57,061 research outputs found
Towards an I/O Conformance Testing Theory for Software Product Lines based on Modal Interface Automata
We present an adaptation of input/output conformance (ioco) testing
principles to families of similar implementation variants as appearing in
product line engineering. Our proposed product line testing theory relies on
Modal Interface Automata (MIA) as behavioral specification formalism. MIA
enrich I/O-labeled transition systems with may/must modalities to distinguish
mandatory from optional behavior, thus providing a semantic notion of intrinsic
behavioral variability. In particular, MIA constitute a restricted, yet fully
expressive subclass of I/O-labeled modal transition systems, guaranteeing
desirable refinement and compositionality properties. The resulting modal-ioco
relation defined on MIA is preserved under MIA refinement, which serves as
variant derivation mechanism in our product line testing theory. As a result,
modal-ioco is proven correct in the sense that it coincides with traditional
ioco to hold for every derivable implementation variant. Based on this result,
a family-based product line conformance testing framework can be established.Comment: In Proceedings FMSPLE 2015, arXiv:1504.0301
An Iterative Abstraction Algorithm for Reactive Correct-by-Construction Controller Synthesis
In this paper, we consider the problem of synthesizing
correct-by-construction controllers for discrete-time dynamical systems. A
commonly adopted approach in the literature is to abstract the dynamical system
into a Finite Transition System (FTS) and thus convert the problem into a two
player game between the environment and the system on the FTS. The controller
design problem can then be solved using synthesis tools for general linear
temporal logic or generalized reactivity(1) specifications. In this article, we
propose a new abstraction algorithm. Instead of generating a single FTS to
represent the system, we generate two FTSs, which are under- and
over-approximations of the original dynamical system. We further develop an
iterative abstraction scheme by exploiting the concept of winning sets, i.e.,
the sets of states for which there exists a winning strategy for the system.
Finally, the efficiency of the new abstraction algorithm is illustrated by
numerical examples.Comment: A shorter version has been accepted for publication in the 54th IEEE
Conference on Decision and Control (held Tuesday through Friday, December
15-18, 2015 at the Osaka International Convention Center, Osaka, Japan
Formal Verification of Security Protocol Implementations: A Survey
Automated formal verification of security protocols has been mostly focused on analyzing high-level abstract models which, however, are significantly different from real protocol implementations written in programming languages. Recently, some researchers have started investigating techniques that bring automated formal proofs closer to real implementations. This paper surveys these attempts, focusing on approaches that target the application code that implements protocol logic, rather than the libraries that implement cryptography. According to these approaches, libraries are assumed to correctly implement some models. The aim is to derive formal proofs that, under this assumption, give assurance about the application code that implements the protocol logic. The two main approaches of model extraction and code generation are presented, along with the main techniques adopted for each approac
A synchronous program algebra: a basis for reasoning about shared-memory and event-based concurrency
This research started with an algebra for reasoning about rely/guarantee
concurrency for a shared memory model. The approach taken led to a more
abstract algebra of atomic steps, in which atomic steps synchronise (rather
than interleave) when composed in parallel. The algebra of rely/guarantee
concurrency then becomes an instantiation of the more abstract algebra. Many of
the core properties needed for rely/guarantee reasoning can be shown to hold in
the abstract algebra where their proofs are simpler and hence allow a higher
degree of automation. The algebra has been encoded in Isabelle/HOL to provide a
basis for tool support for program verification.
In rely/guarantee concurrency, programs are specified to guarantee certain
behaviours until assumptions about the behaviour of their environment are
violated. When assumptions are violated, program behaviour is unconstrained
(aborting), and guarantees need no longer hold. To support these guarantees a
second synchronous operator, weak conjunction, was introduced: both processes
in a weak conjunction must agree to take each atomic step, unless one aborts in
which case the whole aborts. In developing the laws for parallel and weak
conjunction we found many properties were shared by the operators and that the
proofs of many laws were essentially the same. This insight led to the idea of
generalising synchronisation to an abstract operator with only the axioms that
are shared by the parallel and weak conjunction operator, so that those two
operators can be viewed as instantiations of the abstract synchronisation
operator. The main differences between parallel and weak conjunction are how
they combine individual atomic steps; that is left open in the axioms for the
abstract operator.Comment: Extended version of a Formal Methods 2016 paper, "An algebra of
synchronous atomic steps
A synchronous program algebra: a basis for reasoning about shared-memory and event-based concurrency
This research started with an algebra for reasoning about rely/guarantee
concurrency for a shared memory model. The approach taken led to a more
abstract algebra of atomic steps, in which atomic steps synchronise (rather
than interleave) when composed in parallel. The algebra of rely/guarantee
concurrency then becomes an instantiation of the more abstract algebra. Many of
the core properties needed for rely/guarantee reasoning can be shown to hold in
the abstract algebra where their proofs are simpler and hence allow a higher
degree of automation. The algebra has been encoded in Isabelle/HOL to provide a
basis for tool support for program verification.
In rely/guarantee concurrency, programs are specified to guarantee certain
behaviours until assumptions about the behaviour of their environment are
violated. When assumptions are violated, program behaviour is unconstrained
(aborting), and guarantees need no longer hold. To support these guarantees a
second synchronous operator, weak conjunction, was introduced: both processes
in a weak conjunction must agree to take each atomic step, unless one aborts in
which case the whole aborts. In developing the laws for parallel and weak
conjunction we found many properties were shared by the operators and that the
proofs of many laws were essentially the same. This insight led to the idea of
generalising synchronisation to an abstract operator with only the axioms that
are shared by the parallel and weak conjunction operator, so that those two
operators can be viewed as instantiations of the abstract synchronisation
operator. The main differences between parallel and weak conjunction are how
they combine individual atomic steps; that is left open in the axioms for the
abstract operator.Comment: Extended version of a Formal Methods 2016 paper, "An algebra of
synchronous atomic steps
Model based safety analysis for an Unmanned Aerial System
This paper aims at describing safety architectures of autonomous systems by using Event-B formal method. The autonomous systems combine various activities which can be organised in layers. The Event-B formalism well supports the rigorous design of this kind of systems. Its refinement mechanism allows a progressive modelling by checking the correctness and the relevance of the models by discharging proof obligations. The application of the Event-B method within the framework of layered architecture specification enables the emergence of desired global properties with relation to layer interactions. The safety objectives are derived in each layer and they involve static and dynamic properties such as an independence property, a redundant property or a sequential property. The originality of our approach is to consider a refinement process between two layers in which the abstract model is the model of the lower layer. In our modelling, we distinguish nominal behaviour and abnormal behaviour in order to well establish failure propagation in our architecture
- …