
    Constraint-Oriented Style in LOTOS

    The concept of a constraint-oriented specification style is presented in general terms and with respect to the ISO Formal Description Technique LOTOS (Language Of Temporal Ordering Specification). The constraint-oriented style has proven very suitable for specifying the abstract, implementation-independent behaviour of systems in a modular fashion. The essential idea behind constraint-oriented specification is separation of concerns, which is facilitated by the behaviour combinators of LOTOS. The constraint-oriented style is illustrated by giving a highly-structured specification in LOTOS of the well-known AB (Alternating Bit) Protocol.

    The Invoicing Case Study in (E-)LOTOS

    The informal requirements for the invoicing case study are analysed and interpreted. This leads to a high-level specification architecture that can be formalised. Specifications are presented in LOTOS (Language Of Temporal Ordering Specification). For comparison, specifications are also presented in E-LOTOS (Enhancements to LOTOS), the new version of LOTOS currently being standardised. Since LOTOS allows a balance to be struck between process-oriented and data-oriented modelling, specifications in both styles are given. The resulting specifications are evaluated in the context of LOTOS and formal approaches more generally.

    Rigorous object-oriented analysis

    Object-oriented methods for analysis, design and programming are commonly used by software engineers. Formal description techniques, however, are mainly used in a research environment. We have investigated how rigour can be introduced into the analysis phase of the software development process by combining object-oriented analysis (OOA) methods with formal description techniques. The main topics of this investigation are a formal interpretation of the OOA constructs using LOTOS, a mathematical definition of the basic OOA concepts using a simple denotational semantics and a new method for object-oriented analysis that we call the Rigorous Object-Oriented Analysis method (ROOA). The LOTOS interpretation of the OOA concepts is an intrinsic part of the ROOA method. It was designed in such a way that software engineers with no experience in LOTOS can still use ROOA. The denotational semantics of the concepts of object-oriented analysis illuminates the formal syntactic transformations within ROOA and guarantees that the basic object-oriented concepts can be understood independently of the specification language we use. The ROOA method starts from a set of informal requirements and an object model and produces a formal object-oriented analysis model that acts as a requirements specification. The resulting formal model integrates the static, dynamic and functional properties of a system, in contrast to existing OOA methods which are informal and produce three separate models that are difficult to integrate and keep consistent. ROOA provides a systematic development process by proposing a set of rules to be followed during the analysis phase. During the application of these rules, auxiliary structures are created to help in tracing the requirements through to the final formal model. As LOTOS produces executable specifications, prototyping can be used to check the conformance of the specification against the original requirements and to detect inconsistencies, omissions and ambiguities early in the development process.

    Mixing formal specifications using ICL (interconnection language)

    There is an increasing need and desire to develop systems by combining components that are written in different languages and/or run on different kinds of machines. Success largely depends on the ability of their components to communicate and work together despite their differing backgrounds. This thesis addresses the problem of mixing two formal specification languages, SDL and LOTOS. Various approaches to mixing specification languages are examined, including the SPECS approach, which is presented in more detail. A unique feature of the SPECS approach is the support of multiple specification languages, including the ability to mix specification languages within a given system design. This area of research investigates the SPECS-specific mixing language ICL (Interconnection Language). The thesis looks at two formal languages, one of an asynchronous nature (SDL) and one of a synchronous nature (LOTOS), which can be combined using the Interconnection Language. A set of rules is also given to produce this formal mixing specification from less formal descriptions. These rules use a range of informal representations and rigorous models of the required system to produce the ICL specification. An application of these rules is presented. This research work was carried out as part of DCU’s contribution to the SPECS (Specification and Programming Environment for Communication Software) project, part of the RACE program of the EC. SPECS’s aim was to automate the software development process, as much as possible, by using formal languages. An overview of the SPECS project is presented in chapter 1 of this thesis.

