Skip to main content
Fachgebiete
Automobil + Motoren Bauwesen + Immobilien Business IT + Informatik Elektrotechnik + Elektronik Energie + Nachhaltigkeit Finance + Banking Management + Führung Marketing + Vertrieb Maschinenbau + Werkstoffe Versicherung + Risiko
DE
EN
Bücher
Zeitschriften
Themenseiten
Organisationspsychologie Projektmanagement Marketing Smart Manufacturing
Weitere Formate
Podcasts Webinare Technik Webinare Wirtschaft Kongresse Veranstaltungskalender Awards
Jetzt Einzelzugang starten
Zugang für Unternehmen
Referenzkunden
SLX-Digitalkonferenz: Zukunftswerkstatt 2024

Mehr Umsatz mit Top-Kontakten

Am 7. Mai erfahren Sie, wie Vertriebsteams Leadgenerierung, Leadnurturing und Leadstrategien effizient steuern können.
Erweiterte Suche
Anmelden
nach oben

2012 | Buch

Abstraction as a Unifying Link for Formal Approaches to Concurrency Kapitel lesen Erstes Kapitel lesen

Software Engineering and Formal Methods

10th International Conference, SEFM 2012, Thessaloniki, Greece, October 1-5, 2012. Proceedings

herausgegeben von: George Eleftherakis, Mike Hinchey, Mike Holcombe

Verlag: Springer Berlin Heidelberg

Buchreihe : Lecture Notes in Computer Science

Enthalten in: Springer Professional "Wirtschaft+Technik" , Springer Professional "Technik" , Springer Professional "Wirtschaft"

Einloggen, um Zugang zu erhalten
insite
SUCHEN

Über dieses Buch

This book constitutes the refereed proceedings of the 10th International Conference on Software Engineering and Formal Methods, SEFM 2012, held in Thessaloniki, Greece, in October 2012. The 19 revised research papers presented together with 3 short papers, 2 tool papers, and 2 invited talks were carefully reviewed and selected from 98 full submissions. The SEFM conference aspires to advance the state-of-the-art in formal methods, to enhance their scalability and usability with regards to their application in the software industry and to promote their integration with practical engineering methods.

Inhaltsverzeichnis

Frontmatter

Keynote Talks

Abstraction as a Unifying Link for Formal Approaches to Concurrency
Abstract
Abstraction is a crucial tool in specifying and justifying developments of systems. This observation is recognised in many different methods for developing sequential software; it also applies to some approaches to the formal development of concurrent systems although there its use is perhaps less uniform. The rely/guarantee approach to formal design has, for example, been shown to be capable of recording the design of complex concurrent software in a “top down” stepwise process that proceeds from abstract specification to code. In contrast, separation logics were –at least initially– motivated by reasoning about details of extant code. Such approaches can be thought of as “bottom up”. The same “top down/bottom up” distinction can be applied to “atomicity refinement” and “linearisability”. Some useful mixes of these approaches already exist and they are neither to be viewed as competitive approaches nor are they irrevocably confined by the broad categorisation. This paper reports on recent developments and presents the case for how careful use of abstractions can make it easier to marry the respective advantages of different approaches to reasoning about concurrency.
Cliff B. Jones
A Rule-Based and Imperative Language for Biochemical Modeling and Simulation
Abstract
We present COSBI LAB Language (\(\mathcal{L}\) for short), a simple modeling language for biochemical systems. \(\mathcal{L}\) features stochastic multiset rewriting, defined in part through rewriting rules, and in part through imperative code.
We provide a continuous-time Markov chain semantics for \(\mathcal{L}\) at three different abstraction levels, linked by Galois connections. We then describe a simulation algorithm for the most concrete semantics, which is then adapted to work at higher abstract levels while improving space and time performance. Doing so results in the well-known Gillespie’s Direct Method, as well as in a further optimized algorithm.
Đurica Nikolić, Corrado Priami, Roberto Zunino

