101,758 research outputs found
Redevelopment of an industrial case study using Event-B and Rodin
CDIS is a commercial air traffic information system that was developed using formal methods 15 years ago by Praxis, and it is still in operation today. This system is an example of an industrial scale system that has been developed using formal methods. In particular, the functional requirements of the system were specified using VVSL -- a variant of VDM. A subset of the original specification has been chosen to be reconstructed on the Rodin platform based on the new Event-B formalism. The goal of our reconstruction was to overcome three key difficulties of the original formalisation, namely the difficulty of comprehending the original specification, the lack of any mechanical proof of the consistency of the specification and the difficulty of dealing with distribution and atomicity refinement. In this paper we elucidate how a new formal notation and tool can help to overcome these difficulties
Synthesizing Certified Code
Code certification is a lightweight approach for formally demonstrating software quality. Its basic idea is to require code producers to provide formal proofs that their code satisfies certain quality properties. These proofs serve as certificates that can be checked independently. Since code certification uses the same underlying technology as program verification, it requires detailed annotations (e.g., loop invariants) to make the proofs possible. However, manually adding annotations to the code is time-consuming and error-prone. We address this problem by combining code certification with automatic program synthesis. Given a high-level specification, our approach simultaneously generates code and all annotations required to certify the generated code. We describe a certification extension of AutoBayes, a synthesis tool for automatically generating data analysis programs. Based on built-in domain knowledge, proof annotations are added and used to generate proof obligations that are discharged by the automated theorem prover E-SETHEO. We demonstrate our approach by certifying operator- and memory-safety on a data-classification program. For this program, our approach was faster and more precise than PolySpace, a commercial static analysis tool
PVSio-web: a tool for rapid prototyping device user interfaces in PVS
We present PVSio-web which extends the simulation component of the PVS proof system with functionalities for rapid prototyping device user interfaces. The tool presents itself as a classic image-editing environment with functionalities such as area selection and hyperlink creation, thus reducing the barriers that prevent non-experts in formal methods from using PVS. Designers load a picture of the layout of the device user interface under development, specify interactive areas over the layout, and link them to a PVS specification. They can then explore the behaviour of the formal user interface specification through point-and-click interactions. The architecture of the tool is general, and can be used as the basis for extending other verification tools. A demonstration of the capabilities of PVSio-web is presented through an example based on a commercial medical device user interface. Our ultimate aim is to promote and facilitate the use of formal verification tools when developing device user interfaces
Proving Well-Definedness of JML Specifications with KeY
Specification methods in formal program verification enable the enhancement of source code with formal annotations as to formally specify the behaviour of a program. This is a popular way in order to subsequently prove software to be
reliable and meet certain requirements, which is crucial for many applications and gains even more importance in modern society. The annotations can be taken as a contract, which then can be verified guaranteeing the specified program element – as a receiver – to fulfil this contract with its caller. However, these functional contracts can be problematic for partial functions, e.g., a division, as certain cases may be undefined, as in this example a division by zero. Modern programming languages such as Java handle undefined behaviour by casting an exception. There are several approaches to handle a potential undefinedness of specifications. In this thesis, we chose one which automatically generates formal proof obligations ensuring that undefined specification expressions will not be evaluated. Within this work, we elaborate on so-called Well-Definedness Checks dealing with undefinedness occurring in specifications of the modelling language JML/JML* in the KeY System, which is a formal software development tool providing mechanisms to deductively prove the before mentioned contracts. Advantages and delimitations are discussed and, furthermore, precise definitions as well as a fully functional implementation within KeY are given. Our work covers the major part of the specification elements currently supported by KeY, on the higher level including class invariants, model fields, method contracts, loop statements and block contracts. The process of checking the
well-definedness of a specification forms a preliminary step before the actual proof and rejects undefined specifications. We further contribute by giving a choice between two different semantics, both bearing different
advantages and disadvantages. The thesis also includes an extensive case study analysing many examples and measuring the performance of the implemented Well-Definedness Checks
Automated Verification of Specifications with Typestates and Access Permissions