    Verification of LOTOS Specifications Using Term Rewriting Techniques

    Recently the use of formal methods in describing and analysing the behaviour of (computer) systems has become more common. This has resulted in the proliferation of a wide variety of different specification formalisms, together with analytical techniques and methodologies for specification development. The particular specification formalism adopted for this study is LOTOS, an ISO standard formal description technique. Although there are many works dealing with how to write LOTOS specifications and how to develop a LOTOS specification from the initial abstract requirements specification to concrete implementation, relatively few works are concerned with the problems of expressing and proving the correctness of LOTOS specifications, i.e. verification. The main objective of this thesis is to address this shortfall by investigating the meaning of verification as it relates to concurrent systems in general, and in particular to those systems described using LOTOS. Further goals are to automate the verification process using equational reasoning and term rewriting, and also to attempt to make the results of this work, both theoretical and practical, as accessible to LOTOS practitioners as possible. After introducing the LOTOS language and related formalisms, the thesis continues with a survey of approaches to verification of concurrent systems with a view to identifying those approaches suitable for use in verification of properties of systems specified using LOTOS. Both general methodology and specific implementation techniques are considered. As a result of this survey, two useful approaches are identified. Both are based on the technique of expressing the correctness of a LOTOS specification by comparison with another, typically more abstract, specification. The second approach, covered later in the thesis, uses logic for the more abstract specification.
    The main part of the thesis is concerned with the first approach, in which both specifications are described in LOTOS, and the comparison is expressed by a behavioural equivalence or preorder relation. This approach is further explored by means of proofs based on the paradigm of equational reasoning, implemented by term rewriting. Initially, only Basic LOTOS (i.e. the process algebra) is considered. A complete (i.e. confluent and terminating) rule set for weak bisimulation congruence over a subset of Basic LOTOS is developed using RRL (Rewrite Rule Laboratory). Although fully automatic, this proof technique is found to be insufficient for anything other than finite toy examples. In order to give more power, the rule set is supplemented by an incomplete set of rules expressing the expansion law. The incompleteness of the rule set necessitates the use of a strategy in applying the rules, as indiscriminate application of the rules may lead to non-termination of the rewriting. A case study illustrates the use of these rules, and also the effect of different interpretations of the verification requirement on the outcome of the proof. This proof technique, as a result of the deficiencies of the tool on which it is based, has two major failings: an inability to handle recursion, and no opportunity for user control in the proof. Moving to a different tool, PAM (Process Algebra Manipulator), allows correction of these faults, but at the cost of automation. The new implementation acts merely as computerised pencil and paper, although tactics can be defined which allow some degree of automation. Equations may be applied in either direction, therefore completion is no longer as important. (Note that the tactic language could be used to describe a complete set of rules which would give an automatic proof technique, therefore some effort towards completion is still desirable. However, since LOTOS weak bisimulation congruence is undecidable, there can never be a complete rule set for deciding equivalence of terms from the full LOTOS language.) The composition of the rule set is reconsidered, with a view to using alternative axiomatisations of weak bisimulation congruence: two main axiomatisations are described and their relative merits compared. The axiomatisation of other LOTOS relations is also considered. In particular, we consider the pitfalls of axiomatising the cred preorder relation. In order to demonstrate the use of the PAM proof system developed, the case study, modified to use recursion, is re-examined. Four other examples taken from the literature, one substantial, the others fairly small, are also investigated to further demonstrate the applicability of the PAM proof system to a variety of examples. The above approach considers Basic LOTOS only; to be more generally applicable, the verification of properties of full LOTOS specifications (i.e. including abstract data types) must also be studied. Methods for proving the equivalence of full LOTOS specifications are examined, including a modification of the technique used successfully above. The application of this technique is illustrated via proofs of the equivalence of three variants of the well-known stack example.

    Towards reduction of Paradigm coordination models

    The coordination modelling language Paradigm addresses collaboration between components in terms of dynamic constraints. Within a Paradigm model, component dynamics are consistently specified at a detailed and a global level of abstraction. To enable automated verification of Paradigm models, a translation of Paradigm into process algebra has been defined in previous work. In this paper we investigate, guided by a client-server example, reduction of Paradigm models based on a notion of global inertness. Representation of Paradigm models as process algebraic specifications helps to establish a property-preserving equivalence relation between the original and the reduced Paradigm model. Experiments indicate that in this way larger Paradigm models can be analyzed.
    Comment: In Proceedings PACO 2011, arXiv:1108.145

    The Image of Impact in Literature, Media, and Society: 2020 SASSI Conference Proceedings
