
<rss version="0.91">
    <channel>
        <title>Latest Articles from JUCS - Journal of Universal Computer Science</title>
        <description>Latest 79 Articles from JUCS - Journal of Universal Computer Science</description>
        <link>https://lib.jucs.org/</link>
        <lastBuildDate>Fri, 13 Mar 2026 08:35:17 +0000</lastBuildDate>
        <generator>Pensoft FeedCreator</generator>
        <image>
            <url>https://lib.jucs.org/i/logo.jpg</url>
            <title>Latest Articles from JUCS - Journal of Universal Computer Science</title>
            <link>https://lib.jucs.org/</link>
            <description><![CDATA[Feed provided by https://lib.jucs.org/. Click to visit.]]></description>
        </image>
	
		<item>
		    <title>Test case prioritization based on human knowledge</title>
		    <link>https://lib.jucs.org/article/127870/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 31(6): 552-571</p>
					<p>DOI: 10.3897/jucs.127870</p>
					<p>Authors: Ícaro Prado Fernandes, Luiz Eduardo Galvão Martins</p>
					<p>Abstract: Building quality software, that is, suitable for use and meeting user needs, is one of the biggest challenges in the software industry. Although it is possible to guarantee the proper functioning of software through testing activities, such activities are exhaustive in nature, as it is impossible to test all inputs of a minimally complex program. This work proposes a method to prioritize test cases based on human knowledge using a combination of factors evaluated in an assessment answered by 29 software industry professionals and 5 academics. The assessment confirmed that the proposed factors are relevant. Finally, a practical example that prioritizes test cases for a banking application was carried out and it was observed that the proposed method works properly.</p>
					<p><a href="https://lib.jucs.org/article/127870/">HTML</a></p>
					
					<p><a href="https://lib.jucs.org/article/127870/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 May 2025 10:00:02 +0000</pubDate>
		</item>
	
		<item>
		    <title>An Empirical Evaluation of Large Language Models in Static Code Analysis for PHP Vulnerability Detection</title>
		    <link>https://lib.jucs.org/article/134739/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 30(9): 1163-1183</p>
					<p>DOI: 10.3897/jucs.134739</p>
					<p>Authors: Orçun Çetin, Emre Ekmekcioglu, Budi Arief, Julio Hernandez-Castro</p>
					<p>Abstract: Web services play an important role in our daily lives. They are used in a wide range of activities, from online banking and shopping to education, entertainment and social interactions. Therefore, it is essential to ensure that they are kept as secure as possible. However &ndash; as is the case with any complex software system &ndash; creating a sophisticated software free from any security vulnerabilities is a very challenging task. One method to enhance software security is by employing static code analysis. This technique can be used to identify potential vulnerabilities in the source code before they are exploited by bad actors. This approach has been instrumental in tackling many vulnerabilities, but it is not without limitations. Recent research suggests that static code analysis can benefit from the use of large language models (LLMs). This is a promising line of research, but there are still very few and quite limited studies in the literature on the effectiveness of various LLMs at detecting vulnerabilities in source code. This is the research gap that we aim to address in this work. Our study examined five notable LLM chatbot models: ChatGPT 4, ChatGPT 3.5, Claude, Bard/Gemini1, and Llama-2, assessing their abilities to identify 104 known vulnerabilities spanning the Top-10 categories defined by the Open Worldwide Application Security Project (OWASP). Moreover, we evaluated issues related to these LLMs&rsquo; false-positive rates using 97 patched code samples. We specifically focused on PHP vulnerabilities, given its prevalence in web applications. We found that ChatGPT-4 has the highest vulnerability detection rate, with over 61.5% of vulnerabilities found, followed by ChatGPT-3.5 at 50%. Bard has the highest rate of vulnerabilities missed, at 53.8%, and the lowest detection rate, at 13.4%. 
For all models, there is a significant percentage of vulnerabilities that were classified as partially found, indicating a level of uncertainty or incomplete detection across all tested LLMs. Moreover, we found that ChatGPT-4 and ChatGPT-3.5 are consistently more effective across most categories, compared to other models. Bard and Llama-2 display limited effectiveness in detecting vulnerabilities across the majority of categories listed. Surprisingly, our findings reveal high false positive rates across all LLMs. Even the model demonstrating the best performance (ChatGPT-4) notched a false positive rate of nearly 63%, while several models glaringly under-performed, hitting startlingly bad false positive rates of over 90%. Finally, simultaneously deploying multiple LLMs for static analysis resulted in only a marginal enhancement in the rates of vulnerability detection. We believe these results are generalizable to most other programming languages, and hence far from being limited to PHP only.</p>
					<p><a href="https://lib.jucs.org/article/134739/">HTML</a></p>
					
					<p><a href="https://lib.jucs.org/article/134739/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sat, 14 Sep 2024 16:00:03 +0000</pubDate>
		</item>
	
		<item>
		    <title>A Modeling Strategy for the Verification of Context-Oriented Chatbot Conversational Flows via Model Checking</title>
		    <link>https://lib.jucs.org/article/91311/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 29(7): 805-835</p>
					<p>DOI: 10.3897/jucs.91311</p>
					<p>Authors: Geovana Ramos Sousa Silva, Genaína Nunes Rodrigues, Edna Dias Canedo</p>
					<p>Abstract: Verification of chatbot conversational flows is paramount to capturing and understanding chatbot behavior and predicting problems that would cause the entire flow to be restructured from scratch. The literature on chatbot testing is scarce, and the few works that approach this subject do not focus on verifying the communication sequences in tandem with the functional requirements of the conversational flow itself. However, covering all possible conversational flows of context-oriented chatbots through testing is not feasible in practice given the many ramifications that should be covered by test cases. Alternatively, model checking provides a model-based verification in a mathematically precise and unambiguous manner. Moreover, it can anticipate design flaws early in the software design phase that could lead to incompleteness, ambiguities, and inconsistencies. We postulate that finding design flaws in chatbot conversational flows via model checking early in the design phase may overcome quite a few verification gaps that are not feasible via current testing techniques for context-oriented chatbot conversational flows. Therefore, in this work, we propose a modeling strategy to design and verify chatbot conversational flows via the Uppaal model checking tool. Our strategy is materialized in the form of templates and a mapping of chatbot elements into Uppaal elements. To evaluate this strategy, we invited a few chatbot developers with different levels of expertise. The feedback from the participants revealed that the strategy is a great ally in the phases of conversational prototyping and design, as well as helping to refine requirements and revealing branching logic that can be reused in the implementation phase.</p>
					<p><a href="https://lib.jucs.org/article/91311/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/91311/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/91311/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Jul 2023 16:00:07 +0000</pubDate>
		</item>
	
		<item>
		    <title>A Neuro-Fuzzy Hybridized Approach for Software Reliability Prediction</title>
		    <link>https://lib.jucs.org/article/80537/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 28(7): 708-732</p>
					<p>DOI: 10.3897/jucs.80537</p>
					<p>Authors: Ajay Kumar</p>
					<p>Abstract: Context: Reliability prediction is critical for software engineers in the current challenging scenario of increased demand for high-quality software. Even though various software reliability prediction models have been established so far, there is always a need for a more accurate model in today&#39;s competitive environment for producing high-quality software. Objective: This paper proposes a neuro-fuzzy hybridized method by integrating self-organized-map (SOM) and fuzzy time series (FTS) forecasting for the reliability prediction of a software system. Methodology: In the proposed approach, a well-known supervised clustering algorithm SOM is incorporated with FTS forecasting for developing a hybrid model for software reliability prediction. To validate the proposed approach, an experimental study is done by applying the proposed neuro-fuzzy method on a software failure dataset. In addition, a comparative study was conducted for evaluating the performance of the proposed method by comparing it with some of the existing FTS models. Results: Experimental outcomes show that the proposed approach performs better than the existing FTS models. Conclusion: The results show that the proposed approach can be used efficiently in the software industry for software reliability prediction.</p>
					<p><a href="https://lib.jucs.org/article/80537/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/80537/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/80537/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Thu, 28 Jul 2022 10:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>A Formal Model for Configurable Business Process with Optimal Cloud Resource Allocation</title>
		    <link>https://lib.jucs.org/article/70978/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 27(7): 693-713</p>
					<p>DOI: 10.3897/jucs.70978</p>
					<p>Authors: Abderrahim Ait Wakrime, Souha Boubaker, Slim Kallel, Emna Guermazi, Walid Gaaloul</p>
					<p>Abstract: In today&rsquo;s competitive business environments, organizations increasingly need to model and deploy flexible and cost effective business processes. In this context, configurable process models are used to offer flexibility by representing process variants in a generic manner. Hence, the behavior of similar variants is grouped in a single model holding configurable elements. Such elements are then customized and configured depending on specific needs. However, the decision to configure an element may be incorrect leading to critical behavioral errors. Recently, process configuration has been extended to include Cloud resources allocation, to meet the need of business scalability by allowing access to on-demand IT resources. In this work, we propose a formal model based on propositional satisfiability formula allowing to find correct elements configuration including resources allocation ones. In addition, we propose to select optimal configurations based on Cloud resources cost. This approach allows to provide the designers with correct and cost-effective configuration decisions.</p>
					<p><a href="https://lib.jucs.org/article/70978/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/70978/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/70978/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 Jul 2021 10:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>K-Step Crossover Method based on Genetic Algorithm for Test Suite Prioritization in Regression Testing</title>
		    <link>https://lib.jucs.org/article/65241/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 27(2): 170-189</p>
					<p>DOI: 10.3897/jucs.65241</p>
					<p>Authors: P. K. Gupta</p>
					<p>Abstract: Software is an integration of numerous programming modules  (e.g., functions, procedures, legacy system, reusable components, etc.) tested and combined to build the entire module. However, some undesired faults may occur due to a change in modules while performing validation and verification. Retesting of entire software is a costly affair in terms of money and time. Therefore, to avoid retesting of entire software, regression testing is performed. In regression testing, an earlier created test suite is used to retest the software system&#39;s modified module. Regression Testing works in three manners; minimizing test cases, selecting test cases, and prioritizing test cases. In this paper, a two-phase algorithm has been proposed that considers test case selection and test case prioritization technique for performing regression testing on several modules ranging from a smaller line of codes to huge line codes of procedural language. A textual based differencing algorithm has been implemented for test case selection. Program statements modified between two modules are used for textual differencing and utilized to identify test cases that affect modified program statements. In the next step, test case prioritization is implemented by applying the Genetic Algorithm for code/condition coverage. Genetic operators: Crossover and Mutation have been applied over the initial population (i.e. test cases), taking code/condition coverage as fitness criterion to provide a prioritized test suite. Prioritization algorithm can be applied over both original and reduced test suite depending upon the test suite&#39;s size or the need for accuracy. In the obtained results, the efficiency of the prioritization algorithms has been analyzed by the Average Percentage of Code Coverage (APCC) and Average Percentage of Code Coverage with cost (APCCc). 
