Formal Methods Specification and Analysis Guidebook for the Verification of Software and Computer Systems

This guidebook, the second of a two-volume series, is intended to facilitate the transfer of formal methods to the avionics and aerospace community. The 1st volume concentrates on administrative and planning issues [NASA-95a], and the second volume focuses on the technical issues involved in applying formal methods to avionics and aerospace software systems. Hereafter, the term "guidebook" refers exclusively to the second volume of the series. The title of this second volume, A Practitioner's Companion, conveys its intent. The guidebook is written primarily for the nonexpert and requires little or no prior experience with formal methods techniques and tools. However, it does attempt to distill some of the more subtle ingredients in the productive application of formal methods. To the extent that it succeeds, those conversant with formal methods will also nd the guidebook useful. The discussion is illustrated through the development of a realistic example, relevant fragments of which appear in each chapter. The guidebook focuses primarily on the use of formal methods for analysis of requirements and high-level design, the stages at which formal methods have been most productively applied. Although much of the discussion applies to low-level design and implementation, the guidebook does not discuss issues involved in the later life cycle application of formal methods

Preliminary Design of JML: A Behavioral Interface Specification Language for Java

JML is a behavioral interface specification language tailored to Java(TM). Besides pre- and postconditions, it also allows assertions to be intermixed with Java code; these aid verification and debugging. JML is designed to be used by working software engineers; to do this it follows Eiffel in using Java expressions in assertions. JML combines this idea from Eiffel with the model-based approach to specifications, typified by VDM and Larch, which results in greater expressiveness. Other expressiveness advantages over Eiffel include quantifiers, specification-only variables, and frame conditions. This paper discusses the goals of JML, the overall approach, and describes the basic features of the language through examples. It is intended for readers who have some familiarity with both Java and behavioral specification using pre- and postconditions

Efficient computer-aided verification of parallel and distributed software systems

The society is becoming increasingly dependent on applications of distributed software systems, such as controller systems and wireless telecommunications. It is very difficult to guarantee the correct operation of this kind of systems with traditional software quality assurance methods, such as code reviews and testing. Formal methods, which are based on mathematical theories, have been suggested as a solution. Unfortunately, the vast complexity of the systems and the lack of competent personnel have prevented the adoption of sophisticated methods, such as theorem proving. Computerised tools for verifying finite state asynchronous systems exist, and they been successful on locating errors in relatively small software systems. However, a direct translation of software to low-level formal models may lead to unmanageably large models or complex behaviour. Abstract models and algorithms that operate on compact high-level designs are needed to analyse larger systems. This work introduces modelling formalisms and verification methods of distributed systems, presents efficient algorithms for verifying high-level models of large software systems, including an automated method for abstracting unneeded details from systems consisting of loosely connected components, and shows how the methods can be applied in the software development industry.reviewe

Larch/C++ Reference Manual

Larch/C++ is a notation for formally specifying the behavior and interfaces of C++ classes and functions. The goal of this reference manual is to precisely record the design of Larch/C++. We try to give examples and explanations, and we hope that these will be helpful to readers trying to learn about formal specification using Larch/C++

