10,685 research outputs found
PLTL Partitioned Model Checking for Reactive Systems under Fairness Assumptions
We are interested in verifying dynamic properties of finite state reactive
systems under fairness assumptions by model checking. The systems we want to
verify are specified through a top-down refinement process. In order to deal
with the state explosion problem, we have proposed in previous works to
partition the reachability graph, and to perform the verification on each part
separately. Moreover, we have defined a class, called Bmod, of dynamic
properties that are verifiable by parts, whatever the partition. We decide if a
property P belongs to Bmod by looking at the form of the Buchi automaton that
accepts the negation of P. However, when a property P belongs to Bmod, the
property f => P, where f is a fairness assumption, does not necessarily belong
to Bmod. In this paper, we propose to use the refinement process in order to
build the parts on which the verification has to be performed. We then show
that with such a partition, if a property P is verifiable by parts and if f is
the expression of the fairness assumptions on a system, then the property f =>
P is still verifiable by parts. This approach is illustrated by its application
to the chip card protocol T=1 using the B engineering design language
Syntactic Abstraction of B Models to Generate Tests
In a model-based testing approach as well as for the verification of
properties, B models provide an interesting solution. However, for industrial
applications, the size of their state space often makes them hard to handle. To
reduce the amount of states, an abstraction function can be used, often
combining state variable elimination and domain abstractions of the remaining
variables. This paper complements previous results, based on domain abstraction
for test generation, by adding a preliminary syntactic abstraction phase, based
on variable elimination. We define a syntactic transformation that suppresses
some variables from a B event model, in addition to a method that chooses
relevant variables according to a test purpose. We propose two methods to
compute an abstraction A of an initial model M. The first one computes A as a
simulation of M, and the second one computes A as a bisimulation of M. The
abstraction process produces a finite state system. We apply this abstraction
computation to a Model Based Testing process.Comment: Tests and Proofs 2010, Malaga : Spain (2010
Provably correct Java implementations of Spi Calculus security protocols specifications
Spi Calculus is an untyped high level modeling language for security protocols, used for formal protocols specification and verification. In this paper, a type system for the Spi Calculus and a translation function are formally defined, in order to formalize the refinement of a Spi Calculus specification into a Java implementation. The Java implementation generated by the translation function uses a custom Java library. Formal conditions on such library are stated, so that, if the library implementation code satisfies such conditions, then the generated Java implementation correctly simulates the Spi Calculus specification. A verified implementation of part of the custom library is further presente
Refinement sensitive formal semantics of state machines with persistent choice
Modeling languages usually support two kinds of nondeterminism, an external one for interactions of a system with its environment, and one that stems from under-specification as familiar in models of behavioral requirements. Both forms of nondeterminism are resolvable by composing a system with an environment model and by refining under-specified behavior (respectively). Modeling languages usually dont support nondeterminism that is persistent in that neither the composition with an environment nor refinements of under-specification will resolve it. Persistent nondeterminism is used, e.g., for modeling faulty systems. We present a formal semantics for UML state machines enriched with an operator persistent choice that models persistent nondeterminism. This semantics is based on abstract models - Ī¼-automata with a novel refinement relation - and a sound three-valued satisfaction relation for properties expressed in the Ī¼-calculus. Ā© 2009 Elsevier B.V. All rights reserved
The composition of Event-B models
The transition from classical B [2] to the Event-B language and method [3] has seen the removal of some forms of model structuring and composition, with the intention of reinventing them in future. This work contributes to thatreinvention. Inspired by a proposed method for state-based decomposition and refinement [5] of an Event-B model, we propose a familiar parallel event composition (over disjoint state variable lists), and the less familiar event fusion (over intersecting state variable lists). A brief motivation is provided for these and other forms of composition of models, in terms of feature-based modelling. We show that model consistency is preserved under such compositions. More significantly we show that model composition preserves refinement
An Operator-based Approach to Incremental Development of Conform Protocol State Machines
An incremental development framework which supports a conform construction of Protocol State Machines (PSMs) is presented. We capture design concepts and strategies of PSM construction by sequentially applying some development operators: each operator makes evolve the current PSM to another one. To ensure a conform construction, we introduce three conformance relations, inspired by the specification refinement and specification matchings supported by formal methods. Conformance relations preserve some global behavioral properties. Our purpose is illustrated by some development steps of the card service interface of an electronic purse: for each step, we introduce the idea of the development, we propose an operator and we give the new specification state obtained by the application of this operator and the property of this state relatively to the previous one in terms of conformance relation
Concurrent Data Structures Linked in Time
Arguments about correctness of a concurrent data structure are typically
carried out by using the notion of linearizability and specifying the
linearization points of the data structure's procedures. Such arguments are
often cumbersome as the linearization points' position in time can be dynamic
(depend on the interference, run-time values and events from the past, or even
future), non-local (appear in procedures other than the one considered), and
whose position in the execution trace may only be determined after the
considered procedure has already terminated.
In this paper we propose a new method, based on a separation-style logic, for
reasoning about concurrent objects with such linearization points. We embrace
the dynamic nature of linearization points, and encode it as part of the data
structure's auxiliary state, so that it can be dynamically modified in place by
auxiliary code, as needed when some appropriate run-time event occurs. We name
the idea linking-in-time, because it reduces temporal reasoning to spatial
reasoning. For example, modifying a temporal position of a linearization point
can be modeled similarly to a pointer update in separation logic. Furthermore,
the auxiliary state provides a convenient way to concisely express the
properties essential for reasoning about clients of such concurrent objects. We
illustrate the method by verifying (mechanically in Coq) an intricate optimal
snapshot algorithm due to Jayanti, as well as some clients
- ā¦