A comparison of the proposed approach is also done with the previously proposed methods and it is observed that APCC &amp; APCCc values achieve higher percentage values faster in the case of the prioritized test suite in contrast to the non-prioritized test suite.</p>
					<p><a href="https://lib.jucs.org/article/65241/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/65241/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/65241/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 28 Feb 2021 10:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>The Role of Verification and Validation Techniques within Visual Analytics</title>
		    <link>https://lib.jucs.org/article/22641/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 25(8): 967-987</p>
					<p>DOI: 10.3217/jucs-025-08-0967</p>
					<p>Authors: Benjamin Weyers, Ekaterina Auer, Wolfram Luther</p>
					<p>Abstract: We suggest to widen the focus of the scientific computations community from an isolated consideration of reliable numerical algorithms using standardized arithmetic to a broad user-centered system modeling and simulation approach relying on an appropriate verification and validation (V&V) design. Most V&V works rarely consider human-related issues specifically. However, modern applications generate and employ huge amounts of heterogeneous data and usually exhibit high complexity - challenges that are best tackled by augmenting human reasoning with automated techniques. That is, novel visual and collaborative approaches are needed to interpret the results, which has to be accounted for in the general V&V procedure. This should include an assessment of (meta-) data and code/outcome quality, selection of methods to propagate and bound uncertainty and, lastly, formally rigorous validation efforts. We present an approach to reliable visual analytics (i.e., analytics subjected to this V&V assessment), which can in turn contribute to the overall V&V procedure after that. Two use cases illustrate the potential of the introduced framework for reliable visual analytics.</p>
					<p><a href="https://lib.jucs.org/article/22641/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/22641/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/22641/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 Aug 2019 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>A General Method for Defining Objects by Recursion over Syntax</title>
		    <link>https://lib.jucs.org/article/22915/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 23(1): 89-111</p>
					<p>DOI: 10.3217/jucs-023-01-0089</p>
					<p>Authors: Simon Thompson</p>
					<p>Abstract: In this paper we look back to work done in the late 1980s, and that looked at links between grammars, data types and recursion principles, and illustrating it with examples that include enumerations of types and developing a structure editor. The work is introduced by a historical foreword, and closes with an afterword that discusses some of the subsequent developments of these ideas.</p>
					<p><a href="https://lib.jucs.org/article/22915/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/22915/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/22915/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sat, 28 Jan 2017 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Formal Modeling and Verification of Motor Drive Software for Networked Motion Control Systems</title>
		    <link>https://lib.jucs.org/article/23865/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 20(14): 1903-1925</p>
					<p>DOI: 10.3217/jucs-020-14-1903</p>
					<p>Authors: Youngdong Kim, Ikhwan Kim, Inhye Kang, Taehyoun Kim, Minyoung Sung</p>
					<p>Abstract: This paper presents a model-based approach to the design and verification of motor drive software for networked motion control systems. We develop a formal model for an Ethernet-based motion system, where, using timed automata, we describe the concurrent and synchronized behaviors of the components, i.e., motion controller, motor drives, and communication links. The drive, in particular, is modeled in enough detail to accurately reflect the software implementation used in a real drive. We use the design of multitasked drive software with fixed-priority preemptive scheduling. With UPPAAL model checking, we verify the precision and accuracy of the rendered motion in terms of the requirements on the actuation delay at each drive and the actuation deviation between different drives, respectively. The analysis results demonstrate the benefits of our model-based approach in the safety verification and design space exploration of motor drive software. We show that it is possible to verify deadlock freeness and real-time schedulability in an early design phase. And, for varying number of drives and size of messages, we can successfully determine the combination of task periods that leads to the best precision and accuracy.</p>
					<p><a href="https://lib.jucs.org/article/23865/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23865/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23865/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 1 Dec 2014 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Formal Study of Routing Protocols for Wireless Sensor Networks</title>
		    <link>https://lib.jucs.org/article/23493/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 20(9): 1373-1401</p>
					<p>DOI: 10.3217/jucs-020-09-1373</p>
					<p>Authors: José Mateo, María del Carmen Ruiz, Hermenegilda Maciá, Juan Pardo</p>
					<p>Abstract: NORA (Network rOle-based Routing Algorithm) and NORIA (Network rOle-based Routing Intelligent Algorithm) are novel routing algorithms for Wireless Sensor Networks (WSNs), which combine various effective techniques in order to reduce energy consumption and improve data routes. NORA is an algorithm, which uses local and neighbourhood information to assign a role to each node on the net, whereas NORIA adds a fuzzy logic engine to NORA in order to improve this assignment. These algorithms are far from being trivial, and, therefore, there is a clear need for the use of formal methods to check their correctness and performance, prior to their deployment in a real environment. To this end, this paper presents a neat and rigorous study of both algorithms, and, for the sake of completeness, we study and compare also both with a well-known routing protocol: Tree Routing. Finally, Coloured Petri Nets (CPNs) have been chosen as an appropriate modelling language, using the well-known tool, CPNTools, to conduct our experiments.</p>
					<p><a href="https://lib.jucs.org/article/23493/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23493/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23493/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 1 Sep 2014 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Verification of Software Product Line Artefacts: A Checklist to Support Feature Model Inspections</title>
		    <link>https://lib.jucs.org/article/23187/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 20(5): 720-745</p>
					<p>DOI: 10.3217/jucs-020-05-0720</p>
					<p>Authors: Rafael De Mello, Eldanae Teixeira, Marcelo Schots, Cláudia Maria Lima Werner, Guilherme Travassos</p>
					<p>Abstract: Software Product Line Engineering (SPL) should ensure the correctness, completeness and consistency of its artefacts and related domain to prevent the propagation of defects in derived products. Software inspection techniques are effective in detecting defects in software artefacts and avoiding their propagation throughout the software development process. However, the results of a quasi-systematic review of the technical literature reported in this paper pointed to a lack of such techniques to support the inspection of SPL artefacts, including techniques to support the inspection of feature models (FMs) that are largely used in domain modelling. Therefore, a checklist-based inspection technique (FMCheck) has been developed to support the detection of defects on FMs. FMCheck is configurable and can be applied to the original feature model notation (the FODA approach) and its extensions, including the Odyssey-FEX notation. The inspection technique was empirically evaluated, having indicated its feasibility and effectiveness. It is possible to see that inspectors applying FMCheck to inspect FMs can be more effective than those applying ad-hoc techniques, regarding four distinct domains.</p>
					<p><a href="https://lib.jucs.org/article/23187/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23187/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23187/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Thu, 1 May 2014 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Consistency Checking in Early Software Product Line Specifications - The VCC Approach</title>
		    <link>https://lib.jucs.org/article/23184/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 20(5): 640-665</p>
					<p>DOI: 10.3217/jucs-020-05-0640</p>
					<p>Authors: Mauricio Alférez, Roberto Lopez-Herrejón, Ana Moreira, Vasco Amaral, Alexander Egyed</p>
					<p>Abstract: Software Product Line Engineering (SPLE) is a successful paradigm to produce a family of products for a specific domain. A challenge in SPLE is to check that different models used in early SPL specification do not contain inconsistent information that may be propagated and generate inconsistent products that do not conform to its requirements. This challenge is difficult to address due to the high number of possible combinations of product features and model fragments specifying those features. Variability Consistency Checking (VCC) offers automatic means to address that challenge. VCC relates information inferred from the relationships between features and from base models related to those features. Validating if all the products in an SPL satisfy user-defined consistency constraints is based on searching for a satisfying assignment of each formula generated by VCC. We validated VCC and its supporting tool on two case studies from different application domains, the results were encouraging as we did not observe significant performance penalties.</p>
					<p><a href="https://lib.jucs.org/article/23184/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23184/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23184/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Thu, 1 May 2014 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>A Toolset for Checking SPL Refinements</title>
		    <link>https://lib.jucs.org/article/23182/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 20(5): 587-614</p>
					<p>DOI: 10.3217/jucs-020-05-0587</p>
					<p>Authors: Felype Ferreira, Rohit Gheyi, Paulo Borba, Gustavo Soares</p>
					<p>Abstract: Developers evolve software product lines (SPLs) manually or using typical program refactoring tools. However, when evolving an SPL to introduce new features or to improve its design, it is important to make sure that the behavior of existing products is not affected. Typical program refactorings cannot guarantee that because the SPL context goes beyond code and other kinds of core assets, and involves additional artifacts such as feature models and configuration knowledge. Besides that, we typically have to deal with a set of alternative assets that do not constitute a well-formed program in an SPL. As a result, manual changes and existing program refactoring tools may introduce behavioral changes or invalidate existing product configurations. To reduce such risks, we propose approaches and implement four tools for making product line evolution safer. These tools check if SPL transformations preserve the behavior of the original SPL products. They implement different and practical approximations of refinement notions from a theory for safely evolving SPLs. Besides specifying the algorithms of each approach, we compare them with respect to soundness, performance and code coverage in 35 evolution scenarios of an SPL with 32 KLOC.</p>
					<p><a href="https://lib.jucs.org/article/23182/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23182/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23182/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Thu, 1 May 2014 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Behavioral and Temporal Rule Checking for Gaussian Random Process - a Kalman Filter Example</title>
		    <link>https://lib.jucs.org/article/23880/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 19(15): 2198-2206</p>
					<p>DOI: 10.3217/jucs-019-15-2198</p>
					<p>Authors: Doron Drusinsky</p>
					<p>Abstract: This paper describes a behavioral and temporal pattern detection technique for state-space systems whose state is a random variable such as the state estimated using a Kalman filter. Our novel behavioral and temporal pattern detection technique uses diagrammatic, intuitive, yet formal specifications based on a dialect of the UML of the kind used to monitor or formally verify the correctness of deterministic systems. Combining these formal specifications with a special code generator, extends the deterministic pattern detection technique to the domain of stochastic processes.  We demonstrate the technique using a Ballistic trajectory Kalman filter tracking example in which a pattern-rule of interest is not flagged when observing the sequence of mean track position values but is flagged with a reasonable probability using the proposed technique.</p>
					<p><a href="https://lib.jucs.org/article/23880/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23880/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23880/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 1 Sep 2013 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Compositionally Writing Proof Scores of Invariants in the OTS/CafeOBJ Method</title>
		    <link>https://lib.jucs.org/article/23244/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 19(6): 771-804</p>
					<p>DOI: 10.3217/jucs-019-06-0771</p>
					<p>Authors: Kazuhiro Ogata, Kokichi Futatsugi</p>
					<p>Abstract: Observational transition systems (OTSs) are state machines that can be described as behavioral specifications in CafeOBJ, an algebraic specification language and processor. The OTS/CafeOBJ method uses OTSs and CafeOBJ for systems specification and verification. Simultaneous induction is intensively used to prove that an OTS enjoys invariants in the method. To prove that two state predicates p and q are invariants with respect to an OTS S, simultaneous induction generates the proof obligations: (1) p(υ0) and p(υ) ∧ q(υ) ⇒ p(υ′), and (2) q(υ0) and p(υ) ∧ q(υ) ⇒ q(υ′) for each initial state υ0, each state υ and each successor state υ′ of υ. Instead, we may also use the proof obligations: (1) q(υ) ⇒ p(υ), and (2) q(υ0) and p(υ) ∧ q(υ) ⇒ q(υ′). The proof technique generating proof obligations like this is called semi-simultaneous induction. The proof obligation is equivalent to (1) q(υ) ⇒ p(υ), and (2) q(υ0) and q(υ) ⇒ q(υ′). But, the former may need less cases, making proofs shorter, than the latter. More importantly, the former makes it possible to record the process in which way lemmas have been conjectured. This article demonstrates some benefits of (semi)simultaneous induction, describes semi-simultaneous induction and justifies it.</p>
