (and of its q-counterpart $U_q(sl(2))$, q a root of unity). Such classes are arranged in hierarchies depending on the dimension d, and include all known closed models, i.e. the Ponzano-Regge state sum and the Turaev-Viro invariant in dimension d=3, and the Crane-Yetter invariant in d=4. In general, the recoupling coefficient associated with a d-simplex turns out to be a $\{3(d-2)(d+1)/2\}j$ symbol, or its q-analog. Each of the state sums can be further extended to compact triangulations $(T^d, \partial T^d)$ of a PL-pair $(M^d, \partial M^d)$, where the triangulation of the boundary manifold is not kept fixed. In both cases we find the algebraic identities which translate complete sets of topological moves, thus showing that all state sums are actually independent of the particular triangulation chosen. Then, owing to Pachner's theorems, it turns out that classes of PL-invariant models can be defined in any dimension d. Comment: 42 pages, 25 figures

    Majorana states in inhomogeneous spin ladders

    We propose an inhomogeneous open spin ladder, related to the Kitaev honeycomb model, which can be tuned between topological and nontopological phases. Extending Lieb's theorem, we show numerically that the ground state of the spin ladder is either vortex free or vortex full. We study the robustness of Majorana end states (MES) which emerge at the boundary between sections in different topological phases and show that while the MES in the homogeneous ladder are destroyed by single-body perturbations, in the presence of inhomogeneities at least two-body perturbations are required to destabilize MES. Furthermore, we prove that x, y, or z inhomogeneous magnetic fields are not able to destroy the topological degeneracy. Finally, we present a trijunction setup where MES can be braided. A network of such spin ladders thus provides a promising platform for the realization and manipulation of MES.

    Pictorial space: a comparative account of projective versus constructivist theories of graphic perception

    Ankara : Bilkent University, Department of Graphic Design and Institute of Fine Arts, 1996. Thesis (Master's) -- Bilkent University, 1996. Includes bibliographical references (leaves 122-124).
    This study aims at constructing an 'overall theoretical outline' that would structure the existing approaches to graphic perception within a comprehensible whole. In this context, two dominant theoretical paradigms, namely the 'projective' and 'constructivist' arguments of pictorial perception, are analysed in a comparative manner. Due to the fact that different theorists adopt these two arguments in varying degrees, four distinct approaches to pictorial perception are analysed, extending between the two extremes. The comparison is based on the phenomenon of pictorial space as a significant feature of graphic imagery.
    Anafarta, Orhan. M.S.

    Learning Program Specifications from Sample Runs

    With science fiction of yore being reality recently with self-driving cars, wearable computers and autonomous robots, software reliability is growing increasingly important. A critical pre-requisite to ensure the software that controls such systems is correct is the availability of precise specifications that describe a program's intended behaviors. Generating these specifications manually is a challenging, often unsuccessful, exercise; unfortunately, existing static analysis techniques often produce poor quality specifications that are ineffective in aiding program verification tasks. In this dissertation, we present a recent line of work on automated synthesis of specifications that overcome many of the deficiencies that plague existing specification inference methods. Our main contribution is a formulation of the problem as a sample driven one, in which specifications, represented as terms in a decidable refinement type representation, are discovered from observing a program's sample runs in terms of either program execution paths or input-output values, and automatically verified through the use of expressive refinement type systems. Our approach is realized as a series of inductive synthesis frameworks, which use various logic-based or classification-based learning algorithms to provide sound and precise machine-checked specifications. Experimental results indicate that the learning algorithms are both efficient and effective, capable of automatically producing sophisticated specifications in nontrivial hypothesis domains over a range of complex real-world programs, going well beyond the capabilities of existing solutions.
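    A minimal version of the sample-driven inference loop the abstract above describes, added here as an illustration (example code written for this page, not the dissertation's framework or its refinement type checker): candidate refinements over an input x and output y are drawn from a small, hypothetical template grammar of linear relations; observed runs refute candidates; and a bounded exhaustive check stands in for the verifier, handing back the run that refutes a surviving candidate so it can be added to the samples. The function names, the template grammar and the sample runs are assumptions of this illustration.

```python
from itertools import product
from typing import Callable, List, Optional, Tuple

# A candidate refinement over (input x, output y): (op, k, c) reads "y op k*x + c".
Pred = Tuple[str, int, int]
Sample = Tuple[int, int]

def template_grammar(consts=range(-2, 3)) -> List[Pred]:
    """Hypothesis domain (chosen for this illustration): linear relations between
    x and y with slope in {-1, 0, 1} and a small integer constant."""
    return [(op, k, c) for op, k, c in product(("==", ">=", "<="), (-1, 0, 1), consts)]

def holds(pred: Pred, x: int, y: int) -> bool:
    op, k, c = pred
    rhs = k * x + c
    return y == rhs if op == "==" else y >= rhs if op == ">=" else y <= rhs

def consistent(preds: List[Pred], samples: List[Sample]) -> List[Pred]:
    """Inductive step: keep every candidate that no observed run refutes."""
    return [p for p in preds if all(holds(p, x, y) for x, y in samples)]

def prune(preds: List[Pred]) -> List[Pred]:
    """Keep only the strongest candidate of each shape: y >= k*x + c is implied by
    y >= k*x + c' when c' >= c (dually for <=), and y == k*x + c implies both."""
    best = {}
    for op, k, c in preds:
        key = (op, k)
        if key not in best or (op == ">=" and c > best[key]) or (op == "<=" and c < best[key]):
            best[key] = c
    exact = {k for (op, k) in best if op == "=="}
    return sorted((op, k, c) for (op, k), c in best.items() if op == "==" or k not in exact)

def bounded_check(f: Callable[[int], int], preds: List[Pred], bound: int = 20
                  ) -> Optional[Tuple[Pred, Sample]]:
    """Stand-in for the verifier: run f on every input in [-bound, bound] and return
    (refuted candidate, the refuting run), or None when every candidate survives."""
    for x in range(-bound, bound + 1):
        y = f(x)
        for p in preds:
            if not holds(p, x, y):
                return p, (x, y)
    return None

def learn_spec(f: Callable[[int], int], samples: List[Sample], max_rounds: int = 50
               ) -> Tuple[List[Pred], List[Sample]]:
    """Learn from samples, check, feed the refuting run back as a new sample, repeat.
    Returns (learned predicates, the samples actually used)."""
    samples = list(samples)
    grammar = template_grammar()
    for _ in range(max_rounds):
        learned = prune(consistent(grammar, samples))
        cex = bounded_check(f, learned)
        if cex is None:
            return learned, samples
        samples.append(cex[1])
    raise RuntimeError("no fixpoint within max_rounds")

if __name__ == "__main__":
    # Constructed samples: only non-negative runs of abs, which over-fit to y == x.
    spec, used = learn_spec(abs, [(3, 3), (5, 5)])
    print("learned:", spec)
    print("samples used:", used)
```

    With only non-negative runs the first round over-fits `abs` to `y == x`; each refuting run weakens the hypothesis until `y >= 0`, `y >= x` and `y >= -x` survive, which is the intended refinement. An empty result means no candidate in the hypothesis domain is a true property of the function (for example `lambda x: 2 * x`, whose slope the grammar cannot express), which is why the abstract stresses nontrivial hypothesis domains.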
