Using formal methods to support testing

Formal methods and testing are two important approaches that assist in the development of high quality software. While traditionally these approaches have been seen as rivals, in recent years a new consensus has developed in which they are seen as complementary. This article reviews the state of the art regarding ways in which the presence of a formal specification can be used to assist testing

When are Stochastic Transition Systems Tameable?

A decade ago, Abdulla, Ben Henda and Mayr introduced the elegant concept of decisiveness for denumerable Markov chains [1]. Roughly speaking, decisiveness allows one to lift most good properties from finite Markov chains to denumerable ones, and therefore to adapt existing verification algorithms to infinite-state models. Decisive Markov chains however do not encompass stochastic real-time systems, and general stochastic transition systems (STSs for short) are needed. In this article, we provide a framework to perform both the qualitative and the quantitative analysis of STSs. First, we define various notions of decisiveness (inherited from [1]), notions of fairness and of attractors for STSs, and make explicit the relationships between them. Then, we define a notion of abstraction, together with natural concepts of soundness and completeness, and we give general transfer properties, which will be central to several verification algorithms on STSs. We further design a generic construction which will be useful for the analysis of {\omega}-regular properties, when a finite attractor exists, either in the system (if it is denumerable), or in a sound denumerable abstraction of the system. We next provide algorithms for qualitative model-checking, and generic approximation procedures for quantitative model-checking. Finally, we instantiate our framework with stochastic timed automata (STA), generalized semi-Markov processes (GSMPs) and stochastic time Petri nets (STPNs), three models combining dense-time and probabilities. This allows us to derive decidability and approximability results for the verification of these models. Some of these results were known from the literature, but our generic approach permits to view them in a unified framework, and to obtain them with less effort. We also derive interesting new approximability results for STA, GSMPs and STPNs.Comment: 77 page

Ontology View on Automata Theory

The summary of automata theory ontology is presented in the paper. It is based on the following dependences: a type of an automaton – the language accepted by the automaton – applications. The given ontology does not claim to be exhaustive as automata theory is very extensive and it is a complicated problem to survey all its aspects within one article. Only the main properties of automata and their applications are considered

Scheduling Induced Bounds and the Verification of Preemptive Real-Time Systems

Distributed real-time and embedded (DRE) systems have stringent constraints on timeliness and other properties whose assurance is crucial to correct system behavior. Our previous research has shown that detailed models of essential middleware mechanisms can be developed, composed, and for constrained examples verified tractably, using state of the art timed automata model checkers. However, to apply model checking to a wider range of real-time systems, particularly those involving more general forms of preemptive concurrency, new techniques are needed to address decidability and tractability concerns. This paper makes three contributions to research on formal verification and validation of DRE systems. First, it describes how bounded fair scheduling policies introduce a quasi-cyclic structure in the state space of multi-threaded real-time systems. Second, it shows that bounds on the divergence of threads\u27 execution can be determined for that quasi-cyclic structure, which then can be exploited to reduce the complexity of model checking. Third, it presents a case study involving progress-based fair scheduling of multi-threaded processing pipelines, with which the approach is evaluated

Wendy, the Good Little Fairness Widget

The advent of decentralized trading markets introduces a number of new challenges for consensus protocols. In addition to the `usual' attacks -- a subset of the validators trying to prevent disagreement -- there is now the possibility of financial fraud, which can abuse properties not normally considered critical in consensus protocols. We investigate the issues of attackers manipulating or exploiting the order in which transactions are scheduled in the blockchain. More concretely, we look into relative order fairness, i.e., ways we can assure that the relative order of transactions is fair. We show that one of the more intuitive definitions of fairness is impossible to achieve. We then present Wendy, a group of low overhead protocols that can implement different concepts of fairness. Wendy acts as an additional widget for an existing blockchain, and is largely agnostic to the underlying blockchain and its security assumptions. Furthermore, it is possible to apply a the protocol only for a subset of the transactions, and thus run several independent fair markets on the same chain

A Unifying View of Loosely Time-Triggered Architectures

Cyber-Physical Systems require distributed architectures to support safety critical real-time control. Hermann Kopetz' Time-Triggered Architecture (TTA) has been proposed as both an architecture and a comprehensive paradigm for systems architecture, for such systems. TTA offers the programmer a logical discrete time compliant with synchronous programming, together with timing bounds. A clock synchronization protocol is required, unless the local clocks used themselves provide the recquired accuracy. To relax the strict requirements on synchronization imposed by TTA, Loosely Time-Triggered Architectures (LTTA) have been proposed. In LTTA, computation and communication units are all triggered by autonomous, unsynchronized, clocks. Communication media act as shared memories between writers and readers and communication is non blocking. This is at the price of communication artifacts (such as duplication or loss of data), which must be compensated for by using some "LTTA protocol". In this paper we pursue our previous work by providing a unified presentation of the two variants of LTTA (token- and time-based), with simplified analyses. We compare these two variants regarding performance and robustness and we provide ways to combine them. This report was prepared for a lecture in Gérard Berry's seminar series at the Collège de France, March 5, 2014; it is a corrected version of a paper, which appeared at Emsoft'2010. It is dedicated to our close friend Paul Caspi who died in April 2012.Les infrastructures de calcul distribuées pour le contrôle des systèmes embarqués critiques requièrent des propriétés particulières destinées à préserver les caractéristiques attendues du contrôleur. Les architectures TTA (Time-Triggered Architectures) ont été proposées par Hermann Kopetz, à la fois comme une architecture de calcul et comme une méthodologie de conception des systèmes. TTA offre au programmeur un temps logique conforme à celui de la programmation synchrone, avec en outre un contrôle strict du temps. Il requiert un protocole de synchronisation entre les horloges du système réparti. Pour affaiblir ces hypothèses, les architectures LTTA (Loosely Time-Triggered Architectures) ont été proposées récemment. Dans LTTA, les calculs et les communications sont rythmées par des horloges locales, non synchronisées. Les supports de communication se comportent comme des mémoires partagées. La communication est donc non-bloquante. Ce type de communiccation crée évidemment des artefacts à combattre par un protocole dit "LTTA". Dans cet article nous présentons une approche unifiée des deux techniques connues pour ce type de protocole, reposant sur l'usage, soit de jetons, soit du temps. On compare ces deux variantes et on étudie leur performance. Le présent rapport est une version corrigée d'un article paru à Emsoft'2010. Il est dédié à notre très cher ami Paul Caspi, décédé en Avril 2012