					<p><a href="https://lib.jucs.org/article/23244/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23244/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23244/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Thu, 28 Mar 2013 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Modeling and Verification of Reconfigurable Actor Families</title>
		    <link>https://lib.jucs.org/article/22937/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 19(2): 207-232</p>
					<p>DOI: 10.3217/jucs-019-02-0207</p>
					<p>Authors: Hamideh Sabouri, Ramtin Khosravi</p>
					<p>Abstract: Software product line engineering enables proactive reuse among a set of related products through explicit modeling of commonalities and differences among them. Features are usually used to distinguish different products as a product is identified by its supported feature set that is represented by a configuration. Dynamic product lines enhance flexibility of a product by allowing run-time reconfiguration. In this paper, we focus on modeling and verification of families of concurrent and distributed systems that are reconfigurable. To this end, we introduce the notion of variability in actor models to achieve family of reconfigurable actors. Then, we present our methodology to model this concept using the actor-based modeling language Rebeca. The model checking backbone of Rebeca enables us to ensure establishment of certain constraints on reconfigurations. We show the applicability and effectiveness of our approach by applying it on a set of case studies.</p>
					<p><a href="https://lib.jucs.org/article/22937/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/22937/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/22937/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 Jan 2013 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Deriving System Behavior from UML State Machine Diagram: Applied to Missile Project</title>
		    <link>https://lib.jucs.org/article/22862/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 19(1): 53-77</p>
					<p>DOI: 10.3217/jucs-019-01-0053</p>
					<p>Authors: Hyun-Seok Min, Sang-Mun Chung, Jin-Young Choi</p>
					<p>Abstract: Traditionally, System Analysis and Software Design are treated as separate processes. Software Design is based on System Analysis but they have little direct relationship to each other. UML (Unified Modeling Language) is widely accepted by industry as the de facto standard for System Analysis and Software Design. The primary tool for System Analysis is the Use Case Diagram and its Scenarios, while the primary tools for Software Design are the Class Diagram and Sequence Diagram. State Machine Diagram is also very useful for behavioral modeling. Our aim is to derive system behavior from software design, so that separate processes can work together. This paper suggests how to make a system-wide State Machine Diagram by gathering State Machine Diagrams in the system using predefined Stereotypes and Synchronization/Externalization. The resulting system-wide State Machine Diagram can be used for various things, such as automatic test case generation for the system, deadlock detection, and Use Case scenario consistency checking. The proposed method is applied to the Missile project of ADD (Agency for Defense Development) in South Korea. The result is very promising. It is expected to be applied to more projects.</p>
					<p><a href="https://lib.jucs.org/article/22862/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/22862/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/22862/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Tue, 1 Jan 2013 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>A Global Software Inspection Process for Distributed Software Development</title>
		    <link>https://lib.jucs.org/article/23975/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 18(19): 2731-2746</p>
					<p>DOI: 10.3217/jucs-018-19-2731</p>
					<p>Authors: Deepti Mishra, Alok Mishra</p>
					<p>Abstract: Globally distributed software development is an established trend towards delivering high-quality software to global users at lower costs. The main expected benefits from distributed software development are improvements in development time efficiency, being close to the customers and having flexible access to greater and less costly resources. Organizations require to use their existing resources as effectively as possible, and also need to employ resources on a global scale from different sites within the organization and from partner organizations throughout the world. However, distributed software development particularly faces communication and coordination problems due to spatial, temporal and cultural separation between team members. Ensuring quality issues in such projects is a significant issue. This paper presents a global software inspection process in the distributed software development environment towards quality assurance and management.</p>
					<p><a href="https://lib.jucs.org/article/23975/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23975/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23975/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 12 Nov 2012 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Behavioral and Temporal Pattern Detection within Financial Data with Hidden Information</title>
		    <link>https://lib.jucs.org/article/23844/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 18(14): 1950-1966</p>
					<p>DOI: 10.3217/jucs-018-14-1950</p>
					<p>Authors: Doron Drusinsky</p>
					<p>Abstract: This paper describes a technique for behavioral and temporal pattern detection within financial data, such as credit card and bank account data, where the required information is only partially visible. Typically, transaction amount, transaction date, merchant name and type, and location of transaction are all visible data items, i.e., they are readily available in the financial institution's database. In contrast, the transaction status as a business transaction (using a personal card), a personal transaction, an investment related transaction, or perhaps a suspicious transaction, is information not explicitly available in the database. Our behavioral pattern detection technique combines well-known Hidden Markov Model (HMM) techniques for learning and subsequent identification of hidden artifacts, with run-time pattern detection of probabilistic UML-based formal specifications. The proposed approach entails a process in which the end-user first develops his or her deterministic patterns, s/he then identifies hidden artifacts in those patterns. Those artifacts induce the state set of the identifying HMM, whose remaining parameters are learned using standard frequency analysis techniques. In the run-time pattern detection phase, the system emits visible information, used by the HMM to deduce invisible information, and sequences thereof; both types of information are then used by a probabilistic pattern detector to monitor the pattern.</p>
					<p><a href="https://lib.jucs.org/article/23844/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23844/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23844/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sat, 28 Jul 2012 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Qos-Security Metrics Based on ITIL and COBIT Standard for Measurement Web Services</title>
		    <link>https://lib.jucs.org/article/23232/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 18(6): 775-797</p>
					<p>DOI: 10.3217/jucs-018-06-0775</p>
					<p>Authors: Pattama Charuenporn, Sarun Intakosum</p>
					<p>Abstract: Web Services have been widely adopted in business projects, and almost all Web Service developers agree that security factors are the principal components that must be taken into consideration. A large number of security metrics and measurements is available for specific business needs, and the best practice for different business demands is therefore needed if the quality of service security metrics (Qos-SM) is to be developed. This research proposes a new way of developing Qos-SM using Qos ontology mapping with two information system standards, COBIT and ITIL, as a result of which new Qos-SM are developed. In order to prove the correctness and precision of the metrics, the researchers have used the metrics to measure the level of security quality from Web service data sets. The experimental results, based on vector analysis, show that the same level of security quality is attained with both of the metrics developed and the metrics from previous research. This research also represents the metrics in the form of a class diagram, thus facilitating its application in the organization.</p>
					<p><a href="https://lib.jucs.org/article/23232/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/23232/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/23232/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 Mar 2012 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Watermarking Techniques for Relational Databases: Survey, Classification and Comparison</title>
		    <link>https://lib.jucs.org/article/29854/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 16(21): 3164-3190</p>
					<p>DOI: 10.3217/jucs-016-21-3164</p>
					<p>Authors: Raju Halder, Shantanu Pal, Agostino Cortesi</p>
					<p>Abstract: Digital watermarking for relational databases emerged as a candidate solution to provide copyright protection, tamper detection, traitor tracing, maintaining integrity of relational data. Many watermarking techniques have been proposed in the literature to address these purposes. In this paper, we survey the current state-of-the-art and we classify them according to their intent, the way they express the watermark, the cover type, the granularity level, and their verifiability.</p>
					<p><a href="https://lib.jucs.org/article/29854/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29854/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29854/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 1 Dec 2010 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Toward an Integrated Tool Environment for Static Analysis of UML Class and Sequence Models</title>
		    <link>https://lib.jucs.org/article/29784/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 16(17): 2435-2454</p>
					<p>DOI: 10.3217/jucs-016-17-2435</p>
					<p>Authors: Wuliang Sun, Eunjee Song, Paul Grabow, Devon Simmonds</p>
					<p>Abstract: There is a need for more rigorous analysis techniques that developers can use for verifying the critical properties in UML models. The UML-based Specification Environment (USE) tool supports verification of invariants, preconditions, and postconditions specified in the Object Constraint Language (OCL). Due to its animation and analysis power, it is useful when checking critical non-functional properties such as security policies. However, the USE requires one to specify a model using its own textual language and does not allow one to import any model specification files created by other UML modeling tools. Hence, you would create a model with OCL constraints using a modeling tool such as the IBM Rational Software Architect (RSA) and then use the USE for the model verification. This approach, however, requires a manual transformation between two different specification formats, which diminishes the advantage of using tools for model-level verification. In this paper, we describe our own implementation of a specification transformation engine based on the Model-Driven Architecture (MDA) framework. Our approach currently supports automatic tool-level transformations to USE from UML modeling tools built on the Eclipse-based Modeling Framework (EMF).</p>
					<p><a href="https://lib.jucs.org/article/29784/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29784/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29784/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 1 Sep 2010 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Checking the Conformance between Models Based on Scenario Synchronization</title>
		    <link>https://lib.jucs.org/article/29771/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 16(17): 2293-2312</p>
					<p>DOI: 10.3217/jucs-016-17-2293</p>
					<p>Authors: Duc-Hanh Dang, Anh-Hoang Truong, Martin Gogolla</p>
					<p>Abstract: Narrowing the wide conceptual gap between problem and implementation domains is considered a significant factor within software engineering. Currently, such a relation is often obtained using mappings between metamodels for a structural semantics. This paper proposes an approach based on the integration of Triple Graph Grammars (TGGs) and the Object Constraint Language (OCL) in order to explain a behavioral relation between models at different levels of abstraction. Triple rules incorporating OCL allow us to synchronize execution scenarios of a system at two levels. In this way we obtain an integrated operational semantics of the models as well as the possibility for conformance verification between them. We illustrate our approach with a case study for the relation between use case and design models.</p>
					<p><a href="https://lib.jucs.org/article/29771/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29771/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29771/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 1 Sep 2010 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Static Analysis of the XEN Kernel using Frama-C</title>
		    <link>https://lib.jucs.org/article/29615/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 16(4): 543-553</p>
					<p>DOI: 10.3217/jucs-016-04-0543</p>
					<p>Authors: Armand Puccetti</p>
					<p>Abstract: In this paper, we describe the static analysis of the XEN 3.0.3 hypervisor using the Frama-C static analysis tool.</p>
					<p><a href="https://lib.jucs.org/article/29615/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29615/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29615/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 28 Feb 2010 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Parametric Model-Checking of Stopwatch Petri Nets</title>
		    <link>https://lib.jucs.org/article/29557/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 15(17): 3273-3304</p>
					<p>DOI: 10.3217/jucs-015-17-3273</p>
					<p>Authors: Louis-Marie Traonouez, Didier Lime, Olivier Roux</p>