Regular Papers

Sound Control-Flow Graph Extraction for Java Programs with Exceptions
Abstract
We present an algorithm to extract control-flow graphs from Java bytecode, considering exceptional flows. We then establish its correctness: the behavior of the extracted graphs is shown to be a sound over-approximation of the behavior of the original programs. Thus, any temporal safety property that holds for the extracted control-flow graph also holds for the original program. This makes the extracted graphs suitable for performing various static analyses, in particular model checking. The extraction proceeds in two phases. First, we translate Java bytecode into BIR, a stack-less intermediate representation. The BIR transformation is developed as a module of Sawja, a novel static analysis framework for Java bytecode. Besides Sawja’s efficiency, the resulting intermediate representation is more compact than the original bytecode and provides an explicit representation of exceptions. These features make BIR a natural starting point for sound control-flow graph extraction. Next, we formally define the transformation from BIR to control-flow graphs, which (among other features) considers the propagation of uncaught exceptions within method calls. We prove the correctness of the two-phase extraction by suitably combining the properties of the two transformations with those of an idealized control-flow graph extraction algorithm, whose correctness has been proved directly. The control-flow graph extraction algorithm is implemented in the ConFlEx tool. A number of test-cases show the efficiency and the utility of the implementation.
Afshin Amighi, Pedro de C. Gomes, Dilian Gurov, Marieke Huisman
Checking Sanity of Software Requirements
Abstract
In the last decade it became a common practice to formalise software requirements to improve the clarity of users’ expectations. In this work we build on the fact that functional requirements can be expressed in temporal logic and we propose new techniques that automatically detect flaws and suggest improvements of given requirements. Specifically, we describe and experimentally evaluate new approaches to consistency and vacuity checking that identify all inconsistencies and pinpoint their exact source (the smallest inconsistent set). To complete the sanity checking we also deliver a novel semi-automatic completeness evaluation that can assess the coverage of user requirements and suggest missing properties the user might have wanted to formulate. The usefulness of our completeness evaluation is demonstrated in a case study of an aeroplane control system.
Jiří Barnat, Petr Bauch, Luboš Brim
TVAL+ : TVLA and Value Analyses Together
Abstract
Effective static analyses must precisely approximate both heap structure and information about values. During the last decade, shape analysis has obtained great achievements in the field of heap abstraction. Similarly, numerical and other value abstractions have made tremendous progress, and they are effectively applied to the analysis of industrial software. In addition, several generic static analyzers have been introduced. These compositional analyzers combine many types of abstraction into the same analysis to prove various properties. The main contribution of this paper is the combination of Sample, an existing generic analyzer, with a TVLA-based heap abstraction (TVAL+).
Pietro Ferrara, Raphael Fuchs, Uri Juhasz
A Systematic Approach to Atomicity Decomposition in Event-B
Abstract
Event-B is a state-based formal method that supports a refinement process in which an abstract model is elaborated towards an implementation in a step-wise manner. One weakness of Event-B is that control flow between events is typically modelled implicitly via variables and event guards. While this fits well with Event-B refinement, it can make models involving sequencing of events more difficult to specify and understand than if control flow was explicitly specified. New events may be introduced in Event-B refinement and these are often used to decompose the atomicity of an abstract event into a series of steps. A second weakness of Event-B is that there is no explicit link between such new events that represent a step in the decomposition of atomicity and the abstract event to which they contribute. To address these weaknesses, atomicity decomposition diagrams support the explicit modelling of control flow and refinement relationships for new events. In previous work, the atomicity decomposition approach has been evaluated manually in the development of two large case studies, a multi media protocol and a spacecraft sub-system. The evaluation results helped us to develop a systematic definition of the atomicity decomposition approach, and to develop a tool supporting the approach. In this paper we outline this systematic definition of the approach, the tool that supports it and evaluate the contribution that the tool makes.
