
    The VerCors tool for verification of concurrent programs

    The VerCors tool implements thread-modular static verification of concurrent programs, annotated with functional properties and heap access permissions. The tool supports both generic multithreaded and vector-based programming models. In particular, it can verify multithreaded programs written in Java, specified with JML extended with separation logic. It can also verify parallelizable programs written in a toy language that supports the characteristic features of OpenCL. The tool verifies programs by first encoding the specified program into a much simpler programming language and then applying the Chalice verifier to the simplified program. In this paper we discuss both the implementation of the tool and the features of its specification language.

    Run-Time Verification of Black-Box Components Using Behavioral Specifications: An Experience Report on Tool Development

    We introduce a generic component-based design of a run-time checker, identify its components and their requirements, and evaluate existing state-of-the-art tools instantiating each component.

    Special section on advances in reachability analysis and decision procedures: contributions to abstraction-based system verification

    Reachability analysis asks whether a system can evolve from legitimate initial states to unsafe states. It is thus a fundamental tool in the validation of computational systems, be they software, hardware, or a combination thereof. We recall a standard approach for reachability analysis, which captures the system in a transition system, forms another transition system as an over-approximation, and performs an incremental fixed-point computation on that over-approximation to determine whether unsafe states can be reached. We show this method to be sound for proving the absence of errors, and discuss its limitations for proving the presence of errors, as well as some means of addressing this limitation. We then sketch how program annotations for data integrity constraints and interface specifications, as in Bertrand Meyer's paradigm of Design by Contract, can facilitate the validation of modular programs, e.g., by obtaining more precise verification conditions for software verification supported by automated theorem proving. Then we recap how the decision problem of satisfiability for formulae of logics with theories, e.g., bit-vector arithmetic, can be used to construct an over-approximating transition system for a program. Programs with data types comprised of bit-vectors of finite width require bespoke decision procedures for satisfiability. Finite-width data types challenge the reduction of that decision problem to one that off-the-shelf tools can solve effectively, e.g., SAT solvers for propositional logic. In that context, we recall the Tseitin encoding, which converts formulae from that logic into conjunctive normal form, the standard input format for most SAT solvers, with only linear blow-up in the size of the formula, at the price of a linear increase in the number of variables. Finally, we discuss the contributions that the three papers in this special section make in the areas that we sketched above. © Springer-Verlag 2009
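The two techniques the abstract recalls, as an added illustration that is not code from the special section or its papers: an incremental fixed-point reachability check run on a concrete transition system and on two over-approximations of it, showing that the abstraction can only miss errors in one direction (a coarse abstraction raises a spurious alarm, a finer one proves the unsafe state unreachable), followed by a Tseitin encoding of a small propositional formula into CNF with one fresh variable per connective. The 3-bit counter system, the abstraction functions and the formulas are constructed here for the example.

```python
"""Added illustration (not code from the special-section paper): an
over-approximating reachability check on a hand-built counter system,
then a Tseitin encoding of a small formula into CNF. The transition
system, the abstraction functions and the formulas are constructed here."""
from itertools import product

STATES = range(8)          # concrete states: a 3-bit counter x
INIT = [0]
UNSAFE = 5                 # the single bad state we ask about


def concrete_step(x):
    return [(x + 2) % 8]   # x := x + 2 mod 8, so only even x are reachable


def reach_fixpoint(init, step):
    """Incremental least fixed point: grow the reachable set until stable."""
    seen, frontier = set(init), set(init)
    while frontier:
        frontier = {t for s in frontier for t in step(s) if t not in seen}
        seen |= frontier
    return seen


def analyse(alpha):
    """Run the fixed point on the concrete system and on the abstraction
    induced by alpha.  An abstract step relates alpha(x) to alpha(x') for
    every concrete x with that abstract value, which over-approximates."""
    def abstract_step(a):
        return {alpha(t) for x in STATES if alpha(x) == a for t in concrete_step(x)}
    conc = reach_fixpoint(INIT, concrete_step)
    abst = reach_fixpoint([alpha(x) for x in INIT], abstract_step)
    return {"concrete_unsafe": UNSAFE in conc,         # ground truth
            "abstract_unsafe": alpha(UNSAFE) in abst}  # may be a false alarm


def tseitin(formula):
    """Encode ('var', n) | ('not', f) | ('and', f, g) | ('or', f, g) into CNF:
    a list of clauses over integer literals (negative = negated).  Each
    connective gets one fresh variable and at most three clauses, so the CNF
    is linear in the formula size at the cost of linearly more variables."""
    ids, clauses, count = {}, [], 0

    def fresh():
        nonlocal count
        count += 1
        return count

    def enc(f):
        if f[0] == "var":
            if f[1] not in ids:
                ids[f[1]] = fresh()
            return ids[f[1]]
        if f[0] == "not":
            a, v = enc(f[1]), fresh()
            clauses.extend([[-v, -a], [v, a]])               # v <-> not a
            return v
        a, b = enc(f[1]), enc(f[2])
        v = fresh()
        if f[0] == "and":
            clauses.extend([[-v, a], [-v, b], [v, -a, -b]])  # v <-> a and b
        else:
            clauses.extend([[-v, a, b], [v, -a], [v, -b]])   # v <-> a or b
        return v

    clauses.append([enc(formula)])   # unit clause: the root must hold
    return clauses, count


def brute_sat(clauses, n_vars):
    """Exhaustive check, only meant for the tiny formulas used here."""
    for bits in product((False, True), repeat=n_vars):
        if all(any(bits[abs(l) - 1] == (l > 0) for l in c) for c in clauses):
            return True
    return False


if __name__ == "__main__":
    print(analyse(lambda x: x < 4))   # coarse abstraction: spurious alarm
    print(analyse(lambda x: x % 2))   # parity abstraction: proves x != 5
    cnf, n = tseitin(("and", ("or", ("var", "p"), ("var", "q")),
                      ("not", ("var", "p"))))
    print(n, len(cnf), brute_sat(cnf, n))
```

The coarse abstraction (`x < 4`) merges the even and odd states, so the abstract system reaches the block containing 5 although the concrete system never does; a verdict of "unsafe" from the over-approximation therefore needs confirmation, while a verdict of "safe" (the parity abstraction) carries over to the concrete system.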

    Formalizing a hierarchical file system

    An abstract file system is defined here as a partial function from (absolute) paths to data. Such a file system determines the set of valid paths. It allows the file system to be read and written at a valid path, and it allows the system to be modified by the Unix operations for creation, removal, and moving of files and directories. We present abstract definitions (axioms) for these operations. This specification is refined towards a pointer implementation. The challenge is to have a natural abstraction function from the implementation to the specification, to define operations on the concrete store that behave exactly in the same way as the corresponding functions on the abstract store, and to prove these facts. To mitigate the problems attached to partial functions, we do this in two steps: first a refinement towards a pointer implementation with total functions, followed by one that allows partial functions. These two refinements are proved correct by means of a number of invariants. Indeed, the insights gained consist, on the one hand, of the invariants of the pointer implementation that are needed for the refinement functions, and on the other hand of the precise enabling conditions of the operations on the different levels of abstraction. Each of the three specification levels is enriched with a permission system for reading, writing, or executing, and the refinement relations between these permission systems are explored. Files and directories are distinguished from the outset, but this rarely affects our part of the specifications. All results have been verified with the proof assistant PVS, in particular, that the invariants are preserved by the operations, and that, where the invariants hold, the operations commute with the refinement functions.
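The refinement set-up the abstract describes, as an added executable model that is not the paper's PVS development: the abstract store is a dictionary from absolute paths (tuples of names) to contents, the concrete store is an inode table with child pointers, `abstraction` is the function from the latter to the former, and `commutes` checks on sample inputs that applying a concrete operation and then abstracting gives the same store as applying the abstract operation, under the tree-shape invariant. The enabling conditions are the preconditions asserted in each operation; `both_disabled` checks that both levels refuse the same ill-formed requests. Only the creation, removal and move operations are modelled, without the permission system; the sample tree and the operation arguments are constructed here.

```python
"""Added model (not the PVS development from the paper): the abstract file
system as a partial function from paths to contents, a pointer-based
implementation with an inode table, the abstraction function between them,
and checks that the operations commute with it.  Paths are tuples of names;
the sample tree and the operation arguments are constructed here."""
import copy

DIR = None   # abstract content of a directory; files map to their bytes


# --- abstract level: store is a dict  path -> DIR | bytes ---------------
def a_create(store, path, data):
    """Enabled iff path is fresh and its parent is a valid directory."""
    assert path not in store and store.get(path[:-1], b"") is DIR
    return {**store, path: data}


def a_remove(store, path):
    """Enabled iff path is valid, not the root and (for a directory) empty."""
    assert path in store and path != ()
    assert not any(p != path and p[:len(path)] == path for p in store)
    return {p: c for p, c in store.items() if p != path}


def a_move(store, src, dst):
    """Relocate the subtree at src; dst must be fresh, outside src, and
    have a valid directory as parent."""
    assert src in store and src != () and dst not in store
    assert dst[:len(src)] != src and store.get(dst[:-1], b"") is DIR
    return {(dst + p[len(src):] if p[:len(src)] == src else p): c
            for p, c in store.items()}


# --- concrete level: inode table  id -> {"kids": {name: id}} | {"data": bytes}
def c_new():
    return {0: {"kids": {}}}          # inode 0 is the root directory


def c_lookup(fs, path):
    """Follow child pointers from the root; None if the path is invalid."""
    cur = 0
    for name in path:
        cur = fs[cur].get("kids", {}).get(name)
        if cur is None:
            return None
    return cur


def c_create(fs, path, data):
    fs, parent = copy.deepcopy(fs), c_lookup(fs, path[:-1])
    assert parent is not None and "kids" in fs[parent]
    assert path[-1] not in fs[parent]["kids"]
    nid = max(fs) + 1
    fs[nid] = {"kids": {}} if data is DIR else {"data": data}
    fs[parent]["kids"][path[-1]] = nid
    return fs


def c_remove(fs, path):
    fs, nid = copy.deepcopy(fs), c_lookup(fs, path)
    assert path and nid is not None and not fs[nid].get("kids")
    del fs[c_lookup(fs, path[:-1])]["kids"][path[-1]]
    del fs[nid]
    return fs


def c_move(fs, src, dst):
    """Only one pointer is re-linked; the subtree's inodes are untouched."""
    fs = copy.deepcopy(fs)
    nid, sp, dp = c_lookup(fs, src), c_lookup(fs, src[:-1]), c_lookup(fs, dst[:-1])
    assert src and dst and nid is not None and dp is not None and "kids" in fs[dp]
    assert dst[:len(src)] != src and dst[-1] not in fs[dp]["kids"]
    del fs[sp]["kids"][src[-1]]
    fs[dp]["kids"][dst[-1]] = nid
    return fs


def abstraction(fs):
    """Abstraction function: walk the pointers and collect every valid path."""
    store = {}

    def walk(nid, path):
        node = fs[nid]
        store[path] = DIR if "kids" in node else node["data"]
        for name, kid in node.get("kids", {}).items():
            walk(kid, path + (name,))
    walk(0, ())
    return store


def invariant(fs):
    """Root is a directory and every inode is reached exactly once from it."""
    seen = []

    def walk(nid):
        seen.append(nid)
        for kid in fs[nid].get("kids", {}).values():
            walk(kid)
    walk(0)
    return "kids" in fs[0] and sorted(seen) == sorted(fs)


def commutes(fs, a_op, c_op, *args):
    """Abstracting after the concrete op equals the abstract op after abstracting."""
    return abstraction(c_op(fs, *args)) == a_op(abstraction(fs), *args)


def both_disabled(fs, a_op, c_op, *args):
    """Enabling conditions agree: both levels refuse the operation."""
    refused = 0
    for op, arg in ((a_op, abstraction(fs)), (c_op, fs)):
        try:
            op(arg, *args)
        except AssertionError:
            refused += 1
    return refused == 2


def sample_fs():
    fs = c_create(c_new(), ("etc",), DIR)
    fs = c_create(fs, ("etc", "passwd"), b"root:x:0:0")   # constructed data
    return c_create(fs, ("tmp",), DIR)


def demo():
    fs = sample_fs()
    return (invariant(fs)
            and commutes(fs, a_create, c_create, ("tmp", "x"), b"hi")
            and commutes(fs, a_move, c_move, ("etc",), ("tmp", "etc2"))
            and commutes(fs, a_remove, c_remove, ("tmp",))
            and both_disabled(fs, a_remove, c_remove, ("etc",))               # not empty
            and both_disabled(fs, a_move, c_move, ("etc",), ("etc", "sub")))  # into itself
```

`demo()` returns `True` for the sample tree. The move check is the interesting one: the concrete operation relinks a single pointer, whereas the abstract one rewrites every path under `src`, and the two agree only because the invariant rules out shared or dangling inodes; dropping the `dst[:len(src)] != src` precondition would let the concrete level create a cycle that the abstraction function can no longer map to a partial function.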

    The known unknowns of hydraulic engineering

    Hydraulic engineers and researchers deal with scientific challenges involving turbulent flow motion and its interactions with the surroundings. Turbulent flows are characterised by unpredictable behaviour, and little systematic research has yet been conducted in natural systems. This paper discusses the implications of recent developments in affordable instrumentation, which was previously characterised by intrinsic weaknesses that adversely affect the quality of the signal outputs. A challenging application is the unsteady turbulence field in tidal bores. The interactions between open channel flows and movable boundaries and the atmosphere illustrate another aspect of our limited knowledge. Rapid siltation of reservoirs and air entrainment in turbulent free-surface flows are discussed. In both applications, hydraulic engineers require some broad-based expertise. In turn, the education of future hydraulic engineers is of vital importance.

    Practically Applicable Formal Methods

    Formal methods are considered to be highly expensive. Therefore, they are currently applied almost only in high-risk software development. In this paper, we show that formal techniques can also be used efficiently in standard large-scale applications. We focus on the generation of specifications which state the termination condition of for loops in Java code (expressed as so-called Java Modeling Language decreases clauses). We demonstrate that with the help of relatively simple techniques it is possible to successfully generate the clauses for almost 80% of the loops in a number of widely deployed applications. Moreover, it turns out that the remaining 20% of cases contain loops which should be carefully reviewed by software quality assurance personnel. The results show that our technique might be helpful in spreading the usage of formal methods to typical business software.

    Proof Pearl: The KeY to Correct and Stable Sorting