					<p>Abstract: At the border between control and verification, parametric verification can be used to synthesize constraints on the parameters to ensure that a system verifies given specifications. In this paper we propose a new framework for the parametric verification of time Petri nets with stopwatches. We first introduce a parametric extension of time Petri nets with inhibitor arcs (ITPNs) with temporal parameters and we define a symbolic representation of the parametric state-space based on the classical state-class graph method. Then, we propose semi-algorithms for the parametric model-checking of a subset of parametric TCTL formulae on ITPNs. These results have been implemented in the tool Romeo and we illustrate them in a case-study based on a scheduling problem.</p>
					<p><a href="https://lib.jucs.org/article/29557/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29557/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29557/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 1 Nov 2009 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Tools and Stochastic Metrics for Debugging Temporal Behaviour of Real-Time Systems</title>
		    <link>https://lib.jucs.org/article/29422/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 15(8): 1563-1588</p>
					<p>DOI: 10.3217/jucs-015-08-1563</p>
					<p>Authors: Joaquín Entrialgo, Javier García, José Díaz, Daniel García</p>
					<p>Abstract: In real-time systems, temporal behaviour is as important as functional behaviour, so several techniques have been especially developed for these systems. Stochastic analysis techniques model the execution time of tasks as random variables and constitute a very powerful tool to study the temporal behaviour of real-time systems. However, as they cannot avoid all the timing bugs in the implementation, they must be combined with measurement techniques in order to gain more confidence in the implemented system. This paper presents a monitoring tool which can measure real-time systems developed using POSIX. The corresponding analysis and a visualization tool that makes it possible to find errors easily is also introduced. In order to find bugs in the timing behaviour of the system when a stochastic analysis technique is used, two metrics, called "pessimism" and "optimism", are proposed. They are based on two random variables, the optimistic and the pessimistic execution time, which are also introduced in this paper. These metrics are used in the debugging tools to compare the model and the measured system in order to find errors. The metrics are examined in four case studies.</p>
					<p><a href="https://lib.jucs.org/article/29422/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29422/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29422/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Tue, 28 Apr 2009 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Learning to Program with COALA, a Distributed Computer Assisted Environment</title>
		    <link>https://lib.jucs.org/article/29409/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 15(7): 1472-1485</p>
					<p>DOI: 10.3217/jucs-015-07-1472</p>
					<p>Authors: Francisco Jurado, Ana Molina, Miguel Redondo, Manuel Ortega Cantero, Adam Giemza, Lars Bollen, H. Hoppe</p>
					<p>Abstract: Learning to program is an important subject for students of Computer Science. Mentoring these students is a time-consuming and complex task. In this paper, we present a learning and tutoring environment that integrates task/solution delivery, assessment support and tutors' annotations, by extending Eclipse to a "Real World Integrated Development Environment". We will present a distributed system that uses Tuple Space architecture to integrate Eclipse with an evaluation module and a hand-writing annotation feature.</p>
					<p><a href="https://lib.jucs.org/article/29409/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29409/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29409/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 1 Apr 2009 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Formal Verification of Semistructured Data Models in PVS</title>
		    <link>https://lib.jucs.org/article/29302/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 15(1): 241-272</p>
					<p>DOI: 10.3217/jucs-015-01-0241</p>
					<p>Authors: Scott Lee, Gillian Dobbie, Jing Sun, Lindsay Groves</p>
					<p>Abstract: The rapid growth of the World Wide Web has resulted in a dramatic increase in semistructured data usage, creating a growing need for effective and efficient utilization of semistructured data. In order to verify the correctness of semistructured data design, precise descriptions of the schemas and transformations on the schemas must be established. One effective way to achieve this goal is through formal modeling and automated verification. This paper presents the first step towards this goal. In our approach, we have formally specified the semantics of the ORA-SS (Object-Relationship-Attribute data model for Semistructured data) data modeling language in PVS (Prototype Verification System) and provided automated verification support for both ORA-SS schemas and XML (Extensible Markup Language) data instances using the PVS theorem prover. This approach provides a solid basis for verifying algorithms that transform schemas for semistructured data.</p>
					<p><a href="https://lib.jucs.org/article/29302/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29302/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29302/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Thu, 1 Jan 2009 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Reasoning about Nonblocking Concurrency</title>
		    <link>https://lib.jucs.org/article/29293/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 15(1): 72-111</p>
					<p>DOI: 10.3217/jucs-015-01-0072</p>
					<p>Authors: Lindsay Groves</p>
					<p>Abstract: Verification of concurrent algorithms has been the focus of much research over a considerable period of time, and a variety of techniques have been developed that are suited to particular classes of algorithm, for example algorithms based on message passing or mutual exclusion. The development of nonblocking or lock-free algorithms, which rely only on hardware primitives such as Compare And Swap, presents new challenges for verification, as they allow greater levels of concurrency and more complex interactions between processes. In this paper, we describe and compare two approaches to reasoning about nonblocking algorithms. We give a brief overview of the simulation approach we have used in previous work. We then give a more detailed description of an approach based on Lipton's reduction method, and illustrate it by verifying two versions of a shared counter and two versions of a shared stack. Both approaches work by transforming a concurrent execution into an equivalent sequential execution, but they differ in the way that executions are transformed and the way that transformations are justified.</p>
					<p><a href="https://lib.jucs.org/article/29293/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29293/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29293/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Thu, 1 Jan 2009 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>On Defining the Behavior of OR-joins in Business Process Models</title>
		    <link>https://lib.jucs.org/article/29290/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 15(1): 3-32</p>
					<p>DOI: 10.3217/jucs-015-01-0003</p>
					<p>Authors: Egon Börger, Ove Sörensen, Bernhard Thalheim</p>
					<p>Abstract: The recent literature on business process modeling notations contains numerous contributions to the so-called OR-join (or inclusive merge gateway) problem. We analyze the problem and present an approach to solve it without compromising any of the two major concerns that are involved: a) a clear semantical definition (design), which also clarifies what has to be implemented to achieve the intended generality of the construct, and b) a comprehensive set of static and dynamic analysis methods (verification of properties of business process models using the construct). We provide a conceptually simple scheme for dynamic OR-join synchronization policies, which can be implemented with low run-time overhead and allows the practitioner to effectively link the design of business process models with OR-joins to an analysis of the intended model properties. The definitions have been experimentally validated by a graph-based simulator.</p>
					<p><a href="https://lib.jucs.org/article/29290/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29290/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29290/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Thu, 1 Jan 2009 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>What is Correctness of Security Protocols?</title>
		    <link>https://lib.jucs.org/article/29120/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 14(12): 2083-2106</p>
					<p>DOI: 10.3217/jucs-014-12-2083</p>
					<p>Authors: Giampaolo Bella</p>
					<p>Abstract: As soon as major protocol flaws were discovered empirically -- a good luck that is not older than the early 1990s -- this title question came up to the world. It was soon realised that some notion of formal correctness was necessary to substantiate the confidence derived from informal analyses. But protocol correctness was born in a decade when security in general was only beginning to ferment. Security protocols aim at a large variety of goals. This is partly due to the increasing domains where the protocols are finding an application, such as secure access to local-area network services, secure e-mail, e-commerce, public-key registration at certification authorities and so on. Also, several interpretations are possible about each goal. Clearly, it is impossible to study protocol correctness profitably without a universal and unambiguous interpretation of its goals. What may be typical of security problems is that it is at least as important to state a detailed and appropriate model of threats that a secure system is meant to withstand. This has been a second and significant source of perhaps useless debates around many protocols. These are certain to be some of the reasons why dozens of papers appeared about one, now popular, protocol attack in just a few years of the second half of the last decade. One of the protocol designers firmly refused those "findings" because his protocol had been conceived within a different threat model -- and perhaps for different goals -- from the one that the publications had been constructed upon. It seems obvious that an ant may survive under a single sheet of paper but certainly will not under a hard-back bulky book. It should be clarified what an ant and a bulky book precisely are. With particular attention to similar issues, this position paper discusses some findings of the author's in the area of protocol formal analysis. Their significance mostly is methodical rather than specific for particular protocols. The paper then outlines the author's favourite tool, the Inductive Method, and concludes with a few open problems.</p>
					<p><a href="https://lib.jucs.org/article/29120/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29120/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29120/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sat, 28 Jun 2008 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Modularizing Theorems for Software Product Lines: The Jbook Case Study</title>
		    <link>https://lib.jucs.org/article/29119/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 14(12): 2059-2082</p>
					<p>DOI: 10.3217/jucs-014-12-2059</p>
					<p>Authors: Don Batory, Egon Börger</p>
					<p>Abstract: A goal of software product lines is the economical assembly of programs in a family of programs. In this paper, we explore how theorems about program properties may be integrated into feature-based development of software product lines. As a case study, we analyze an existing Java/JVM compilation correctness proof for defining, interpreting, compiling, and executing bytecode for the Java language. We show how features modularize program source, theorem statements and their proofs. By composing features, the source code, theorem statements and proofs for a program are assembled. The investigation in this paper reveals a striking similarity of the refinement concepts used in Abstract State Machines (ASM) based system development and Feature-Oriented Programming (FOP) of software product lines. We suggest to exploit this observation for a fruitful interaction of researchers in the two communities.</p>
					<p><a href="https://lib.jucs.org/article/29119/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29119/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29119/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sat, 28 Jun 2008 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Simulation of Timed Abstract State Machines with Predicate Logic Model-Checking</title>
		    <link>https://lib.jucs.org/article/29112/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 14(12): 1984-2006</p>
					<p>DOI: 10.3217/jucs-014-12-1984</p>
					<p>Authors: Anatol Slissenko, Pavel Vasilyev</p>
					<p>Abstract: We describe a prototype of a simulator for reactive timed abstract state machines (ASM) that checks whether the generated runs verify a requirements specification represented as a formula of a First Order Timed Logic (FOTL). The simulator deals with ASM with continuous or discrete time. The time constraints are linear inequalities. It can treat two semantics, one with instantaneous actions and another one with delayed actions, the delays being bounded and non-deterministic.</p>
					<p><a href="https://lib.jucs.org/article/29112/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29112/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29112/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sat, 28 Jun 2008 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>ASM Refinement Preserving Invariants</title>
		    <link>https://lib.jucs.org/article/29108/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 14(12): 1929-1948</p>
					<p>DOI: 10.3217/jucs-014-12-1929</p>
					<p>Authors: Gerhard Schellhorn</p>
					<p>Abstract: This paper gives a definition of ASM refinement suitable for the verification that a protocol implements atomic transactions. We used this definition as the basis of the formal verification of the refinements of the Mondex case study with the interactive theorem prover KIV. The refinement definition we give differs from the one we gave in earlier work which preserves partial and total correctness assertions of ASM runs. The reason is that the main goal of the refinement of the Mondex protocol is to preserve a security invariant, while total correctness is not preserved. To preserve invariants, the definition of generalized forward simulation is limited to the use of "small" diagrams, which consist of a single protocol step. We show a technique that allows to use the natural "big" diagrams that consist of an atomic action being refined by a full protocol run.</p>
