    The AutoProof Verifier: Usability by Non-Experts and on Standard Code

    Formal verification tools are often developed by experts for experts; as a result, their usability by programmers with little formal methods experience may be severely limited. In this paper, we discuss this general phenomenon with reference to AutoProof: a tool that can verify the full functional correctness of object-oriented software. In particular, we present our experiences of using AutoProof in two contrasting contexts representative of non-expert usage. First, we discuss its usability by students in a graduate course on software verification, who were tasked with verifying implementations of various sorting algorithms. Second, we evaluate its usability in verifying code developed for programming assignments of an undergraduate course. The first scenario represents usability by serious non-experts; the second represents usability on "standard code", developed without full functional verification in mind. We report our experiences and lessons learnt, from which we derive some general suggestions for furthering the development of verification tools with respect to improving their usability.
    Comment: In Proceedings F-IDE 2015, arXiv:1508.0338

    Integrated Modeling and Verification of Real-Time Systems through Multiple Paradigms

    Complex systems typically have many different parts and facets, with different characteristics. In a multi-paradigm approach to modeling, formalisms with different natures are used in combination to describe complementary parts and aspects of the system. This can have a beneficial impact on the modeling activity, as different paradigms can be better suited to describe different aspects of the system. While each paradigm provides a different view on the many facets of the system, it is of paramount importance that a coherent comprehensive model emerges from the combination of the various partial descriptions. In this paper we present a technique to model different aspects of the same system with different formalisms, while keeping the various models tightly integrated with one another. In addition, our approach leverages the flexibility provided by a bounded satisfiability checker to encode the verification problem of the integrated model in the propositional satisfiability (SAT) problem; this allows users to carry out formal verification activities both on the whole model and on parts thereof. The effectiveness of the approach is illustrated through the example of a monitoring system.
    Comment: 27 pages

    A Theory of Sampling for Continuous-time Metric Temporal Logic

    This paper revisits the classical notion of sampling in the setting of real-time temporal logics for the modeling and analysis of systems. The relationship between the satisfiability of Metric Temporal Logic (MTL) formulas over continuous-time models and over discrete-time models is studied. It is shown to what extent discrete-time sequences obtained by sampling continuous-time signals capture the semantics of MTL formulas over the two time domains. The main results apply to "flat" formulas that do not nest temporal operators, and can be applied to the problem of reducing the verification problem for MTL over continuous-time models to the same problem over discrete-time models, resulting in an automated, partial, practically efficient discretization technique.
    Comment: Revised version, 43 pages

    Practical Automated Partial Verification of Multi-Paradigm Real-Time Models

    This article introduces a fully automated verification technique that makes it possible to analyze real-time systems described using a continuous notion of time and a mixture of operational (i.e., automata-based) and descriptive (i.e., logic-based) formalisms. The technique relies on the reduction, under reasonable assumptions, of the continuous-time verification problem to its discrete-time counterpart. This reconciles in a viable and effective way the dense/discrete and operational/descriptive dichotomies that are often encountered in practice when it comes to specifying and analyzing complex critical systems. The article investigates the applicability of the technique through a significant example centered on a communication protocol. More precisely, concurrent runs of the protocol are formalized by parallel instances of a Timed Automaton, while the synchronization rules between these instances are specified through Metric Temporal Logic formulas, thus creating a multi-paradigm model. Verification tests run on this model using a bounded validity checker implementing the technique show consistent results and interesting performance.
    Comment: 33 pages; fixed a few typos and added data to Table

    Treatment of chronic plantar fasciopathy with extracorporeal shock waves (review)

    There is an increasing interest by doctors and patients in extracorporeal shock wave therapy (ESWT) for chronic plantar fasciopathy (PF), particularly in second-generation radial extracorporeal shock wave therapy (RSWT). The present review aims at serving this interest by providing a comprehensive overview of physical and medical definitions of shock waves and a detailed assessment of the quality and significance of the randomized clinical trials published on ESWT and RSWT as used to treat chronic PF. Both ESWT and RSWT are safe, effective, and technically easy treatments for chronic PF. The main advantages of RSWT over ESWT are the lack of need for any anesthesia during the treatment and the demonstrated long-term treatment success (demonstrated at both 6 and 12 months after the first treatment using RSWT, compared to follow-up intervals of no more than 12 weeks after the first treatment using ESWT). In recent years, a greater understanding of the clinical outcomes of ESWT and RSWT for chronic PF has arisen, not only with respect to the design of studies, but also with respect to procedure, energy level, and shock wave propagation. Either procedure should be considered for patients 18 years of age or older with chronic PF prior to surgical intervention.

