Automated Verification of Specifications with Typestates and Access Permissions

We propose an approach to formally verify Plural specifications based on access permissions and typestates, by model-checking automatically generated abstract state-machines. Our exhaustive approach captures all the possible behaviors of abstract concurrent programs implementing the specification. We describe the formal methodology employed by our technique and provide an example as proof of concept for the state-machine construction rules. The implementation of a fully automated algorithm to generate and verify models, currently underway, provides model checking support for the Plural tool, which currently supports only program verification via data flow analysis (DFA)

A state/event-based model-checking approach for the analysis of abstract system properties.

AbstractWe present the UMC framework for the formal analysis of concurrent systems specified by collections of UML state machines. The formal model of a system is given by a doubly labelled transition system, and the logic used to specify its properties is the state-based and event-based logic UCTL. UMC is an on-the-fly analysis framework which allows the user to interactively explore a UML model, to visualize abstract behavioural slices of it and to perform local model checking of UCTL formulae. An automotive scenario from the service-oriented computing (SOC) domain is used as case study to illustrate our approach

AsmetaF: A Flattener for the ASMETA Framework

Abstract State Machines (ASMs) have shown to be a suitable high-level specification method for complex, even industrial, systems; the ASMETA framework, supporting several validation and verification activities on ASM models, is an example of a formal integrated development environment. Although ASMs allow modeling complex systems in a rather concise way -and this is advantageous for specification purposes-, such concise notation is in general a problem for verification activities as model checking and theorem proving that rely on tools accepting simpler notations. In this paper, we propose a flattener tool integrated in the ASMETA framework that transforms a general ASM model in a flattened model constituted only of update, parallel, and conditional rules; such model is easier to map to notations of verification tools. Experiments show the effect of applying the tool to some representative case studies of the ASMETA repository.Comment: In Proceedings F-IDE 2018, arXiv:1811.09014. The first two authors are supported by ERATO HASUO Metamathematics for Systems Design Project (No. JPMJER1603), JST. Funding Reference number: 10.13039/501100009024 ERAT

Counter-constrained finite state machines: modelling component protocols with resource-dependencies

This report deals with the specification of software component protocols (i.e., the set of service call sequences). The contribution of this report is twofold: (a) We discuss specific requirements of real-world protocols, especially in the presence of components wich make use of limited resources. (b) We define counter-constrained finite state machines (CC-FSMs), a novel extension of finite state machines, specifically created to model protocols having dependencies between services due to their access to shared resources. We provide a theoretical framework for reasoning and analysing CC-FSMs. Opposed to finite state machines and other approaches, CC-FSMs combine two valuable properties: (a) CC-FSMs are powerful enough to model realistic component protocols with resource allocation, usage, and de-allocation dependencies between methods (as occurring in common abstract datatypes such as stacks or queues) and (b) CC-FSMs have a decidabile equivalence- and inclusion problem as proved in this report by providing algorithms for efficient checking equivalence and inclusion. These algorithms directly lead to efficient checks for component interoperability and substitutability. Keywords: software component protocols, finite state machine extension, decidable inclusion check, interoperability, substitutability

An Abort-Aware Model of Transactional Programming

Abstract. There has been a lot of recent research on transaction-based concurrent programming, aimed at offering an easier concurrent programming paradigm that enables programmers to better exploit the parallelism of modern multi-processor machines, such as multi-core microprocessors. We introduce Transactional State Machines (TSMs) as an abstract finite-data model of transactional shared-memory concurrent programs. TSMs are a variant of concurrent boolean programs (or concurrent extended recursive state machines) augmented with additional constructs for specifying potentially nested transactions. Namely, some procedures (or code segments) can be marked as transactions and are meant to be executed “atomically”, and there are also explicit commit and abort operations for transactions. The TSM model is non-blocking and allows interleaved executions where multiple processes can simultaneously be executing inside transactions. It also allows nested transactions, transactions which may never terminate, and transactions which may be aborted explicitly, or aborted automatically by the run-time environment due to memory conflicts. We show that concurrent executions of TSMs satisfy a correctness criterion closely related to serializability, which we call stutter-serializability, with respect to shared memory. We initiate a study of model checking problems for TSMs. Model checking arbitrary TSMs is easily seen to be undecidable, but we show it is decidable in the following case: when recursion is exclusively used inside transactions in all (but one) of the processes, we show that model checking such TSMs against all stutterinvariant ω-regular properties of shared memory is decidable.