					<p><a href="https://lib.jucs.org/article/29108/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/29108/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/29108/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sat, 28 Jun 2008 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Integrating Module Checking and Deduction in a Formal Proof for the Perlman Spanning Tree Protocol (STP)</title>
		    <link>https://lib.jucs.org/article/28922/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(13): 2076-2104</p>
					<p>DOI: 10.3217/jucs-013-13-2076</p>
					<p>Authors: Hossein Hojjat, Hootan Nakhost, Marjan Sirjani</p>
					<p>Abstract: In the IEEE 802.1D standard for the Media Access Control layer (MAC layer) bridges, there is an STP (Spanning Tree Protocol) definition, based on the algorithm that was proposed by Radia Perlman. In this paper, we give a formal proof for correctness of the STP algorithm by showing that finally a single node is selected as the root of the tree and the loops are eliminated correctly. We use formal inductive reasoning to establish these requirements. In order to ensure that the bridges behave correctly regardless of the topology of the surrounding bridges and LANs, the Rebeca modular verification techniques are applied. These techniques are shown to be efficiently applicable in model checking of open systems.</p>
					<p><a href="https://lib.jucs.org/article/28922/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28922/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28922/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Dec 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Hardware/Software Co-design and Verification Methodology from System Level Based on System Dependence Graph</title>
		    <link>https://lib.jucs.org/article/28919/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(13): 1972-2001</p>
					<p>DOI: 10.3217/jucs-013-13-1972</p>
					<p>Authors: Shunsuke Sasaki, Tasuku Nishihara, Daisuke Ando, Masahiro Fujita</p>
					<p>Abstract: System Dependence Graph (SDG) is a graph representation which shows dependencies among statements / expressions in a design. In this paper, we propose a new HW/SW co-design methodology based on SDG. In our method, any combination of C / C++ / SpecC descriptions is acceptable as input designs so that design functions can be specified flexibly. First, the input descriptions are analyzed and verified with static but partially dynamic program checking methods by traversing SDG. With those methods, large descriptions can be processed. Next, those designs are divided into HW and SW parts. In this step, SDGs are fully utilized to insert parallelism into the designs, and it enables flexible HW/SW partitioning. The HW parts are further optimized and then converted into RTL descriptions by existing behavioral synthesis tools. Finally, the generated RTL descriptions together with the SW parts are compared to the original descriptions in order to make sure that they are logically equivalent. Also, designer-specified properties may be model checked with these final design descriptions. Such formal verifications can be realized by translating those descriptions into Finite State Machine (FSM) type representations and existing formal verifiers. We show two case studies with practical examples to demonstrate the usefulness of our approach.</p>
					<p><a href="https://lib.jucs.org/article/28919/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28919/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28919/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Dec 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Specification and Refinement of Access Control</title>
		    <link>https://lib.jucs.org/article/28837/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(8): 1073-1093</p>
					<p>DOI: 10.3217/jucs-013-08-1073</p>
					<p>Authors: Dominique Méry, Stephan Merz</p>
					<p>Abstract: We consider the extension of fair event system specifications by concepts of access control (prohibitions, user rights, and obligations). We give proof rules for verifying that an access control policy is correctly implemented in a system, and consider preservation of access control by refinement of event systems. Prohibitions and obligations are expressed as properties of traces and are preserved by standard refinement notions of event systems. Preservation of user rights is not guaranteed by construction; we propose to combine implementation-level user rights and obligations to implement high-level user rights.</p>
					<p><a href="https://lib.jucs.org/article/28837/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28837/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28837/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Tue, 28 Aug 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>CML: C Modeling Language</title>
		    <link>https://lib.jucs.org/article/28796/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(6): 682-700</p>
					<p>DOI: 10.3217/jucs-013-06-0682</p>
					<p>Authors: Frederico Jr., Ricardo Lima, Marcio Cornelio, Sergio Soares, Paulo Maciel, Raimundo Barreto, Eduardo Tavares</p>
					<p>Abstract: Non-functional requirements such as performance, program size, and energy consumption significantly affect the quality of software systems. Small devices like PDAs and mobile phones have little memory, slow processors, and energy constraints. The C programming language has been the choice of many programmers when developing applications for small devices. On the other hand, the need for functional software correctness has derived several specification languages that adopt the Design by Contract (DBC) technique. In this work we propose a specification language for C, called CML (C Modeling Language), focused on non-functional requirements. CML is inspired by the Design By Contract technique. An additional contribution is a verification tool for hard real-time systems. The tool is the first application developed for CML. The practical usage of CML is presented through a case study, which is a real application for a vehicle monitoring system.</p>
					<p><a href="https://lib.jucs.org/article/28796/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28796/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28796/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Thu, 28 Jun 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Realising the Benefits of Formal Methods</title>
		    <link>https://lib.jucs.org/article/28794/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(5): 669-678</p>
					<p>DOI: 10.3217/jucs-013-05-0669</p>
					<p>Authors: Anthony Hall</p>
					<p>Abstract: This paper surveys the whys, and the wherefores of using formal methods in an industrial context. Evidence is presented that the benefits of using formal techniques, though not an automatic consequence of their adoption, can be considerable.</p>
					<p><a href="https://lib.jucs.org/article/28794/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28794/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28794/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 May 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>The Verification Grand Challenge</title>
		    <link>https://lib.jucs.org/article/28792/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(5): 661-668</p>
					<p>DOI: 10.3217/jucs-013-05-0661</p>
					<p>Authors: Jim Woodcock, Richard Banach</p>
					<p>Abstract: This paper overviews the Verification Grand Challenge, a large scale multinational initiative designed to significantly increase the interoperability, applicability and uptake of formal development techniques. Results to date are reviewed, and next steps are outlined.</p>
					<p><a href="https://lib.jucs.org/article/28792/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28792/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28792/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 May 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Automated Formal Methods Enter the Mainstream</title>
		    <link>https://lib.jucs.org/article/28791/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(5): 650-660</p>
					<p>DOI: 10.3217/jucs-013-05-0650</p>
					<p>Authors: John Rushby</p>
					<p>Abstract: This paper outlines the emergence of formal techniques, explaining why they were slow to take on an industrially acceptable form. The contemporary scene, in which formal techniques are increasingly packaged within tools usable by a wide variety of engineers, is reviewed, as are the promising prospects for the future.</p>
					<p><a href="https://lib.jucs.org/article/28791/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28791/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28791/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 May 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Model Checking: Software and Beyond</title>
		    <link>https://lib.jucs.org/article/28790/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(5): 639-649</p>
					<p>DOI: 10.3217/jucs-013-05-0639</p>
					<p>Authors: Edmund Clarke, Flavio Lerda</p>
					<p>Abstract: This paper introduces model checking, originally conceived for checking finite state systems. It surveys its evolution to encompass finitely checkable properties of systems with unbounded state spaces, and its application to software and other systems.</p>
					<p><a href="https://lib.jucs.org/article/28790/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28790/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28790/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 May 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Formal Methods: Theory Becoming Practice</title>
		    <link>https://lib.jucs.org/article/28784/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(5): 619-628</p>
					<p>DOI: 10.3217/jucs-013-05-0619</p>
					<p>Authors: Jean-Raymond Abrial</p>
					<p>Abstract: This paper gives a tutorial introduction to the ideas behind system development using the B-Method. Properly handled, the crucial relationship between requirements and formal model leads to systems that are correct by construction. Some industrial successes are outlined.</p>
					<p><a href="https://lib.jucs.org/article/28784/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28784/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28784/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 May 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Formal Methods for Specifying, Validating, and Verifying Requirements</title>
		    <link>https://lib.jucs.org/article/28782/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(5): 607-618</p>
					<p>DOI: 10.3217/jucs-013-05-0607</p>
					<p>Authors: Constance Heitmeyer</p>
					<p>Abstract: This paper describes the specification, validation and verification of system and software requirements using the SCR tabular method and tools. An example is presented to illustrate the SCR tabular notation, and an overview of each of the ten tools in the SCR toolset is presented.</p>
					<p><a href="https://lib.jucs.org/article/28782/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28782/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28782/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 May 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Software Is More Than Code</title>
		    <link>https://lib.jucs.org/article/28781/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(5): 602-606</p>
					<p>DOI: 10.3217/jucs-013-05-0602</p>
					<p>Authors: Sriram Rajamani</p>
					<p>Abstract: This paper reviews the current practice of software engineering and outlines some prospects for developing a more holistic and formally grounded approach.</p>
					<p><a href="https://lib.jucs.org/article/28781/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28781/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28781/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 May 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Formal Methods Guest Editorial</title>
		    <link>https://lib.jucs.org/article/28780/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 13(5): 593-601</p>
					<p>DOI: 10.3217/jucs-013-05-0593</p>
					<p>Authors: Richard Banach</p>
					<p>Abstract: This introductory paper gives some historical background to the emergence of formal methods, overviews what subsequently happened, and surveys prospects for the future. Brief introductions to the remaining papers in the Special Issue are given.</p>
					<p><a href="https://lib.jucs.org/article/28780/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28780/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28780/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 May 2007 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Verifying Real-Time Properties of tccp Programs</title>
		    <link>https://lib.jucs.org/article/28699/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 12(11): 1551-1573</p>
					<p>DOI: 10.3217/jucs-012-11-1551</p>
					<p>Authors: María Alpuente, María del Mar Gallardo, Ernesto Pimentel, Alicia Villanueva</p>
					<p>Abstract: The size and complexity of software systems are continuously increasing, which makes them difficult and labor-intensive to develop, test and evolve. Since concurrent systems are particularly hard to verify by hand, achieving effective and automated verification tools for concurrent software has become an important topic of research. Model checking is a popular automated verification technology which allows us to determine the properties of a software system and enables more thorough and less costly testing. In this work, we improve the model-checking methodology previously developed for the timed concurrent constraint programming language tccp so that more sophisticated, real-time properties can be verified by the model-checking tools. The contributions of the paper are twofold. On the one hand, we define a timed extension of the tccp semantics which considers an explicit, discrete notion of the passing of time. On the other hand, we consistently define a real-time extension of the linear-time temporal logic that is used to specify and analyze the software properties in tccp. Both extensions fit into the tccp framework perfectly in such a way that with minor modifications any tccp model checker can be reused to analyze real-time properties. Finally, by means of an example, we illustrate the improved ability to check real-time properties.</p>
					<p><a href="https://lib.jucs.org/article/28699/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28699/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28699/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Tue, 28 Nov 2006 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Variations on Itai-Rodeh Leader Election for Anonymous Rings and their Analysis in PRISM</title>
		    <link>https://lib.jucs.org/article/28645/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 12(8): 981-1006</p>
					<p>DOI: 10.3217/jucs-012-08-0981</p>
					<p>Authors: Wan Fokkink, Jun Pang</p>
