9 research outputs found

    FDR Explorer

    In this paper we describe the internal structures of FDR, the refinement model checker for Hoare's Communicating Sequential Processes (CSP), as well as an Application Programming Interface (API) allowing one to interact more closely with, and have fine-grained control over, FDR's behaviour and data structures. With such information it is possible to create optimised CSP code to perform refinement checks that are more space/time efficient, hence enabling the analysis of more complex and data-intensive specifications. This information is very valuable both for CSP users and for tools that automatically generate CSP code, such as those related to security analysis that generate test cases as CSP processes. We also present a simple example of using the tool. Finally, we show how one can transform FDR's graph format into a graph notation (e.g., JGraph), hence enabling visualisation of the Labelled Transition Systems (LTS) of CSP specifications.

    Automatically Generating CSP Models for Communicating Haskell Processes

    Tools such as FDR can check whether a CSP model of an implementation is a refinement of a given CSP specification. We present a technique for generating such CSP models of Haskell implementations that use the Communicating Haskell Processes library. Our technique avoids the need for a detailed semantics of the Haskell language and requires only minimal program annotation. The generated CSP-M model can be checked for deadlock or refinements by FDR, allowing easy use of formal methods without the need to maintain a model of the program implementation alongside the program itself.

    ProcessJ: A process-oriented programming language

    Java is a general-purpose object-oriented programming language that has been widely adopted. Because of its high adoption rate and its lineage as a C-style language, its syntax is familiar to many programmers. The downside is that Java is not natively concurrent. Volumes have been written about concurrent programming in Java; however, concurrent programming is difficult to reason about within an object-oriented paradigm and so is difficult to get right. occam-π is a general-purpose process-oriented programming language. Concurrency is part of the theoretical underpinnings of the language. Concurrency is simple to reason about within an occam-π application because there is never any shared state; also, occam-π is based on a process calculus, with algebraic laws for composing processes. It has well-defined semantics regarding how processes interact. The downside is that the syntax is foreign and even archaic to programmers who are used to the Java syntax. This thesis presents a new language, ProcessJ, which is a general-purpose, process-oriented programming language meant to bridge the gap between Java and occam-π. ProcessJ does this by combining the familiar syntax of Java with the process semantics of occam-π. This allows for a familiar-looking language in which concurrent programs are easy to reason about. This thesis describes the ProcessJ language, as well as the implementation of a compiler that translates ProcessJ source code to Java with Java Communicating Sequential Processes (JCSP), a library that provides CSP-style communication primitives.

    Contribution to the specification and verification of component-based software: enriching the Kmelia data language and verifying contracts (Contribution à la spécification et à la vérification des logiciels à base de composants : enrichissement du langage de données de Kmelia et vérification de contrats)

    With Model Driven Engineering, models are the heart of software development. These models evolve through transformations. In this thesis our interest was the validation of these model transformations by testing, and more precisely the test oracles. We propose two approaches to assist the tester in creating these oracles. With the first approach this assistance is passive: we provide the tester with a new oracle function. The test oracles created with this new oracle function control only part of the model produced by the transformation under test. We defined the notion of partial verdict, described the situations where having a partial verdict is beneficial for the tester, and how to test a transformation in this context. We developed a tool implementing this proposal and ran experiments with it. With the second approach, we provide more active assistance about test oracles' quality. We study the quality of a set of model transformation test oracles. We consider that the quality of a set of oracles is linked to its ability to detect faults in the transformation under test. We show the limits of mutation analysis, which is used for this purpose, then we propose a new approach that corrects part of these drawbacks. We measure the coverage of the output meta-model by the set of oracles we consider. Our approach does not depend on the language used for the implementation of the transformation under test. It also provides the tester with hints on how to improve her oracles. We defined a process to evaluate meta-model coverage and qualify test oracles. We developed a tool implementing our approach to validate it through experiments.
    The growing use of software components and services in the various sectors of activity (telecommunications, transport, energy, finance, health, etc.) demands rigorous means (models, methods, tools, etc.) in order to control their production and evaluate their quality. In particular, it is crucial to be able to guarantee their correct operation ahead of deployment during the modular development of software systems. Kmelia is a multi-service component model developed with the aim of building software components and assemblies that are proved correct. Three main objectives are pursued in this thesis. The first consists in enriching the expressive power of the Kmelia model with a data language in order to satisfy the twofold need for specification and verification. The second aims at elaborating a development framework founded on the notion of multi-level contracts. The interest of such contracts is to control the progressive construction of component-based systems and to automate their verification process. In this thesis we focus on the verification of functional contracts using the B method. The third objective is the instrumentation of our approach in the COSTO/Kmelia platform. We have implemented a prototype that connects COSTO to the various tools associated with the B method. This prototype builds B machines from Kmelia specifications according to the properties to be verified. We show that proving the generated B specifications guarantees the consistency of the original Kmelia specifications. Illustrations based on the CoCoME example support our proposals.

    Requirements Specification, Behavioral Specification and Checking of object-oriented Interlocking Systems using Multi-Object Logics, UML State Machines and Multi-Object Checking

    Due to their programmability and their high capabilities, computers have entered almost all areas of everyday life. In order to use computer-based systems in a safety-critical environment, the proper function of hardware and software has to be certified. For economic reasons, the development of safety-critical systems requires automatable methods that support providing such evidence. Whereas the relevant standards recommend the application of formal, and therefore automatable, methods, criteria for which formalism can be applied adequately or even efficiently do not exist yet. As a result of the large number of available development tools, modelling languages like the Unified Modeling Language (UML) have become more and more popular. However, the UML does not meet the requirements as to formality or verification support. In this thesis, a methodology to support the development process of safety-critical systems is developed, using an example from the operation and control technology of railway systems. The methodology reuses UML concepts in such a way that existing development tools can still be applied. The methodology comprises the formalisation of functional requirements as Multi-Object Logic D1 formulas, which are interpreted over multiply extended Kripke structures. Multiply extended Kripke structures are likewise the basis for communicating state machines, which can be generated by decomposing UML state machines; UML state machines therefore become applicable in the behaviour specification phase. Due to the common basis of the requirements and the behavioural specification, the efficient, automatable Multi-Object Checking procedure can be utilised for verification. In this thesis, the Multi-Object Checking procedure is extended by a scenario-generation feature for the case that a Multi-Object Checking property does not hold. This feature can be applied both to verification, for fault localisation in the model, and to validation, for test-case generation, so that not only verification but also validation is suitably supported. The applicability of the methodology is demonstrated using the example of the development of an interlocking logic.

    Analysis of explicit state management as a means of synchronisation (Analyse expliziter Zustandsverwaltung als Mittel der Synchronisation)

    Parallelism is an integral part of modern software development. Concurrent accesses to shared resources must be synchronised, otherwise software defects such as data races arise. For synchronisation, "home-grown" state-based mechanisms are frequently used alongside the established ones. These often implement finite automata. Existing lightweight, pattern-matching approaches to analysing the synchronisation properties of explicit state management lack the power to analyse such patterns satisfactorily. This thesis presents a new, considerably more heavyweight approach to analysing explicit state management as a means of synchronisation. Static analysis reduces systems written in C to models expressed in the formal process calculus CSP. Refinement checkers examine whether pairs of accesses to variables in the model form a data race. If the data race can be ruled out in the model, then, thanks to conservative approximation, it is also unreachable in the original system. The modelling and the preprocessing of the model are explained. The evaluation shows that the new approach often delivers a better assessment of the synchronisation properties of explicit state management than previous approaches. Application to real embedded automotive systems demonstrates that the approach is practically usable.
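    The following CSP-M script is an added illustration, not a model from the thesis (which derives its models from C code by static analysis) and not from the page. It hand-writes the kind of flag-based mutual exclusion that the abstract calls a home-grown state-based mechanism, beside a version that uses an atomic test-and-set, and phrases "no two accesses to the shared variable overlap" as a trace-refinement check of the kind FDR runs. The channel names, process names and the two-thread setup are my own assumptions.

```csp
-- Added example: flag-based mutual exclusion modelled in CSP-M and checked
-- for a data race by trace refinement. All names are illustrative.

Ids = {1, 2}

-- The shared flag is an explicit finite automaton: it can be read,
-- overwritten, or atomically test-and-set (tas returns the old value and
-- leaves the flag at 1).
channel read, write, tas : {0, 1}

-- enter.i / leave.i bracket thread i's access to the protected data.
channel enter, leave : Ids

VAR(v) = read!v -> VAR(v)
      [] write?w -> VAR(w)
      [] tas!v   -> VAR(1)

-- Home-grown protocol: a non-atomic read-then-write on the flag.
BROKEN(i) = read?v ->
  (if v == 0 then write!1 -> enter.i -> leave.i -> write!0 -> BROKEN(i)
             else BROKEN(i))

-- Corrected protocol: the check and the set are one atomic event.
FIXED(i) = tas?v ->
  (if v == 0 then enter.i -> leave.i -> write!0 -> FIXED(i)
             else FIXED(i))

Shared = {| read, write, tas |}

SYS_BROKEN = (||| i : Ids @ BROKEN(i)) [| Shared |] VAR(0)
SYS_FIXED  = (||| i : Ids @ FIXED(i))  [| Shared |] VAR(0)

-- Race-freedom specification: every enter is matched by the same thread's
-- leave before any other enter may occur.
SAFE = enter?i -> leave!i -> SAFE

-- Hiding the flag traffic projects each system onto its access events.
assert SAFE [T= (SYS_BROKEN \ Shared)   -- fails: counterexample <enter.1, enter.2>
assert SAFE [T= (SYS_FIXED  \ Shared)   -- passes
```

    For the first assertion FDR reports a counterexample; after hiding, the trace is enter.1 followed by enter.2, which SAFE forbids, and the unhidden debug trace shows both threads reading 0 before either writes 1. The second assertion is written in the traces model deliberately: the busy-wait on tas in FIXED becomes an unbounded sequence of hidden events once Shared is hidden, so a failures-divergences check ([FD=) would report divergence on SYS_FIXED rather than anything about races. Whether [T= is enough, or whether the model must be restructured so that [FD= is meaningful, is exactly the kind of choice the flash-memory paper below discusses.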


    Modelling flash devices with FDR: progress and limits

    We present our experience of working with the Failures-Divergence Refinement (FDR) toolkit while extending our modelling of the behaviour of flash memory. This effort is a step towards the low-level modelling of data-storage technology that is the target of the POSIX filestore mini-challenge. The key objective was to advance the previous work presented in [4,2] to cover the full Open NAND Flash Interface (ONFi) 2.1 model; the previous work covered a sub-model of the mandatory features of ONFi 1.0. The FDR toolkit was used for refinement/model checking. In addition to the compression techniques available in FDR, we also experimented with FDR Explorer, an application programming interface (API) that allowed us to get a better picture of FDR's performance. This paper summarises the progress we made and the limits we encountered. We are now able to verify many of the operations in the ONFi 2.1 model using full failures-divergence refinement checking rather than just trace refinement. Through the use of the compression techniques available in the FDR toolkit, and in particular by hiding events deeper in the model, we were able to compress the state space. The paper also reports the number of attempts needed to compile the full ONFi 2.1 model.

    Modelling and Integrating Formal Models: from Test Cases and Requirements Models

    The formal specification of a system, or its formal model, is an abstract way of representing its properties (characteristics). Formal methods are a branch of Software Engineering focused on developing systems with a formal specification of the system as the starting point. Initially, the advantages of using abstract notations before implementing the system were related only to a better understanding of the problem. Later it became evident that using abstract formal notations combined with model refinement techniques reduces development time and increases the quality of the resulting system. The testing phase is positively influenced by the use of formal methods. Research has been carried out to improve system quality using formal models and test cases. Once the properties of the system have been verified by investigating the formal models, it is possible to generate reliable test cases for the system, which are then put into action to check the system's implementation later. The research field that explores formal methods applied to software testing is called Model-Based Testing, or simply MBT. However, there are situations in which it is not possible to have the abstract model defined a priori. To overcome this restriction, other techniques have emerged to synthesise an abstract model from system executions alone. The executions of a system contain the behaviours needed to build an abstract model of that system. In the current literature, such techniques for building abstract representations from system executions are called Anti-Model-Based Testing, or simply Anti-MBT. Then, after building an abstract model, model-checking techniques and test-case generation from formal models can be applied as usual.
    The purpose of this work is to support some MBT techniques used in the context of Motorola (CIn/BTC). In such techniques, the specifications used to generate test cases are generally incomplete, inconsistent, and sometimes do not exist at all. Therefore, using real test cases of the system it is possible to create new specifications and to update the system's original specifications, and later to generate new test cases from valid system behaviours. Another problem detected in our context is the distance between abstract and real representations. An abstract test case, for example, is useful in formal techniques, but it cannot be executed directly on the system. Thus, in order to execute (manually or automatically) the test cases generated by MBT techniques, it is first necessary to translate them into a real representation. As a result of this work we developed formal techniques for modelling system behaviour from test cases. The outputs of the modelling techniques are formal models specified in the LTS or CSP formalisms. In addition, we defined a unification technique that merges formal models generated from different system artefacts (requirements and test cases). The result of the unification technique is a complete, unified model of the system that contains information from the different artefacts. We also defined a technique for translating abstract test cases into real representations. The real test cases generated by our translation technique are used in the context of Motorola's test automation team, where this work is situated. Finally, we automated the developed techniques using programming languages and formal specifications. The result is the TCRev tool, which is able to model, unify and translate system models. The TCRev tool interacts with other external tools, such as FDR and FDR Explorer.
    All results were validated in real case studies carried out in the Motorola context. In this dissertation we present one of these case studies.