We propose an approach to formally verify Plural specifications of concurrent programs based on access permissions and typestates, by model-checking automatically generated abstract state-machines. Our approach captures all possible relevant behaviors of abstract concurrent programs implementing the specification. We describe the formal methodology employed in our technique and provide an example as proof of concept for the state-machine construction rules. We implemented the fully automated algorithm to generate and verify models as a freely available plug-in of the Plural tool, called Pulse.  We tested Pulse on the full specification of a Multi Threaded Task Server commercial application and showed that this approach scales well and is efficient in finding errors in specifications that could not be previously detected with the Data Flow Analysis (DFA) capabilities of Plural
Automated Verification of Specifications with Typestates and Access Permissions
We propose an approach to formally verify Plural specifications based on access permissions and typestates, by model-checking automatically generated abstract state-machines. Our exhaustive approach captures all the possible behaviors of abstract concurrent programs implementing the specification. We describe the formal methodology employed by our technique and provide an example as proof of concept for the state-machine construction rules. The implementation of a fully automated algorithm to generate and verify models, currently underway, provides model checking support for the Plural tool, which currently supports only program verification via data flow analysis (DFA)
Parameterized verification of publish/subcribe protocols via Infinite-State Model Checking
We apply the Infinite-State Model Checking to formally specify and validate protocol skeletons for distributed systems with asynchronous communication and synchronous access to local data structures. More precisely, we validate the Redis Pub/Sub key-value Server. Redis is based on a publish-subscribe architecture used in Cloud Storage and Internet of Things ecosystems. For the considered protocol, we present a formal specification that combines ideas coming from round-based and shared-memory specification languages. The resulting model is validated via the SMT-based Infinite-state Model Checker Cubicle. In this setting we use unbounded arrays to model (1) arbitrary collections of publishers and subscribers, (2) unbounded shared memory used as a communication media between processes. Our model is validated using the symbolic backward reachability algorithm implemented in the tool. The peculiarity of the algorithm is that, upon termination, the resulting correctness proof is guaranteed to hold for every number of process instances
Model checking multi-agent systems
A multi-agent system (MAS) is usually understood as a system composed of interacting
autonomous agents. In this sense, MAS have been employed successfully as a modelling
paradigm in a number of scenarios, especially in Computer Science. However, the process
of modelling complex and heterogeneous systems is intrinsically prone to errors: for this
reason, computer scientists are typically concerned with the issue of verifying that a system
actually behaves as it is supposed to, especially when a system is complex.
Techniques have been developed to perform this task: testing is the most common technique,
but in many circumstances a formal proof of correctness is needed. Techniques
for formal verification include theorem proving and model checking. Model checking
techniques, in particular, have been successfully employed in the formal verification of
distributed systems, including hardware components, communication protocols, security
protocols.
In contrast to traditional distributed systems, formal verification techniques for MAS are
still in their infancy, due to the more complex nature of agents, their autonomy, and
the richer language used in the specification of properties. This thesis aims at making
a contribution in the formal verification of properties of MAS via model checking. In
particular, the following points are addressed:
• Theoretical results about model checking methodologies for MAS, obtained by
extending traditional methodologies based on Ordered Binary Decision Diagrams (OBDDS) for temporal logics to multi-modal logics for time, knowledge, correct behaviour, and strategies of agents. Complexity results for model checking these logics
(and their symbolic representations).
• Development of a software tool (MCMAS) that permits the specification and verification
of MAS described in the formalism of interpreted systems.
• Examples of application of MCMAS to various MAS scenarios (communication, anonymity, games, hardware diagnosability), including experimental results, and comparison with other tools available
Correct Transformation from CCSL to Promela for verification
Transforming a specification language into a language supported by a verification tool is a widely adopted way of doing formal verification. It enables the reuse of existing languages and tools. In this paper, we propose a correct transformation from CCSL to Promela to do formal verification by SPIN. To implement the transformation, we introduce "coincident instant" into Promela to deal with the discrete time in CCSL. Then we define property patterns to ensure that correctness properties are verified "coincident instant" by "coincident instant" during the verification. We define checkpoint transition systems (CTSs) to model source CCSL specifications and transformed Promel models. The proof of the correctness of our transformation relies on the checkpoint bisimulation defined over CTS. If a property is satisfied by a transformed Promela model, then it is satisfied by the source CCSL specification
- …