					<p>Abstract: We present two probabilistic leader election algorithms for anonymous unidirectional rings with FIFO channels, based on an algorithm from Itai and Rodeh [Itai and Rodeh 1981]. In contrast to the Itai-Rodeh algorithm, our algorithms are finite-state. So they can be analyzed using explicit state space exploration; we used the probabilistic model checker PRISM to verify, for rings up to size four, that eventually a unique leader is elected with probability one. Furthermore, we give a manual correctness proof for each algorithm.</p>
					<p><a href="https://lib.jucs.org/article/28645/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28645/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28645/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 Aug 2006 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>On-line Monitoring of Metric Temporal Logic with Time-Series Constraints Using Alternating Finite Automata</title>
		    <link>https://lib.jucs.org/article/28613/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 12(5): 482-498</p>
					<p>DOI: 10.3217/jucs-012-05-0482</p>
					<p>Authors: Doron Drusinsky</p>
					<p>Abstract: In this paper we describe a technique for monitoring and checking temporal logic assertions augmented with real-time and time-series constraints, or Metric Temporal Logic Series (MTLS). The method is based on Remote Execution and Monitoring (REM) of temporal logic assertions. We describe the syntax and semantics of MTLS and a monitoring technique based on alternating finite automata that is efficient for a large set of frequently used formulae and is also an on-line technique. We investigate the run-time data-structure size for several interesting assertions taken from the Kansas State specification patterns.</p>
					<p><a href="https://lib.jucs.org/article/28613/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28613/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28613/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 28 May 2006 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Development of Ambient Intelligence Applications using Components and Aspects</title>
		    <link>https://lib.jucs.org/article/28579/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 12(3): 236-251</p>
					<p>DOI: 10.3217/jucs-012-03-0236</p>
					<p>Authors: Lidia Fuentes, Daniel Jiménez, Mónica Pinto</p>
					<p>Abstract: In recent times, interest in Ambient Intelligence (or AmI) has increased considerably. One of the main challenges in the development of these systems is to improve their modularization in order to achieve a high degree of reusability, adaptability and extensibility. This will help us to deal with the heterogeneity and evolution of the environments in which AmI devices exist. An example would be to easily adapt existing applications when new communication technologies appear. Current approaches apply component technologies to achieve these goals, but more should be done. Our research focuses on applying aspect technologies to components in order to improve AmI application modularization. We present the benefits of aspect technologies with regard to reusability and adaptability, by showing the limitations of PCOM, a component-based AmI middleware platform. We will show a study comparing DAOPAmI, our own component and aspect-based AmI middleware platform and PCOM.</p>
					<p><a href="https://lib.jucs.org/article/28579/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28579/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28579/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Tue, 28 Mar 2006 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Modular Verification of a Component-Based Actor Language</title>
		    <link>https://lib.jucs.org/article/28493/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 11(10): 1695-1717</p>
					<p>DOI: 10.3217/jucs-011-10-1695</p>
					<p>Authors: Marjan Sirjani, Frank De Boer, Ali Movaghar</p>
					<p>Abstract: Rebeca is an actor-based language for modeling concurrent and distributed systems as a set of reactive objects which communicate via asynchronous message passing. Rebeca is extended to support synchronous communication, and at the same time components are introduced to encapsulate the tightly coupled reactive objects which may communicate by synchronous messages. This provides us with a language for modeling globally asynchronous and locally synchronous systems. Components interact only by asynchronous messages. This feature and also the event-driven nature of the computation are exploited to introduce a modular verification approach in order to overcome the state explosion problem in model checking. In this paper we elaborate on the corresponding theory of the modular verification approach which is based on the formal semantics of components in extended Rebeca.</p>
					<p><a href="https://lib.jucs.org/article/28493/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28493/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28493/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Oct 2005 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Model Checking, Automated Abstraction, and Compositional Verification of Rebeca Models</title>
		    <link>https://lib.jucs.org/article/28428/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 11(6): 1054-1082</p>
					<p>DOI: 10.3217/jucs-011-06-1054</p>
					<p>Authors: Marjan Sirjani, Ali Movaghar, Amin Shali, Frank De Boer</p>
					<p>Abstract: Actor-based modeling, with encapsulated active objects which communicate asynchronously, is generally recognized to be well-suited for representing concurrent and distributed systems. In this paper we discuss the actor-based language Rebeca which is based on a formal operational interpretation of the actor model. Its Java-like syntax and object-based style of modeling makes it easy to use for software engineers, and its independent objects as units of concurrency leads to natural abstraction techniques necessary for model checking. We present a front-end tool for translating Rebeca to the languages of existing model checkers in order to model check Rebeca models. Automated modular verification and abstraction techniques are supported by the tool.</p>
					<p><a href="https://lib.jucs.org/article/28428/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28428/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28428/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Tue, 28 Jun 2005 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Automated Support for Enterprise Information Systems</title>
		    <link>https://lib.jucs.org/article/28318/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 10(11): 1519-1539</p>
					<p>DOI: 10.3217/jucs-010-11-1519</p>
					<p>Authors: John Andrew Andrew Van Der Poll, Paula Kotzé, Willem Labuschagne</p>
					<p>Abstract: A condensed specification of a multi-level marketing (MLM) enterprise which can be modelled by mathematical forests and trees is presented in Z. We thereafter identify a number of proof obligations that result from operations on the state space. Z is based on first-order logic and a strongly-typed fragment of Zermelo-Fraenkel set theory, hence the feasibility of using certain reasoning heuristics developed for proving theorems in set theory is investigated for discharging the identified proof obligations. Using the automated reasoner OTTER, we illustrate how these proof obligations from a real-life enterprise may successfully be discharged using a suite of well-chosen heuristics.</p>
					<p><a href="https://lib.jucs.org/article/28318/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28318/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28318/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 28 Nov 2004 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>FBT: A Tool for Applying Interval Logic Specifications to On-the-fly Model Checking</title>
		    <link>https://lib.jucs.org/article/28316/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 10(11): 1498-1518</p>
					<p>DOI: 10.3217/jucs-010-11-1498</p>
					<p>Authors: Miguel Hornos</p>
					<p>Abstract: This paper presents the FBT (FIL to Buechi automaton Translator) tool which automatically translates any formula from FIL (Future Interval Logic) into its semantically equivalent Buechi automaton. There are two advantages of using this logic for specifying and verifying system properties instead of other more traditional and extended temporal logics, such as LTL (Linear Temporal Logic): firstly, it allows a succinct construction of specific temporal contexts, where certain properties must be evaluated, thanks to its key element, the interval, and secondly, it also permits a natural, intuitive, graphical representation. The underlying algorithm of the tool is based on the tableau method and is specially intended for application in on-the-fly model checking. In addition to a description of the design and implementation structure of FBT, we also present some experimental results obtained by our tool, and compare these results with the ones produced by another tool of similar characteristics (i.e. based on an on-the-fly tableau algorithm), but for LTL.</p>
					<p><a href="https://lib.jucs.org/article/28316/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28316/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28316/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 28 Nov 2004 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Monitoring Temporal Logic Specifications Combined with Time Series Constraints</title>
		    <link>https://lib.jucs.org/article/28128/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 9(11): 1261-1276</p>
					<p>DOI: 10.3217/jucs-009-11-1261</p>
					<p>Authors: Doron Drusinsky, Man-Tak Shing</p>
					<p>Abstract: Run-time monitoring of temporal properties and assertions is used for testing and as a component of execution-based model checking techniques. Traditional run-time monitoring, however, is limited to observing sequences of pure Boolean propositions. This paper describes tools for observing temporal properties over time series, namely, sequences of propositions with constraints on data value changes over time. Using such Temporal Logic with time Series (TLS), it is possible to monitor important properties such as stability, monotonicity, temporal average and sum values, and temporal min/max values. The specification and monitoring of linear time temporal logic with real-time and time series constraints are supported by the Temporal Rover and the DBRover, which are in-process and remote run-time monitoring tools. The novel TLS extension described in this paper is based on practical experience and feedback provided by NASA engineers after using the DBRover to verify flight code. The paper also presents a novel hybrid approach to verify timing properties in rapid system prototyping that combines the traditional schedulability analysis of the design and the monitoring of timing constraint satisfaction during prototype execution based on a time-series temporal logic. The effectiveness of the approach is demonstrated with a prototype of the fish farm control system software.</p>
					<p><a href="https://lib.jucs.org/article/28128/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28128/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28128/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Nov 2003 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Alias Verification for Fortran Code Optimization</title>
		    <link>https://lib.jucs.org/article/28007/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 9(3): 270-297</p>
					<p>DOI: 10.3217/jucs-009-03-0270</p>
					<p>Authors: Thi Viet Nga Nguyen, Francois Irigoin</p>
					<p>Abstract: Alias analysis for Fortran is less complicated than for programming languages with pointers but many real Fortran programs violate the standard: a formal parameter or a common variable that is aliased with another formal parameter is modified. Compilers, assuming standard-conforming programs, consider that an assignment to one variable will not change the value of any other variable, allowing optimizations involving the aliased variables. Higher performance results but anything may happen: the program may appear to run normally, or produce incorrect answers, or behave unpredictably. The results may depend on the compiler and the optimization level. To guarantee the standard conformance of programs in order to make program analyses exact and program optimizations safe, precise alias information, i.e. the determination of overlaps among arrays, is studied in this paper. Static analyses and code instrumentation are used to find all violations of the aliasing rules in Fortran code. Alias violation tests are inserted only at places where it cannot be proved statically that they are useless in order to reduce the number of dynamic checks at run-time. A specific memory location naming technique is used to obtain compact representation and to enhance the precision of alias analysis. Modifications on the dependence graph created by aliasing are also studied to show the impact of aliases on the correctness of some program optimizing transformations. Experimental results on SPEC95 CFP benchmark are presented and some related issues are also discussed.</p>
					<p><a href="https://lib.jucs.org/article/28007/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/28007/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/28007/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Mar 2003 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>VOC: A Methodology for the Translation Validation of Optimizing Compilers</title>
		    <link>https://lib.jucs.org/article/27937/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 9(3): 223-247</p>
					<p>DOI: 10.3217/jucs-009-03-0223</p>
					<p>Authors: Lenore Zuck, Amir Pnueli, Yi Fang, Benjamin Goldberg</p>
					<p>Abstract: There is a growing awareness, both in industry and academia, of the crucial role of formally verifying the translation from high-level source-code into low-level object code that is typically performed by an optimizing compiler. Formally verifying an optimizing compiler, as one would verify any other large program, is not feasible due to its size, ongoing evolution and modification, and, possibly, proprietary considerations. Translation validation is a novel approach that offers an alternative to the verification of translators in general and compilers in particular: Rather than verifying the compiler itself, one constructs a validation tool which, after every run of the compiler, formally confirms that the target code produced in the run is a correct translation of the source program. The paper presents voc, a methodology for the translation validation of optimizing compilers. We distinguish between structure preserving optimizations, for which we establish a simulation relation between the source and target code based on computational induction, and structure modifying optimizations, for which we develop specialized permutation rules. The paper also describes voc-64 - a prototype translation validator tool that automatically produces verification conditions for the global optimizations of the SGI Pro-64 compiler.</p>