    A computational platform for robotized fluorescence microscopy (II): DNA damage, replication, checkpoint activation, and cell cycle progression by high-content high-resolution multiparameter image-cytometry

    Dissection of complex molecular networks in rare cell populations is limited by current technologies that do not allow simultaneous quantification, high-resolution localization, and statistically robust analysis of multiple parameters. We have developed a novel computational platform (Automated Microscopy for Image CytOmetry, A.M.I.CO) for quantitative image analysis of data from confocal or widefield robotized microscopes. We have applied this image-cytometry technology to the study of checkpoint activation in response to spontaneous DNA damage in nontransformed mammary cells. Cell-cycle profile and active DNA replication were correlated to (i) Ki67, to monitor proliferation; (ii) phosphorylated histone H2AX (γH2AX) and 53BP1, as markers of DNA-damage response (DDR); and (iii) p53 and p21, as checkpoint-activation markers. Our data suggest the existence of cell-cycle-modulated mechanisms involving different functions of γH2AX and 53BP1 in DDR, and of p53 and p21 in checkpoint activation and quiescence regulation during the cell cycle. Quantitative analysis, event selection, and physical relocalization were then employed to correlate protein expression at the population level with interactions between molecules, measured with Proximity Ligation Analysis, with unprecedented statistical relevance.

    The engineering roles of requirements and specification

    The distinction between requirements and specification is often confused in practice. This obstructs the system validation process, because it is unclear what exactly should be validated, and against what it should be validated. The reference model of Gunter et al. addresses this difficulty by providing a framework within which requirements can be distinguished from specification. It separates world phenomena from machine phenomena. However, it does not explain how the characterization can be used to help assure system validity. In this paper, we enhance the reference model to account for certain key elements that are necessary to expose and clarify the distinction and the link between requirements and specification. We use the enhanced version to present a more refined picture of validity, where validation has two steps that can be undertaken separately. We use this picture to question whether the "what the system will do, not how it will do it" paradigm is useful in describing how to construct a specification, and propose an alternative. Finally, we present the requirements and specification for an illustrative example based on a runway incursion prevention system, with the ArchiTRIO formal language in a UML-like environment, to show how this might be done in practice.

    A dynamic link between H/ACA snoRNP components and cytoplasmic stress granules

    Many cell stressors block protein translation, inducing formation of cytoplasmic aggregates. These aggregates, named stress granules (SGs), are composed of translationally stalled ribonucleoproteins, and their assembly strongly contributes to cell survival. Composition and dynamics of SGs are thus important starting points for identifying critical factors of the stress response. In the present study we link components of the H/ACA snoRNP complexes, highly concentrated in the nucleoli and the Cajal bodies, to SG composition. H/ACA snoRNPs are composed of a core of four highly conserved proteins (dyskerin, Nhp2, Nop10 and Gar1) and are involved in several fundamental processes, including ribosome biogenesis, RNA pseudouridylation, stabilization of small nucleolar RNAs and telomere maintenance. By taking advantage of cells overexpressing a dyskerin splice variant undergoing dynamic intracellular trafficking, we were able to show that H/ACA snoRNP components can participate in SG formation, thereby contributing to the stress response and perhaps transducing signals from the nucleus to the cytoplasm. Collectively, our results show for the first time that H/ACA snoRNP proteins can have additional non-nuclear functions, either independently or interacting with each other, thus further strengthening the close relationship linking the nucleolus to SG composition.

    Robustness Testing of Intermediate Verifiers

    Program verifiers are not exempt from the bugs that affect nearly every piece of software. In addition, they often exhibit brittle behavior: their performance changes considerably with details of how the input program is expressed, details that should be irrelevant, such as the order of independent declarations. Such a lack of robustness frustrates users, who have to spend considerable time figuring out a tool's idiosyncrasies before they can use it effectively. This paper introduces a technique to detect lack of robustness in program verifiers; the technique is lightweight and fully automated, as it is based on testing methods (such as mutation testing and metamorphic testing). The key idea is to generate many simple variants of a program that initially passes verification. All variants are, by construction, equivalent to the original program; thus, any variant that fails verification indicates lack of robustness in the verifier. We implemented our technique in a tool called "mugie", which operates on programs written in the popular Boogie language for verification, used as intermediate representation in numerous program verifiers. Experiments targeting 135 Boogie programs indicate that brittle behavior occurs fairly frequently (16 programs) and is not hard to trigger. Based on these results, the paper discusses the main sources of brittle behavior and suggests means of improving robustness.

    A computational search for box C/D snoRNA genes in the Drosophila melanogaster genome

    Motivation: In eukaryotes, the family of non-coding RNA genes includes a number of genes encoding small nucleolar RNAs (mainly C/D and H/ACA snoRNAs), which act as guides in the maturation or post-transcriptional modification of target RNA molecules. Since in Drosophila melanogaster (Dm) only a few examples of snoRNAs have been identified so far by cDNA library screening, integration of the molecular data with in silico identification of these types of genes could throw light on their organization in the Dm genome. Results: We have performed a computational screening of the Dm genome for C/D snoRNA genes, followed by experimental validation of the putative candidates. Few of the 26 confirmed snoRNAs had been recognized by cDNA library analysis. Organization of the Dm genome was also found to be more variegated than previously suspected, with snoRNA genes nested in both the introns and exons of protein-coding genes. This finding suggests the presence of additional mechanisms of snoRNA biogenesis based on the alternative production of overlapping mRNA/snoRNA molecules. Availability: Additional information is available at http://www.bioinformatica.unito.it/bioinformatics/snoRNA