99 research outputs found
Flexible Invariants Through Semantic Collaboration
Modular reasoning about class invariants is challenging in the presence of
dependencies among collaborating objects that need to maintain global
consistency. This paper presents semantic collaboration: a novel methodology to
specify and reason about class invariants of sequential object-oriented
programs, which models dependencies between collaborating objects by semantic
means. Combined with a simple ownership mechanism and useful default schemes,
semantic collaboration achieves the flexibility necessary to reason about
complicated inter-object dependencies but requires limited annotation burden
when applied to standard specification patterns. The methodology is implemented
in AutoProof, our program verifier for the Eiffel programming language (but it
is applicable to any language supporting some form of representation
invariants). An evaluation on several challenge problems proposed in the
literature demonstrates that it can handle a variety of idiomatic collaboration
patterns, and is more widely applicable than the existing invariant
methodologies.Comment: 22 page
Specifying Reusable Components
Reusable software components need expressive specifications. This paper
outlines a rigorous foundation to model-based contracts, a method to equip
classes with strong contracts that support accurate design, implementation, and
formal verification of reusable components. Model-based contracts
conservatively extend the classic Design by Contract with a notion of model,
which underpins the precise definitions of such concepts as abstract
equivalence and specification completeness. Experiments applying model-based
contracts to libraries of data structures suggest that the method enables
accurate specification of practical software
From Event-B models to Dafny code contracts
International audienceThe constructive approach to software correctness aims at formal modelling and verification of the structure and behaviour of a system in different levels of abstraction. In contrast, the analytical approach to software verification focuses on code level correctness and its verification. Therefore it would seem that the constructive and analytical approaches should complement each other well. To demonstrate this idea we present a case for linking two existing verification methods, Event-B (constructive) and Dafny (analytical). This approach combines the power of Event-B abstraction and its stepwise refinement with the verification capabilities of Dafny. We presented a small case study to demonstrate this approach and outline of the rules for transforming Event-B events to Dafny contracts. Finally, a tool for automatic generation of Dafny contracts from Event-B formal models is presented
Testing Library Specifications by Verifying Conformance Tests
Abstract. Formal specifications of standard libraries are necessary when statically verifying software that uses those libraries. Library specifications must be both correct, accurately reflecting library behavior, and useful, describing library behavior in sufficient detail to allow static verification of client programs. Specification and verification researchers regularly face the question of whether the library specifications we use are correct and useful, and we have collectively provided no good answers. Over the past few years we have created and refined a software engineering process, which we call the Formal CTD Process (FCTD), to address this problem. Although FCTD is primarily targeted toward those who write Java libraries (or specifications for existing Java libraries) using the Java Modeling Language (JML), its techniques are broadly applicable. The key to FCTD is its novel usage of library conformance test suites. Rather than executing the conformance tests, FCTD uses them to measure the correctness and utility of specifications through static verification. FCTD is beginning to see significant use within the JML community and is the cornerstone process of the JML Spec-a-thons, meetings that bring JML researchers and practitioners together for intensive specification writing sessions. This article describes the Formal CTD Process, its use in small case studies, and its broad application to the standard Java class library.
The International Cancer Expert Corps: A Unique Approach for Sustainable Cancer Care in Low and Lower-Middle Income Countries
The growing burden of non-communicable diseases including cancer in low- and lower-middle income countries (LMICs) and in geographic-access limited settings within resource-rich countries requires effective and sustainable solutions. The International Cancer Expert Corps (ICEC) is pioneering a novel global mentorship–partnership model to address workforce capability and capacity within cancer disparities regions built on the requirement for local investment in personnel and infrastructure. Radiation oncology will be a key component given its efficacy for cure even for the advanced stages of disease often encountered and for palliation. The goal for an ICEC Center within these health disparities settings is to develop and retain a high-quality sustainable workforce who can provide the best possible cancer care, conduct research, and become a regional center of excellence. The ICEC Center can also serve as a focal point for economic, social, and healthcare system improvement. ICEC is establishing teams of Experts with expertise to mentor in the broad range of subjects required to establish and sustain cancer care programs. The Hubs are cancer centers or other groups and professional societies in resource-rich settings that will comprise the global infrastructure coordinated by ICEC Central. A transformational tenet of ICEC is that altruistic, human-service activity should be an integral part of a healthcare career. To achieve a critical mass of mentors ICEC is working with three groups: academia, private practice, and senior mentors/retirees. While in-kind support will be important, ICEC seeks support for the career time dedicated to this activity through grants, government support, industry, and philanthropy. Providing care for people with cancer in LMICs has been a recalcitrant problem. The alarming increase in the global burden of cancer in LMICs underscores the urgency and makes this an opportune time fornovel and sustainable solutions to transform cancer care globally
Structured specifications for better verification of heap-manipulating programs
Abstract. Conventional specifications typically have a flat structure that is based primarily on the underlying logic. Such specifications lack structures that could have provided better guidance to the verification process. In this work, we propose to add three new structures to a specification framework for separation logic to achieve a more precise and better guided verification for pointer-based programs. The newly introduced structures empower users with more control over the verification process in the following ways: (i) case analysis can be invoked to take advantage of disjointness conditions in the logic. (ii) early, as opposed to late, instantiation can minimise on the use of existential quantification. (iii) formulae that are staged provide better reuse of the verification process. Initial experiments have shown that structured specifications can lead to more precise verification without incurring any performance overhead.
Components, contracts, and connectors for the Unified Modelling Language UML
The lack of a component concept for the UML is widely ac-\ud
knowledged. Contracts between components can be the starting point for introducing components and component interconnections. Contracts between service providers and service users are formulated based on abstractions of action and operation behaviour using the pre- and postcon-\ud
dition technique. A valid contract allows to establish an interconnection- a connector - between the provider and the user. The contract concept supports the re-use of components by providing means to establish and modify component interconnections. A flexible contract concept shall be based on a renement relation for operations and classes, derived from operation abstractions. Abstract behaviour, expressed by pre- and post-conditions, and renement are the key elements in the denition of a formal and flexible component and component interconnection approach
Practical API Protocol Checking with Access Permissions
Reusable APIs often define usage protocols. We previously developed a sound modular type system that checks compliance with typestate-based protocols while affording a great deal of aliasing flexibility. We also developed Plural, a prototype tool that embodies our approach as an automated static analysis and includes several extensions we found useful in practice. This paper evaluates our approach along the following dimensions: (1) We report on experience in specifying relevant usage rules for a large Java standard API with our approach. We also specify several other Java APIs and identify recurring patterns. (2) We summarize two case studies in verifying third-party open-source code bases with few false positives using our tool. We discuss how tool shortcomings can be addressed either with code refactorings or extensions to the tool itself. These results indicate that our approach can be used to specify and enforce real API protocols in practice
Inheritance of Temporal Logic Properties
Abstract. Inheritance is one of the key features for the success of object-oriented languages. Inheritance (or specialisation) supports incremental design and re-use of already written specifications or programs. In a for-mal approach to system design the interest does not only lie in re-use of class definitions but also in re-use of correctness proofs. If a provably correct class is specialised we like to know those correctness properties which are preserved in the subclass. This can avoid re-verification of already proven properties and may thus substantially reduce the verifi-cation effort. In this paper we study the question of inheritance of correctness prop-erties in the context of state-based formalisms, using a temporal logic (CTL) to formalise requirements on classes. Given a superclass and its specialised subclass we develop a technique for computing the set of for-mulas which are preserved in the subclass. For specialisation we allow addition of attributes, modification of existing as well as extension with new methods.
- …