26 research outputs found
Combining Type Checking and Set Constraint Solving to Improve Automated Software Verification
In this paper we show how prescriptive type checking and constraint solving
can be combined to increase automation during software verification. We do so
by defining a type system and implementing a typechecker for {log} (read
`setlog'), a Constraint Logic Programming (CLP) language and satisfiability
solver based on set theory. Hence, we proceed as follows: a) a type system for
{log} is defined; b) the constraint solver is proved to be safe w.r.t. the type
system; c) the implementation of a concrete typechecker is presented; d) the
integration of type checking and set constraint solving to increase automation
during software verification is discussed; and e) two industrial-strength case
studies are presented where this combination is used with very good results.
Rigorous development process of a safety-critical system: from ASM models to Java code
The paper presents an approach for rigorous development of safety-critical systems based on the Abstract State Machine formal method. The development process starts from a high level formal view of the system and, through refinement, derives more detailed models till the desired level of specification. Along the process, different validation and verification activities are available, such as simulation, model review, and model checking. Moreover, each refinement step can be proved correct using an SMT-based approach. As the last step of the refinement process, a Java implementation can be developed and linked to the formal specification. The correctness of the implementation w.r.t. its formal specification can be proved by means of model-based testing and runtime verification. The process is exemplified by using a Landing Gear System as a case study.
The Role of Validation in Refinement-Based Formal Software Development
In this chapter, we consider the issue of validation in the context of formal software development. Although validation is a standard practice in all industrial software development processes, this activity is somehow less well addressed within formal methods. As the needs for formal languages, tools and environments are increasing in producing real-life software, the validation issue must be addressed. In this chapter, we discuss what the place of validation is within formal methods, what specific issues there are associated with formal methods as far as validation is concerned, and what tools can be used in this regard. We then present a few examples of the usefulness of validation from the case studies we have developed. The chapter is concluded with a few open research problems associated with validation and future work.
A Comprehensive Study of Declarative Modelling Languages
Declarative behavioural modelling is a powerful modelling paradigm
that enables users to model system functionality abstractly and
formally. An abstract model is a concise and compact representation
of key characteristics of a system, and enables the stakeholders to
reason about the correctness of the system in the early stages of
development.
There are many different declarative languages and they have greatly
varying constructs for representing a transition system, and they
sometimes differ in rather subtle ways. In this thesis, we compare
seven formal declarative modelling languages B, Event-B, Alloy, Dash,
TLA+, PlusCal, and AsmetaL on several criteria. We classify these
criteria under three main categories: structuring transition systems
(control modelling), data descriptions in transition systems (data
modelling), and modularity aspects of modelling. We developed this
comparison by completing a set of case studies across the data-
vs. control-oriented spectrum in all of the above languages.
Structurally, a transition system is comprised of a snapshot
declaration and snapshot space, initialization, and a transition
relation, which is potentially composed of individual transitions. We
meticulously outline the differences between the languages with
respect to how the modeller would express each of the above components
of a transition system in each language, and include discussions
regarding stuttering and inconsistencies in the transition relation.
Data-related aspects of a formal model include use of basic and
composite datatypes, well-formedness and typechecking, and separation
of name spaces with respect to global and local variables. Modularity
criteria include subtransition systems and data decomposition. We
employ a series of small and concise exemplars we have devised to
highlight these differences in each language. To help modellers
answer the important question of which declarative modelling language
may be most suited for modelling their system, we present
recommendations based on our observations about the differentiating
characteristics of each of these languages.
Verifying Strong Eventual Consistency in Distributed Systems
Data replication is used in distributed systems to maintain up-to-date copies of shared data across multiple
computers in a network. However, despite decades of research, algorithms for achieving consistency in
replicated systems are still poorly understood. Indeed, many published algorithms have later been shown to
be incorrect, even some that were accompanied by supposed mechanised proofs of correctness. In this work,
we focus on the correctness of Conflict-free Replicated Data Types (CRDTs), a class of algorithm that provides
strong eventual consistency guarantees for replicated data. We develop a modular and reusable framework
in the Isabelle/HOL interactive proof assistant for verifying the correctness of CRDT algorithms. We avoid
correctness issues that have dogged previous mechanised proofs in this area by including a network model
in our formalisation, and proving that our theorems hold in all possible network behaviours. Our axiomatic
network model is a standard abstraction that accurately reflects the behaviour of real-world computer networks.
Moreover, we identify an abstract convergence theorem, a property of order relations, which provides a formal
definition of strong eventual consistency. We then obtain the first machine-checked correctness theorems for
three concrete CRDTs: the Replicated Growable Array, the Observed-Remove Set, and an Increment-Decrement
Counter. We find that our framework is highly reusable, developing proofs of correctness for the latter two
CRDTs in a few hours and with relatively little CRDT-specific code.
A formal approach for correct-by-construction system substitution
Safety-critical systems depend on the fact that their software components provide services that behave correctly (i.e. satisfy their requirements). Additionally, in many cases, these systems have to be adapted or reconfigured in case of failures or when changes in requirements or in quality of service occur. When these changes appear at the software level, they can be handled by the notion of substitution. Indeed, the software component of the source system can be substituted by another software component to build a new target system. In the case of safety-critical systems, it is mandatory that this operation enforces that the new target system behaves correctly by preserving the safety properties of the source system during and after the substitution operation. In this thesis, the studied systems are modeled as state-transition systems. In order to model system substitution, the Event-B method has been selected as it is well suited to model such state-transition systems and it provides the benefits of refinement, proof and the availability of a strong tooling with the Rodin Platform. This thesis provides a generic model for system substitution that entails different situations like cold start and warm start as well as the possibility of system degradation, upgrade or equivalence substitutions. This proposal is first used to formalize substitution in the case of discrete systems applied to web services compensation and allowed modeling correct compensation. Then, it is also used for systems characterized by continuous behaviors like hybrid systems. To model continuous behaviors with Event-B, the Theory plug-in for Rodin is investigated and proved successful for modeling hybrid systems. Afterwards, a correct substitution mechanism for systems with continuous behaviors is proposed. A safety envelope for the output of the system is taken as the safety requirement. 
Finally, the proposed approach is generalized, enabling the derivation of the previously defined models for web services compensation through refinement, and the reuse of proofs across system models.
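Support Methods for Planning and Refactoring the Refinement Structure of Event-B Models
Degree type: Doctorate by coursework. Examination committee: (Chair) Associate Professor Ichiro Hasuo, University of Tokyo; Professor Masami Hagiya, University of Tokyo; Professor Naoki Kobayashi, University of Tokyo; Professor Akihiko Takano, University of Tokyo; Professor Shigeru Chiba, University of Tokyo. University of Tokyo (東京大学)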