					<p><a href="https://lib.jucs.org/article/27937/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27937/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27937/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Mar 2003 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Using Program Checking to Ensure the Correctness of Compiler Implementations</title>
		    <link>https://lib.jucs.org/article/27936/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 9(3): 191-222</p>
					<p>DOI: 10.3217/jucs-009-03-0191</p>
					<p>Authors: Sabine Glesner</p>
					<p>Abstract: We evaluate the use of program checking to ensure the correctness of compiler implementations. Our contributions in this paper are threefold: Firstly, we extend the classical notion of black-box program checking to program checking with certificates. Our checking approach with certificates relies on the observation that the correctness of solutions of NP-complete problems can be checked in polynomial time whereas their computation itself is believed to be much harder. Our second contribution is the application of program checking with certificates to optimizing compiler backends, in particular code generators, thus answering the open question of how program checking for such compiler backends can be achieved. In particular, we state a checking algorithm for code generation based on bottom-up rewrite systems from static single assignment representations. We have implemented this algorithm in a checker for a code generator used in an industrial project. Our last contribution in this paper is an integrated view on all compiler passes, in particular a comparison between frontend and backend phases, with respect to the applicable methods of program checking.</p>
					<p><a href="https://lib.jucs.org/article/27936/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27936/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27936/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Mar 2003 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>HOL-Z 2.0: A Proof Environment for Z-Specifications</title>
		    <link>https://lib.jucs.org/article/27933/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 9(2): 152-172</p>
					<p>DOI: 10.3217/jucs-009-02-0152</p>
					<p>Authors: Achim Brucker, Frank Rittinger, Burkhart Wolff</p>
					<p>Abstract: We present a new proof environment for the specification language Z. The basis is a semantic representation of Z in a structure-preserving, shallow embedding in Isabelle/HOL. On top of the embedding, new proof support for the Z schema calculus and for proof structuring are developed. Thus, we integrate Z into a well-known and trusted theorem prover with advanced deduction technology such as higher-order rewriting, tableaux-based provers and arithmetic decision procedures. A further achievement of this work is the integration of our embedding into a new tool-chain providing a Z-oriented type checker, documentation facilities and macro support for refinement proofs; as a result, the gap has been closed between a logical embedding proven correct and a tool suited for applications of nontrivial size.</p>
					<p><a href="https://lib.jucs.org/article/27933/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27933/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27933/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Feb 2003 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>A Case Study in Verification of UML Statecharts: the PROFIsafe Protocol</title>
		    <link>https://lib.jucs.org/article/27932/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 9(2): 138-151</p>
					<p>DOI: 10.3217/jucs-009-02-0138</p>
					<p>Authors: Robi Malik, Reinhard Mühlfeld</p>
					<p>Abstract: We discuss our experience obtained during the PROFIsafe verification and test case generation project at Siemens Corporate Technology. In this project, a formal analysis of the PROFIsafe protocol for failsafe communication has been carried out. A formal model based on finite-state machines has been obtained from the UML specification of the protocol. This model has been analysed with formal verification techniques, and several important properties have been proven. Based on the verified model, a set of test cases for the automatic execution of conformance tests has been derived. The paper explains how the UML statecharts defining the PROFIsafe protocol are translated into finite-state machines, and points out important aspects and problems occurring during the modelling and verification of industrial applications.</p>
					<p><a href="https://lib.jucs.org/article/27932/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27932/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27932/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Feb 2003 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Moby/RT: A Tool for Specification and Verification of Real-Time Systems</title>
		    <link>https://lib.jucs.org/article/27929/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 9(2): 88-105</p>
					<p>DOI: 10.3217/jucs-009-02-0088</p>
					<p>Authors: Ernst-Rüdiger Olderog, Henning Dierks</p>
					<p>Abstract: The tool Moby/RT supports the design of realtime systems at the levels of requirements, design specifications and programs. Requirements are expressed by constraint diagrams [Kleuker, 2000], design specifications by PLC-Automata [Dierks, 2000], and programs by Structured Text, a programming language dedicated for programmable logic controllers (PLCs), or by programs for LEGO Mindstorm robots. In this paper we outline the theoretical background of Moby/RT by discussing its semantic basis and its use for automatic verification by utilising the model-checker UPPAAL [Larsen et al., 1997].</p>
					<p><a href="https://lib.jucs.org/article/27929/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27929/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27929/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Feb 2003 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>A Framework for Semantics of UML Sequence Diagrams in PVS</title>
		    <link>https://lib.jucs.org/article/27895/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 8(7): 674-697</p>
					<p>DOI: 10.3217/jucs-008-07-0674</p>
					<p>Authors: Demissie Aredo</p>
					<p>Abstract: This paper presents a framework for representing formal semantics of a subset of the Unified Modeling Language (UML) notation in a higher-order logic, more specifically semantics of UML sequence diagrams is encoded into the Prototype Verification System (PVS). The primary objective of our work is to make UML models amenable to rigorous analysis by providing their precise semantics. This approach paves a way for formal development of systems through a systematic transformation of UML models. This work is a part of a long-term vision to explore how the PVS tool set can be used to underpin practical tools for analyzing UML models. It contributes to the ongoing effort to provide mathematical foundation to UML notations, with the aim of clarifying the semantics of the language as well as supporting the development of semantically-based tools.</p>
					<p><a href="https://lib.jucs.org/article/27895/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27895/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27895/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 28 Jul 2002 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>A Logic for Abstract State Machines</title>
		    <link>https://lib.jucs.org/article/27833/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(11): 980-1005</p>
					<p>DOI: 10.3217/jucs-007-11-0980</p>
					<p>Authors: Robert Stärk, Stanislas Nanchen</p>
					<p>Abstract: We introduce a logic for non distributed, deterministic Abstract State Machines with parallel function updates. Unlike other logics for ASMs which are based on dynamic logic, our logic is based on an atomic predicate for function updates and on a definedness predicate for the termination of the evaluation of transition rules. We do not assume that the transition rules of ASMs are in normal form, for example, that they concern distinct cases. Instead we allow structuring concepts of ASM rules including sequential composition and possibly recursive submachine calls. We show that several axioms that have been proposed for reasoning about ASMs are derivable in our system. We provide also an extension of the logic with explicit step information which allows to eliminate modal operators in certain cases. The main technical result is that the logic is complete for hierarchical (non-recursive) ASMs. We show that, for hierarchical ASMs, the logic is a definitional extension of first-order predicate logic.</p>
					<p><a href="https://lib.jucs.org/article/27833/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27833/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27833/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 Nov 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Verification of ASM Refinements Using Generalized Forward Simulation</title>
		    <link>https://lib.jucs.org/article/27832/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(11): 952-979</p>
					<p>DOI: 10.3217/jucs-007-11-0952</p>
					<p>Authors: Gerhard Schellhorn</p>
					<p>Abstract: This paper describes a generic proof method for the correctness of refinements of Abstract State Machines based on commuting diagrams. The method generalizes forward simulations from the refinement of I/O automata by allowing arbitrary m:n diagrams, and by combining it with the refinement of data structures.</p>
					<p><a href="https://lib.jucs.org/article/27832/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27832/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27832/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 Nov 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>The Transition from VDL to VDM</title>
		    <link>https://lib.jucs.org/article/27810/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(8): 631-640</p>
					<p>DOI: 10.3217/jucs-007-08-0631</p>
					<p>Authors: Cliff Jones</p>
					<p>Abstract: This paper describes (one person's view of) how the Vienna Development Method grew out of the earlier work on the Vienna Definition Language. Both of these activities were undertaken at the IBM Laboratory Vienna during the 1960s and 70s.</p>
					<p><a href="https://lib.jucs.org/article/27810/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27810/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27810/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Tue, 28 Aug 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Computational Complexity of the Place/Transition-Net Symmetry Reduction Method</title>
		    <link>https://lib.jucs.org/article/27782/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(4): 307-326</p>
					<p>DOI: 10.3217/jucs-007-04-0307</p>
					<p>Authors: Tommi Junttila</p>
					<p>Abstract: Computational complexity of the subtasks in the symmetry reduction method for Place/Transition-nets is studied. The task of finding the automorphisms (symmetries) of a net is shown to be polynomial time many-one equivalent to the problem of finding the automorphisms of a graph. Deciding whether two markings are symmetric is shown to be a problem equivalent to the graph isomorphism problem. This remains to be the case even if a generator set for the automorphism group of the net is known. The problem of constructing the lexicographically greatest marking symmetric to a given marking (a canonical representative for the marking) is classified to belong to the lower levels of the polynomial hierarchy, namely to be FP<sup>NP[log n]</sup>-hard but in FP<sup>NP</sup>. It is also discussed how the self-symmetries of a marking can be exploited. Calculation of such symmetries is classified to be as hard as computing graph automorphism groups. Furthermore, the coverability version of testing marking symmetricity is shown to be an NP-complete problem. It is proven that canonical representative markings and the symmetric coverability problem cannot be combined in a straightforward way.</p>
					<p><a href="https://lib.jucs.org/article/27782/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27782/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27782/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sat, 28 Apr 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Correctness of Efficient Real-Time Model Checking</title>
		    <link>https://lib.jucs.org/article/27773/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(2): 194-209</p>
					<p>DOI: 10.3217/jucs-007-02-0194</p>
					<p>Authors: Wolfgang Reif, Gerhard Schellhorn, Tobias Vollmer, Jürgen Ruf</p>
					<p>Abstract: In this paper we describe the formal specification and verification of an efficient algorithm based on bitvectors for real-time model checking with the KIV system.  We demonstrate that the verification captures the essentials of the C++ algorithm as implemented in the RAVEN model checker. Verification revealed several possibilities to reduce the size of the code and to improve its efficiency.</p>
					<p><a href="https://lib.jucs.org/article/27773/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27773/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27773/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 Feb 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>The Coalgebraic Class Specification Language CCSL</title>
		    <link>https://lib.jucs.org/article/27772/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(2): 175-193</p>
					<p>DOI: 10.3217/jucs-007-02-0175</p>
					<p>Authors: Jan Rothe, Hendrik Tews, Bart Jacobs</p>
					<p>Abstract: This paper presents the Coalgebraic Class Specification Language CCSL that is developed within the loop project on formal methods for object-oriented languages. CCSL allows the (coalgebraic) specification of behavioral types and classes of object-oriented languages. It uses higher-order logic with universal modal operators to restrict the behavior of objects. A front-end to the theorem provers pvs [ORR+96] and ISABELLE [Pau94] compiles CCSL specifications into the logic of these theorem provers and allows to mechanically reason about the specifications.</p>
					<p><a href="https://lib.jucs.org/article/27772/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27772/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27772/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 Feb 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Diagram Refinements for the Design of Reactive Systems</title>
		    <link>https://lib.jucs.org/article/27771/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(2): 159-174</p>
					<p>DOI: 10.3217/jucs-007-02-0159</p>