Asieh Salehi Fathabadi, Michael Butler, Abdolbaghi Rezazadeh
Compositional Reasoning about Shared Futures
Abstract
Distributed and concurrent object-oriented systems are difficult to analyze due to the complexity of their concurrency, communication, and synchronization mechanisms. The future mechanism extends the traditional method call communication model by facilitating sharing of references to futures. By assigning method call result values to futures, third party objects may pick up these values. This may reduce the time spent waiting for replies in a distributed environment. However, futures add a level of complexity to program analysis, as the program semantics becomes more involved.
This paper presents a model for asynchronously communicating objects, where return values from method calls are handled by futures. The model facilitates invariant specifications over the locally visible communication history of each object. Compositional reasoning is supported, as each object may be specified and verified independently of its environment. A kernel object-oriented language with futures inspired by the ABS modeling language is considered. A compositional proof system for this language is presented, formulated within dynamic logic.
Crystal Chang Din, Johan Dovland, Olaf Owe
Verification of Aspectual Composition in Feature-Modeling
Abstract
Crosscutting concerns are pervasive in embedded software and ambient systems due to the stringent non-functional requirements imposed on them. Maintaining families of these systems to address issues with the crosscutting concerns, such as security concerns, is recognised to be tedious and costly. To tackle the above problem, we adapt the aspect-oriented paradigm to feature-modeling.
One of the most serious problems in aspect-oriented modeling is the potential of taking a valid model and spoiling its validity when weaving an aspect to it. We present a formal verification technique of aspectual composition in the context of feature-modeling that is based on product family algebra. We define a set of validity criteria for aspects with regard to their corresponding base specifications. The verification is done prior to the weaving of the aspects to their base specifications.
Qinglei Zhang, Ridha Khedri, Jason Jaskolka
A Denotational Model for Instantaneous Signal Calculus
Abstract
In this paper we explore an observation-oriented denotational semantics for instantaneous signal calculus which contains all conceptually instantaneous reactions of signal calculus for event-based synchronous languages. The healthiness conditions are studied for especially dealing with the emission of signals. Every instantaneous reaction can be identified as denoting a healthiness function over the set of events which describe the state of the system and its environment. The normal form, surprisingly, has the comparatively elegant and straightforward denotational semantic definition. Furthermore, a set of algebraic laws concerning the distinct features for instantaneous signal calculus is investigated. All algebraic laws can be established in the framework of our semantic model, i.e., if the equality of two differently written instantaneous reactions is algebraically provable, the two reactions are also equivalent with respect to the denotational semantics.
Yongxin Zhao, Longfei Zhu, Huibiao Zhu, Jifeng He
A Timed Mobility Semantics Based on Rewriting Strategies
Abstract
We consider TiMo (Timed Mobility) which is a process algebra for prototyping software engineering applications supporting mobility and timing constraints. We provide an alternative semantics of TiMo using rewriting logic; in particular, we develop a rewriting logic model based on strategies to describe a maximal parallel computational step of a TiMo specification. This new semantical model is proved to be sound and complete w.r.t. to the original operational semantics which was based on negative premises. We implement the rewriting model within the strategy-based rewriting system Elan, and provide an example illustrating how a TiMo specification is executed and how a range of (behavioural) properties are analysed.
Gabriel Ciobanu, Maciej Koutny, Jason Steggles
Towards a Formal Component Model for the Cloud
Abstract
We consider the problem of deploying and (re)configuring resources in a “cloud” setting, where interconnected software components and services can be deployed on clusters of heterogeneous (virtual) machines that can be created and connected on-the-fly. We introduce the Aeolus component model to capture similar scenarii from realistic cloud deployments, and instrument automated planning of day-to-day activities such as software upgrade planning, service deployment, elastic scaling, etc. We formalize the model and characterize the feasibility and complexity of configuration achievability in Aeolus.
