Combining Type Checking and Set Constraint Solving to Improve Automated Software Verification

In this paper we show how prescritive type checking and constraint solving can be combined to increase automation during software verification. We do so by defining a type system and implementing a typechecker for {log} (read `setlog'), a Constraint Logic Programming (CLP) language and satisfiability solver based on set theory. Hence, we proceed as follows: a) a type system for {log} is defined; b) the constraint solver is proved to be safe w.r.t. the type system; c) the implementation of a concrete typechecker is presented; d) the integration of type checking and set constraint solving to increase automation during software verification is discussed; and f) two industrial-strength case studies are presented where this combination is used with very good results

Rigorous development process of a safety-critical system: from ASM models to Java code

The paper presents an approach for rigorous development of safety-critical systems based on the Abstract State Machine formal method. The development process starts from a high level formal view of the system and, through refinement, derives more detailed models till the desired level of specification. Along the process, different validation and verification activities are available, as simulation, model review, and model checking. Moreover, each refinement step can be proved correct using an SMT-based approach. As last step of the refinement process, a Java implementation can be developed and linked to the formal specification. The correctness of the implementation w.r.t. its formal specification can be proved by means of model-based testing and runtime verification. The process is exemplified by using a Landing Gear System as case study

The Role of Validation in Refinement-Based Formal Software Development

International audienceIn this chapter, we consider the issue of validation in the context of formal software development. Although validation is a standard practice in all industrial software development processes, this activity is somehow less well addressed within formal methods. As the needs for formal languages, tools and environments are increasing in producing real-life software, the validation issue must be addressed. In this chapter, we discuss what the place of validation within formal methods, what specific issues there are associated with formal methods as far as validation is concerned, and what tools can be used in this regard. We then present a few examples of the usefulness of validation from the case studies we have developed. The chapter is concluded with a few open research problems associated with validation and future work

A Comprehensive Study of Declarative Modelling Languages

Declarative behavioural modelling is a powerful modelling paradigm that enables users to model system functionality abstractly and formally. An abstract model is a concise and compact representation of key characteristics of a system, and enables the stakeholders to reason about the correctness of the system in the early stages of development. There are many different declarative languages and they have greatly varying constructs for representing a transition system, and they sometimes differ in rather subtle ways. In this thesis, we compare seven formal declarative modelling languages B, Event-B, Alloy, Dash, TLA+, PlusCal, and AsmetaL on several criteria. We classify these criteria under three main categories: structuring transition systems (control modelling), data descriptions in transition systems (data modelling), and modularity aspects of modelling. We developed this comparison by completing a set of case studies across the data- vs. control-oriented spectrum in all of the above languages. Structurally, a transition system is comprised of a snapshot declaration and snapshot space, initialization, and a transition relation, which is potentially composed of individual transitions. We meticulously outline the differences between the languages with respect to how the modeller would express each of the above components of a transition system in each language, and include discussions regarding stuttering and inconsistencies in the transition relation. Data-related aspects of a formal model include use of basic and composite datatypes, well-formedness and typechecking, and separation of name spaces with respect to global and local variables. Modularity criteria includes subtransition systems and data decomposition. We employ a series of small and concise exemplars we have devised to highlight these differences in each language. To help modellers answer the important question of which declarative modelling language may be most suited for modelling their system, we present recommendations based on our observations about the differentiating characteristics of each of these languages

Event-B モデルの詳細化構造の計画とリファクタリングの支援手法

学位の種別: 課程博士審査委員会委員 : （主査）東京大学准教授 蓮尾 一郎, 東京大学教授 萩谷 昌己, 東京大学教授 小林 直樹, 東京大学教授 高野 明彦, 東京大学教授 千葉 滋University of Tokyo(東京大学

A formal approach for correct-by-construction system substitution

Safety-critical systems depend on the fact that their software components provide services that behave correctly (i.e. satisfy their requirements). Additionally, in many cases, these systems have to be adapted or reconfigured in case of failures or when changes in requirements or in quality of service occur. When these changes appear at the software level, they can be handled by the notion of substitution. Indeed, the software component of the source system can be substituted by another software component to build a new target system. In the case of safety-critical systems, it is mandatory that this operation enforces that the new target system behaves correctly by preserving the safety properties of the source system during and after the substitution operation. In this thesis, the studied systems are modeled as state-transition systems. In order to model system substitution, the Event-B method has been selected as it is well suited to model such state-transition systems and it provides the benefits of refinement, proof and the availability of a strong tooling with the Rodin Platform. This thesis provides a generic model for system substitution that entails different situations like cold start and warm start as well as the possibility of system degradation, upgrade or equivalence substitutions. This proposal is first used to formalize substitution in the case of discrete systems applied to web services compensation and allowed modeling correct compensation. Then, it is also used for systems characterized by continuous behaviors like hybrid systems. To model continuous behaviors with Event-B, the Theory plug-in for Rodin is investigated and proved successful for modeling hybrid systems. Afterwards, a correct substitution mechanism for systems with continuous behaviors is proposed. A safety envelope for the output of the system is taken as the safety requirement. Finally, the proposed approach is generalized, enabling the derivation of the previously defined models for web services compensation through refinement, and the reuse of proofs across system models

ABZ 2014: The Landing Gear Case StudyCase Study Track, Held at the 4th International Conference on Abstract State Machines, Alloy, B, TLA, VDM, and Z, Toulouse, France, June 2-6, 2014. Proceedings /

XII, 161 p. 47 illus.online resource

An assurance level sensitive UML profile for supporting DO-178C

Several model-based approaches have been proposed to ease the process of developing certifiable safety-critical software. In this thesis, we are interested in airborne software which must comply with DO-178C standard. However, existing approaches do not provide complete support for all the activities of the software life cycle as defined by DO-178C. In this thesis, we propose an UML profile that captures the concepts of DO-178C and its supplements in order to model the evidence required for certification. This profile provides modeling constructs for the definition of a DO-178C compliant software life cycle, the specification of the software requirements, the specification of verification data and finally the specification of the traceability that is requested by DO-178C. Furthermore, this profile has the unique feature of providing means to specify the objectives and activities to be performed throughout the software life cycle depending on the targeted assurance level and applied DO-178C supplements. We implemented the proposed profile within Papyrus, an UML modeling environment. We used the profile to model a realistic example of airborne software. Specifically, we illustrated the usefulness of the profile through four use cases