					<p>Authors: Dominique Cansell, Dominique Mery, Stephan Merz</p>
					<p>Abstract: We define a class of predicate diagrams that represent abstractions of - possibly infinite-state - reactive systems. Our diagrams support the verification of safety as well as liveness properties. Non-temporal proof obligations establish the correspondence between the original specification, whereas model checking can be used to verify behavioral properties. We define a notion of refinement between diagrams that is intended to justify the top-down development of systems within the framework of diagrams. The method is illustrated by a number of mutual-exclusion algorithms.</p>
					<p><a href="https://lib.jucs.org/article/27771/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27771/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27771/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 Feb 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Modeling Sequences within the RelView System</title>
		    <link>https://lib.jucs.org/article/27768/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(2): 107-123</p>
					<p>DOI: 10.3217/jucs-007-02-0107</p>
					<p>Authors: Rudolf Berghammer, Thorsten Hoffmann</p>
					<p>Abstract: We use a relational characterization of binary direct sums to model sequences within the relation-algebraic manipulation and prototyping system RelView in a simple way. As an application we formally derive a RelView program for computing equivalence classes of an equivalence relation, where we combine relation-algebraic calculations with the so-called Dijkstra-Gries program development method. Also a refinement of the simple modeling is presented, which leads to the classical datatype of stacks, and a further application is sketched.</p>
					<p><a href="https://lib.jucs.org/article/27768/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27768/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27768/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 Feb 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Fred: An Approach to Generating Real, Correct, Reusable Programs from Proofs</title>
		    <link>https://lib.jucs.org/article/27765/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(1): 71-88</p>
					<p>DOI: 10.3217/jucs-007-01-0071</p>
					<p>Authors: John Crossley, Iman Poernomo</p>
					<p>Abstract: In this paper we describe our system for automatically extracting "correct" programs from proofs using a development of the Curry-Howard process.  Although program extraction has been developed by many authors (see, for example, [HN88], [Con97] and [HKPM97]), our system has a number of novel features designed to make it very easy to use and as close as possible to ordinary mathematical terminology and practice. These features include 1. the use of Henkin's technique [Hen50] to reduce higher-order logic to many-sorted (first-order) logic; 2. the free use of new rules for induction subject to certain conditions; 3. the extensive use of previously programmed (total, recursive) functions; 4. the use of templates to make the reasoning much closer to normal mathematical proofs and 5. a conceptual distinction between the computational type theory (for representing programs) and the logical type theory (for reasoning about programs). As an example of our system we give a constructive proof of the well known theorem that every graph of even parity, which is non-trivial in the sense that it does not consist of isolated vertices, has a cycle. Given such a graph as input, the extracted program produces a cycle as promised.</p>
					<p><a href="https://lib.jucs.org/article/27765/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27765/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27765/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 28 Jan 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>An Open Software Architecture for the Verification of Industrial Controllers</title>
		    <link>https://lib.jucs.org/article/27763/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 7(1): 37-53</p>
					<p>DOI: 10.3217/jucs-007-01-0037</p>
					<p>Authors: Heinz Treseler, Olaf Stursberg, Paul W. H. Chung, Shuanghua Yang</p>
					<p>Abstract: The paper presents a tool architecture which supports the formal verification of logic controllers for processing systems. The tool's main intention is to provide a front-end for modelling the controller as well as the processing systems. The models are automatically transformed into representations which can be analysed by existing model checking algorithms. While the first part of the paper gives an overview of the complete architecture, the second part introduces a newly developed modelling interface: Process Control Event Diagrams (PCEDs) are formally defined as a suitable means to represent the flow of information in controlled processes. The transformation of PCEDs into verifiable code is described, and the whole procedure of modelling, model transformation and verification is illustrated with a simple processing system.</p>
					<p><a href="https://lib.jucs.org/article/27763/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27763/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27763/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Sun, 28 Jan 2001 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>An Outline of PVS Semantics for UML Statecharts</title>
		    <link>https://lib.jucs.org/article/27731/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 6(11): 1088-1108</p>
					<p>DOI: 10.3217/jucs-006-11-1088</p>
					<p>Authors: Issa Traoré</p>
					<p>Abstract: The current UML standard provides definitions for the semantics of its components. These definitions focus mainly on the static structure of UML, but they don't include an execution semantics. These definitions include several semantic variation points, leaving the door open for multiple interpretations of the concepts involved. This situation can be handled by formalizing the semantic concepts involved. In this paper we present an approach for the formalization of one of the multiple diagrams of UML, namely statechart diagrams. That is achieved by using the PVS Specification Language as formal semantics domain. We present also how the approach can be used to conduct a formal analysis using the PVS model-checker.</p>
					<p><a href="https://lib.jucs.org/article/27731/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27731/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27731/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Tue, 28 Nov 2000 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Nondeterministic Admissible Interference</title>
		    <link>https://lib.jucs.org/article/27728/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 6(11): 1054-1070</p>
					<p>DOI: 10.3217/jucs-006-11-1054</p>
					<p>Authors: John Mullins</p>
					<p>Abstract: In this article we address the issue of confidentiality of information in the context of downgrading systems i.e. systems admitting information flow between secrecy levels only through a downgrader. Inspired by the intuition underlying the usual definition of admissible information flow, we propose an analogue based on trace equivalence as developed in the context of concurrency theory and on a modification of the usual definition of purge function. We also provide unwinding conditions to guarantee a consistent and complete proof method in terms of communicating transition systems. We take advantage of this framework to investigate its compositionality issues w.r.t. the main operators over communicating transition systems. We conclude the article with a short presentation of this work's most promising aspects in the perspective of future developments.</p>
					<p><a href="https://lib.jucs.org/article/27728/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27728/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27728/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Tue, 28 Nov 2000 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Incremental Development of Real-Time Requirements: The Light Control Case Study</title>
		    <link>https://lib.jucs.org/article/27696/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 6(7): 704-730</p>
					<p>DOI: 10.3217/jucs-006-07-0704</p>
					<p>Authors: Graeme Smith, Colin Fidge</p>
					<p>Abstract: System requirements frequently change while the system is still under development. Usually this means going back and revising the requirements specification and redoing those development steps already completed. In this article we show how formal requirements can be allowed to evolve while system development is in progress, without the need for costly redevelopment. This is done via a formalism which allows requirements engineering steps to be interleaved with formal development steps in a manageable way. The approach is demonstrated by a significant case study, the Light Control System.</p>
					<p><a href="https://lib.jucs.org/article/27696/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27696/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27696/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Fri, 28 Jul 2000 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Refining an ASM Specification of the Production Cell to C++ Code</title>
		    <link>https://lib.jucs.org/article/27365/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 3(5): 666-688</p>
					<p>DOI: 10.3217/jucs-003-05-0666</p>
					<p>Authors: Luca Mearelli</p>
					<p>Abstract: We present here the transformation to C++ code of the refined ASM model for the production cell developed in the paper "Integrating ASMs into the Software Development Life Cycle" (see this volume) which serves as program documentation. This implementation is a refinement step and produces code which has been validated through extensive experimentation with the production cell simulator of FZI Karlsruhe.</p>
					<p><a href="https://lib.jucs.org/article/27365/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27365/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27365/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 May 1997 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>Integrating ASMs into the Software Development Life Cycle</title>
		    <link>https://lib.jucs.org/article/27364/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 3(5): 603-665</p>
					<p>DOI: 10.3217/jucs-003-05-0603</p>
					<p>Authors: Egon Börger, Luca Mearelli</p>
					<p>Abstract: In this paper we show how to integrate the use of Gurevich's Abstract State Machines (ASMs) into a complete software development life cycle. We present a structured software engineering method which allows the software engineer to control efficiently the modular development and the maintenance of well documented, formally inspectable and smoothly modifiable code out of rigorous ASM models for requirement specifications. We show that the code properties of interest (like correctness, safety, liveness and performance conditions) can be proved at high levels of abstraction by traditional and reusable mathematical arguments which, where needed, can be computer verified. We also show that the proposed method is appropriate for dealing in a rigorous but transparent manner with hardware-software co-design aspects of system development. The approach is illustrated by developing a C++ program for the production cell control problem posed in [Lewerentz, Lindner 95]. The program has been validated by extensive experimentation with the FZI production cell simulator in Karlsruhe and has been submitted for inspection to the Dagstuhl seminar on "Practical Methods for Code Documentation and Inspection" (May 1997).</p>
					<p><a href="https://lib.jucs.org/article/27364/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27364/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27364/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 May 1997 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>On the Construction of Correct Compiler Back-Ends: An ASM-Approach</title>
		    <link>https://lib.jucs.org/article/27361/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 3(5): 504-567</p>
					<p>DOI: 10.3217/jucs-003-05-0504</p>
					<p>Authors: Wolf Zimmermann, Thilo Gaul</p>
					<p>Abstract: Existing works on the construction of correct compilers have at least one of the following drawbacks: (i) correct compilers do not compile into machine code of existing processors. Instead they compile into programs of an abstract machine which ignores limitations and properties of real-life processors. (ii) the code generated by correct compilers is orders of magnitudes slower than the code generated by unverified compilers. (iii) the considered source language is much less complex than real-life programming languages. This paper focuses on the construction of correct compiler backends which generate machine-code for real-life processors from realistic intermediate languages. Our main results are the following: (i) We present a proof approach based on abstract state machines for bottom-up rewriting system specifications (BURS) for back-end generators. A significant part of this proof can be parametrized with the intermediate and machine language. (ii) The performance of the code constructed by our approach is in the same order of magnitude as the code generated by non-optimizing unverified C-compilers.</p>
					<p><a href="https://lib.jucs.org/article/27361/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27361/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27361/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Wed, 28 May 1997 00:00:00 +0000</pubDate>
		</item>
	
		<item>
		    <title>The Constrained Shortest Path Problem: A Case Study in Using ASMs</title>
		    <link>https://lib.jucs.org/article/27350/</link>
		    <description><![CDATA[
					<p>JUCS - Journal of Universal Computer Science 3(4): 304-319</p>
					<p>DOI: 10.3217/jucs-003-04-0304</p>
					<p>Authors: Karl Strötmann</p>
					<p>Abstract: This paper addresses the correctness problem of an algorithm solving the constrained shortest path problem. We define an abstract, nondeterministic form of the algorithm and prove its correctness from a few simple axioms. We then define a sequence of natural refinements which can be proved to be correct and lead from the abstract algorithm to an efficient implementation due to Ulrich Lauther [Lauther 1996] and based on [Desrosiers et al. 1995]. Along the way, we also show that the abstract algorithm can be regarded as a natural extension of Moore's algorithm [Moore 1957] for solving the shortest path problem.</p>
					<p><a href="https://lib.jucs.org/article/27350/">HTML</a></p>
					<p><a href="https://lib.jucs.org/article/27350/download/xml/">XML</a></p>
					<p><a href="https://lib.jucs.org/article/27350/download/pdf/">PDF</a></p>
			]]></description>
		    <category>Research Article</category>
		    <pubDate>Mon, 28 Apr 1997 00:00:00 +0000</pubDate>
		</item>
	
	</channel>
</rss>
	