A new approach to specifying and handling exceptions

technical reportAn operation generally exhibits different patterns of behavior over different parts of its domain. Depending upon the context, such behavior may either be conceived of as "normal" or as an "exception." Thus, the behavior of an operation Is quite naturally characterized by the set of partial operations that characterize its (different) behavior on Its subdomains, and exceptions essentially serve to extend (modify) the normal behavior of an operation. In this milieu, we consider the issues of specifying and "handling" exceptional conditions that might occur during the execution of an operation. We argue that one of the important features that an exception handling mechanism need possess is to enable the behavior of an operation be altered over part of Its domain i.e. that of being able o incrementally modify t h e semantics of t h e partial operations that serve to characterize an operation. Surprisingly, this requirement arises out of a pragmatic consideration ? that of providing for the existence of a library of subroutines. We propose a general mechanism for specifying exceptions and their handlers that does not compromise the possibility of efficient implementations. Examples of application of the method are presented In the context of abstract algebraic) data type specifications, using skeletal specifications of a Stack and an error-correcting parser for a context free grammar. The major advantage of the proposed mechanism over conventional appoaches is that of completely avoiding the problem of "dynamic context propagation.

Errors as Data Values

A “thrown” exception is a non-local side effect that complicates static reasoning about code. Particularly in functional languages it is fairly common to instead propagate errors as ordinary values. The propagation is sometimes done in monadic style, and some languages include syntactic conveniences for writing expressions in that style. We discuss a guarded- algebra-inspired approach for integrating similar, implicit error propagation into a language with “normal” function application syntax. The presented failure management approach accommodates language designs with all- referentially-transparent expressions. It furthermore supports automatically checking data invariants and function pre- and post-conditions, recording a trace of any due-to-an-error unevaluateable or failed expressions, and in some cases retaining “bad” values for potential use in recovering from an error

A Historical Perspective on Runtime Assertion Checking in Software Development

This report presents initial results in the area of software testing and analysis produced as part of the Software Engineering Impact Project. The report describes the historical development of runtime assertion checking, including a description of the origins of and significant features associated with assertion checking mechanisms, and initial findings about current industrial use. A future report will provide a more comprehensive assessment of development practice, for which we invite readers of this report to contribute information

Rascal: From Algebraic Specification to Meta-Programming

Algebraic specification has a long tradition in bridging the gap between specification and programming by making specifications executable. Building on extensive experience in designing, implementing and using specification formalisms that are based on algebraic specification and term rewriting (namely Asf and Asf+Sdf), we are now focusing on using the best concepts from algebraic specification and integrating these into a new programming language: Rascal. This language is easy to learn by non-experts but is also scalable to very large meta-programming applications. We explain the algebraic roots of Rascal and its main application areas: software analysis, software transformation, and design and implementation of domain-specific languages. Some example applications in the domain of Model-Driven Engineering (MDE) are described to illustrate this.Comment: In Proceedings AMMSE 2011, arXiv:1106.596

Caching, crashing & concurrency - verification under adverse conditions

The formal development of large-scale software systems is a complex and time-consuming effort. Generally, its main goal is to prove the functional correctness of the resulting system. This goal becomes significantly harder to reach when the verification must be performed under adverse conditions. When aiming for a realistic system, the implementation must be compatible with the “real world”: it must work with existing system interfaces, cope with uncontrollable events such as power cuts, and offer competitive performance by using mechanisms like caching or concurrency. The Flashix project is an example of such a development, in which a fully verified file system for flash memory has been developed. The project is a long-term team effort and resulted in a sequential, functionally correct and crash-safe implementation after its first project phase. This thesis continues the work by performing modular extensions to the file system with performance-oriented mechanisms that mainly involve caching and concurrency, always considering crash-safety. As a first contribution, this thesis presents a modular verification methodology for destructive heap algorithms. The approach simplifies the verification by separating reasoning about specifics of heap implementations, like pointer aliasing, from the reasoning about conceptual correctness arguments. The second contribution of this thesis is a novel correctness criterion for crash-safe, cached, and concurrent file systems. A natural criterion for crash-safety is defined in terms of system histories, matching the behavior of fine-grained caches using complex synchronization mechanisms that reorder operations. The third contribution comprises methods for verifying functional correctness and crash-safety of caching mechanisms and concurrency in file systems. A reference implementation for crash-safe caches of high-level data structures is given, and a strategy for proving crash-safety is demonstrated and applied. A compatible concurrent implementation of the top layer of file systems is presented, using a mechanism for the efficient management of fine-grained file locking, and a concurrent version of garbage collection is realized. Both concurrency extensions are proven to be correct by applying atomicity refinement, a methodology for proving linearizability. Finally, this thesis contributes a new iteration of executable code for the Flashix file system. With the efficiency extensions introduced with this thesis, Flashix covers all performance-oriented concepts of realistic file system implementations and achieves competitiveness with state-of-the-art flash file systems

Formal Verification of Security Protocol Implementations: A Survey

Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac

JWalk: a tool for lazy, systematic testing of java classes by design introspection and user interaction

Popular software testing tools, such as JUnit, allow frequent retesting of modified code; yet the manually created test scripts are often seriously incomplete. A unit-testing tool called JWalk has therefore been developed to address the need for systematic unit testing within the context of agile methods. The tool operates directly on the compiled code for Java classes and uses a new lazy method for inducing the changing design of a class on the fly. This is achieved partly through introspection, using Java’s reflection capability, and partly through interaction with the user, constructing and saving test oracles on the fly. Predictive rules reduce the number of oracle values that must be confirmed by the tester. Without human intervention, JWalk performs bounded exhaustive exploration of the class’s method protocols and may be directed to explore the space of algebraic constructions, or the intended design state-space of the tested class. With some human interaction, JWalk performs up to the equivalent of fully automated state-based testing, from a specification that was acquired incrementally