Abstraction Barriers and Refinement in the Polymorphic Lambda Calculus

This thesis examines specification refinement in the setting of polymorphic type theory and a complementary logic for relational parametricity. The starting point is the specification of abstract data types as done in the discipline of algebraic specification. Here, algebras are seen to match the standard notion of data type, i.e., a data representation together with operations on that data representation. An abstract data type is then a collection of data types sharing some well-defined abstract properties. In algebraic specification, these properties are specified algebraically by axioms in some suitable logic. Specification refinement then encompasses the idea that high-level specifications may be stepwise refined to executable programs that satisfy the initial specification; all in the framework of formal language and logic. This makes certain aspects of program development amenable to formal, computer-aided proofs of correctness. On the other hand, the discipline of type theory, lambda calculus, and its semantics is the prime field for research on programming languages. This framework is capable of characterising essentially any existing sequential programming-language feature, also advanced features such as recursive types, polymorphism and class-based object orientation. Furthermore, type theory provides a powerful framework for mechanised reasoning. This thesis is a contribution to lifting the idea of algebraic specification refinement into the more powerful domain of type theory and lambda calculus, thus giving the opportunity to expand in a sensible way a traditionally first order and functional framework to a wider range of programming aspects. We take a particular account of specification refinement and express it in a type-theoretic setting consisting of the polymorphic lambda calculus and a logic for relational parametricity. Key elements of algebraic specification are internalised in the syntax, e.g., data types viz. algebras are inhabitants of existential type, the latter providing essential data abstraction. For data types with only first-order operations, this setting automatically resolves certain issues of specification refinement, such as observational equivalence, stability and input sorts. After establishing a correspondence at first order, thus implanting the idea of algebraic specification refinement into the type-theoretic setting, the scene is set for lifting the idea of algebraic specification refinement to any number of programming features. In this thesis we focus on the generalisations to higher-order functions and to polymorphism. A simulation relation between two data types is a relation between their data representations that is preserved by their respective sets of operations. Using simulation relations is a classical way of explaining data refinement and observational equivalence. This combines with specification refinement to form specification refinement up to observational equivalence. With higher-order operations, however, we encounter in the logic a phenomenon related to what happens on the semantic level, i.e., the standard notion of refinement relation in the form of logical relations does not compose and the correspondence with observational equivalence is lost. In the logic it turns out that the standard notion of simulation relation fails to take into account a certain aspect of the abstraction barrier provided by existential types. We remedy this by proposing an alternative notion of simulation relation that observes this abstraction barrier more closely. We do this in two related ways; one relates to syntactic models while the other relates to a non-syntactic PER-model more apt for interpretive investigations. In algebraic specification, there is a universal proof method for specification refinement up to observational equivalence. This method can be imported soundly into the type-theoretic setting by asserting certain axioms. At first order, showing soundness for these axioms is straight-forward w.r.t. the standard parametric PER model for the logic. At higher order there are two problems. First, these axioms seemingly do not hold in the standard model. Secondly, the axioms speak in terms of simulation relations. At higher order, it is pertinent to have versions of the axioms featuring the abstraction barrier-observing simulation relations above, and to prove soundness for these poses an additional challenge. We show that the pure higher-order aspect of this problem can be solved by giving a setoid-based semantics. For the remaining task, we continue working from the observation that standard definitions do not observe abstraction barriers closely enough. Hence, we propose an alternative interpretation into the PER-model for data types that captures the abstraction barrier provided by existential types. The main contribution of this thesis is thus in generalising a prominent account of specification refinement to higher order and polymorphism via type theory incorporating relational parametricity. We also shed light on short-comings in the logic, as well as in the standard semantics, regarding the abstraction barrier provided by existential types. Two central contributions, namely abstraction barrier-observing simulation relations and abstraction barrier-observing semantics for data types, are the result of observing these short-comings. Finally, the work in this thesis also lays a foundation on which to adapt specification refinement to an object-oriented setting, because the theoretical concepts underlying object orientation can be seen as extensions of those for abstract data types

Data Refinement in Object-Oriented Verification

Data refinement is a special instance of refinement where a specification is refined by replacing the data type used in the specification. The theory of data refinement guarantees that this replacement does not adversely affect the functional behaviour of the programs that use these specifications. Object-oriented programming languages such as JML and Spec# support the specification and verification of object-oriented programs. We research their capabilities, identifying their strengths and weaknesses from both a specification and a tool-support point of view. This leads us to the conclusion that object-oriented specification languages should support a view of objects that abstracts away from the implementation details. We examine the specification and verification of programs that are written in this way, making use of existing language features, so that data refinements can be verified using existing verification tools. We propose a framework for the specification and verification of modular data refinement within an object-oriented environment. Objects are specified in terms of one data type and implemented in terms of another. Clients who interact with these objects are never concerned with the underlying implementation details as they interact directly with the abstract specification. A proof-of-concept tool is developed to demonstrate the viability and effectiveness of our proposed framework. This tool takes the form of an application that checks whether or not a program conforms to our framework for the modular data refinement of object-oriented programs

Specifying a forest harvest scheduling system which includes wood properties.

M. Sc. University of KwaZulu-Natal, Durban 2009.This dissertation aims to specify a forest harvest scheduling system which includes wood properties in the harvesting decisions for the long-term (strategic) planning horizon. This system will be used by plantation forestry companies which supply wood to pulp manufacturers, who desire a more uniform raw material entering pulp mills so that a more uniform product results. Vertically integrated forestry companies would benefit particularly, as the allocation of timber to mills, as well as the timber transport costs, are included in the system. It has been found from literature that only one forest harvest scheduling system exists which includes wood properties in the harvesting decision; however, this system was a short-term (operational) system. To our knowledge, no other system which includes wood properties in the harvesting decision has been reported. As the forest harvest scheduling system is affected by the forest, transport, mill and forest planning domains, their procedures and constraints, these domains were described first, and the forest harvest scheduling system described next. The system and the environments (or domains) were specified with two techniques: semi-formal and formal methods. The semi-formal method used the Zachman framework to structure the specification. The Business owner’s view of the system was used. This framework uses complementary models such as entity-relationship diagrams, business process diagrams and state charts to describe aspects of the same thing. The formal method specification used the Z notation which is based on set theory and predicate logic. The semi-formal and formal specifications together form a complementary specification. The semi-formal specification is more understandable by clients, but could contain inconsistencies. The formal specification is more precise, but because it uses mathematical notation, is not as well understood. The semi-formal specification describes more features, while the formal specification describes the features in depth. The forest harvest scheduling system specified uses wood properties in the harvesting and timber allocation decisions over the strategic planning horizon. When the system is implemented, wood having more uniform properties will be delivered to the mill, ensuring a more uniform pulp product