Proving safety properties of software

The use of software is pervasive in areas as diverse as aerospace, automotive, chemical processes, civil infrastructure, energy, health-care, manufacturing, transportation, entertainment, and consumer appliances. Our safety, security, and economy are now closely linked to the reliability of software. This research is about a technique to prove event-based safety properties of program. A safety property is defined in terms of event traces. An event trace is associated with an execution path and it is the sequence of events that execute on the path. Each event is identified with a program statement or a block of statements. Particularly, this research has been focused on one type of problem that follows one type of safety property we call matching pair (MP) property. Memory leaks, asymmetric synchronization, and several other defects are examples of violation of the matching pair property. The property involves matching between two types of events on every execution path. We present a practical method to validate the MP property for large software. The method is designed to address the challenges resulting from the cross-cutting semantics and presence of invisible control flow. The method has two phases: the macro phrase and the micro phrase. The macro analysis phase incorporates important notions of signature and matching pair graph (MPG). Signatures enable a decomposition of the problem into small independent instances for validation, each identified by a unique signature. The MPG(X) defines for each signature X, a minimal set of functions to be analyzed for validating the instance. The micro analysis phase produces the event traces graph representing all the relevant execution paths through the functions belonging to a MPG(X). A fast and accurate analysis of large software is possible because the macro analysis can exactly identify the functions that need to be analyzed and the micro analysis further greatly reduces the amount of analysis required to cover all execution paths by creating event trace graph (ETG) from the control flow graph (CFG). We applied macro level analysis on eight versions of Linux kernels spanning for three years. We further calculated ETGs for all functions identified by macro analysis for three versions of Linux. With the combination of macro and micro analysis, we were able to prove the correctness of more than 90% of the synchronization instances in the Linux kernel. For each remaining case, we produced relevant ETGs for the further investigation by human experts

Specification of software component requirements using the trace function method.

This paper describes the application of the Trace Function Method to specify the requirements of a software component. We illustrate the method on a software component of a telecommunications system that was developed by Ericsson. Beginning with incomplete informal descriptions, we analysed the requirements of the system and wrote a description that contains all pertinent information in one easily used reference document. The resulting documentation is more compact and complete than traditional software documentation and provides precise information that will be useful for testing and inspection

Specification of Software Component Requirements Using the Trace Function Method

Abstract — This paper describes the application of the Trace Function Method to specify the requirements of a software component. We illustrate the method on a software component of a telecommunications system that was developed by Ericsson. Beginning with incomplete informal descriptions, we analysed the requirements of the system and wrote a description that contains all pertinent information in one easily used reference document. The resulting documentation is more compact and complete than traditional software documentation and provides precise information that will be useful for testing and inspection. I