Automated Verification of Specifications with Typestates and Access Permissions

We propose an approach to formally verify Plural specifications  of concurrent programs based on access permissions and  typestates, by model-checking automatically generated abstract  state-machines. Our approach captures all possible relevant  behaviors of abstract concurrent programs implementing the  specification. We describe the formal methodology employed in  our technique and provide an example as proof of concept for the  state-machine construction rules.  We implemented the fully automated algorithm to generate and  verify models as a freely available plug-in of the Plural tool,  called Pulse.  We tested Pulse on the full specification of a  Multi Threaded Task Server commercial application and showed  that this approach scales well and is efficient in finding  errors in specifications that could not be previously detected  with the Data Flow Analysis (DFA) capabilities of Plural

An abort-aware model of transactional programming

Abstract There has been a lot of recent research on transaction-based concurrent programming, aimed at offering an easier concurrent programming paradigm that enables programmers to better exploit the parallelism of modern multi-processor machines, such as multi-core microprocessors. We introduce Transactional State Machines (TSMs) as an abstract finite-data model of transactional shared-memory concurrent programs. TSMs are a variant of concurrent boolean programs (or concurrent extended recursive state machines) augmented with additional constructs for specifying potentially nested transactions. Namely, some procedures (or code segments) can be marked as transactions and are meant to be executed “atomically”, and there are also explicit commit and abort operations for transactions. The TSM model is non-blocking and allows interleaved executions where multiple processes can simultaneously be executing inside transactions. It also allows nested transactions, transactions which may never terminate, and transactions which may be aborted explicitly, or aborted automatically by the run-time environment due to memory conflicts. We show that concurrent executions of TSMs satisfy a correctness criterion closely related to serializability, which we call stutter-serializability, with respect to shared memory. We initiate a study of model checking problems for TSMs. Model checking arbitrary TSMs is easily seen to be undecidable, but we show it is decidable in the following case: when recursion The work of K. Etessami was done partly while visiting Microsof

A Toolset for Supporting UML Static and Dynamic Model Checking

The Unified Modeling Language has become widely accepted as a standard in software development. Several tools have been produced to support UML model validation. However, most of them support either static or dynamic model checking; and no tools support to check both static and dynamic aspects of a UML model . But a UML model should include the static and dynamic aspects of a software system. Furthermore, these UML tools translate a UML model into a validation language such as PROMELA. But they have some shortcomings: there is no proof of correctness (with respect to the UML semantics) for these tools. In order to overcome these shortcomings, we present a toolset which can validate both static and dynamic aspects of a model; and this toolset is based on the semantic model using Abstract State Machines. Since the toolset is derived from the semantic model, the toolset is correct with respect to the semantic model

On the Transformation of SystemC to AsmL Using Abstract Interpretation

SystemC is among a group of system level design languages proposed to raise the abstraction level for embedded system design and verification. A straight and sound verification by model checking or theorem proving of SystemC designs is, however, infeasible given the object-oriented nature of this library and the complexity of its simulation environment. We illustrated, in a previous work, the feasibility and success of performing model checking and assertions monitors generation of SystemC using a variant of Abstract State Machines (ASM) languages (AsmL). In this paper, we establish the soundness of our approach by proving the correctness of the transformation from SystemC to AsmL

First order model checking of w-Automata using multiway decision graphs

As the complexity of hardware digital systems increases, their correctness becomes a major concern. Traditional verification by simulation is infeasible to exhaustively test and guarantee correctness. More than a decade ago, however, formal verification has been introduced as complement technique to simulation. Formal methods establish that a design implementation satisfies its specification by mathematical reasoning. Among several techniques, model checking is one of the most successful technology, which is based on the exploration of the design state space. In this thesis, we propose a new model checking method based on the theory of }-automata and multiway decision graphs (MDGs). Unlike reduced ordered binary decision diagrams (ROBDDs), MDGs allow system models to be described using abstract state machines (ASMs) through abstract data sorts and uninterpreted function symbols, hence enabling the verification of larger designs independent of the datapath width. Given an ASM and a first-order linear time temporal logic property, the model checking problem proposed in this thesis is reduced to a language emptiness checking of an }-automaton that accepts all }-words produced by the system violating the property formula. The checking method comprises four steps: (1) transforming the first-order property into a propositional formula by constructing ASMs for the atomic formulas of the property; (2) generating an }-automaton from the negation of the transformed propositional formula; (3) computing the product of the generated automaton, the system model ASM and the constructed ASMs; and (4) applying a language emptiness checking algorithm on the product automaton. Three different checking algorithms have been developed, implemented, and proved correct in this thesis. To evaluate the performance of the proposed model checking method and implemented tool, we conducted several experimentations and case studies. We also compared the efficiency of our tool with an existing MDG regular model checking application, as well as with popular ROBDD-based automata model checking tools such as VIS. Our model checker was found to be outperforming the above tools