Roberto Di Cosmo, Stefano Zacchiroli, Gianluigi Zavattaro
The Rely/Guarantee Approach to Verifying Concurrent BPEL Programs
Abstract
Web services have become more and more important in these years, and BPEL4WS (BPEL) is the OASIS standard for web services composition and orchestration. It contains several distinct features, including scope-based compensation and fault handling mechanism. This paper focuses on the verification of BPEL programs, especially the verification of concurrent BPEL programs. The rely/guarantee approach is applied. Firstly, we present the operational semantics for BPEL programs. Secondly we apply the rely/guarantee method in the design of the verification rules. The rules can handle the features of BPEL programs, including compensation, fault handling and concurrency. Finally, the whole proof system is proved to be sound based on our operational semantics.
Huibiao Zhu, Qiwen Xu, Chris Ma, Shengchao Qin, Zongyan Qiu
Completing the Automated Verification of a Small Hypervisor – Assembler Code Verification
Abstract
In [1] the almost complete formal verification of a small hypervisor with the automated C code verifier VCC [2] was reported: the correctness of the C portions of the hypervisor and of the guest simulation was established; the verification of the assembler portions of the code was left as future work. Suitable methodology for the verification of Macro Assembler programs in VCC was given without soundness proof in [3]. A joint semantics of C + Macro Assembler necessary for such a soundness proof was introduced in [4]. In this paper i) we observe that for two instructions (that manipulate stack pointers) of the hypervisor code the C + Macro Assembler semantics does not suffice; therefore we extend it to C + Macro Assembler + assembler, ii) we argue the soundness of the methodology from [3] with respect to this new semantics, iii) we apply the methodology from [3] to formally verify the Macro Assembler + assembler portions of the hypervisor from [1], completing the formal verification of the small hypervisor in the automated tool VCC.
Wolfgang Paul, Sabine Schmaltz, Andrey Shadrin
A Configuration Approach for IMA Systems
Abstract
In this paper, we focus on system configurations of Integrated Modular Avionics (IMA) systems and present a novel approach for their calculation. We consider IMA systems based on ASAAC standards (STANAG 4626, EN 4660). These systems are modelled, by means of blueprints, using the SAE standardised modelling and analysis language AADL. For the calculation of system configurations, the required data is gathered from the system model and is transformed into a SAT modulo theory (SMT) formula. This formula includes a set of user input parameters, which steer the resource allocation. All feasible solutions satisfy the schedulability by a given set of scheduling schemes. The as schedulable considered configurations serve in choosing the final system configuration, for which a set of possible valid reconfigurations is calculated. To facilitate more compact allocations and increase the quality of (re-)configurations, we consider system modes. Both the chosen configuration and its corresponding reconfigurations are stored in the AADL system model, making all necessary data available within the same developing environment.
Visar Januzaj, Stefan Kugele, Florian Biechele, Ralf Mauersberger
polyLarva: Runtime Verification with Configurable Resource-Aware Monitoring Boundaries
Abstract
Runtime verification techniques are increasingly being applied in industry as a lightweight formal approach to achieve added assurance of correctness at runtime. A key issue determining the adoption of these techniques is the overheads introduced by the runtime checks, affecting the performances of the monitored systems. Despite advancements in the development of optimisation techniques lowering these overheads, industrial settings such as online portals present new challenges, since they frequently involve the handling of high volume transaction throughputs and cannot afford substantial deterioration in the service they provide.
One approach to reduce overheads is the deployment of the verification computation on auxiliary computing resources, creating a boundary between the system and the verification code. This limits the use of system resources with resource intensive verification being carried out on the remote-side. However, under particular scenarios this approach may still not be ideal, as it may induce significant communication overheads. In this paper, we propose a framework which enables fine-tuning of the tradeoff between processing, memory and communication monitoring overheads, through the use of a user-configurable monitoring boundary. This approach has been implemented in the second generation of the Larva runtime verification tool, polyLarva.
Christian Colombo, Adrian Francalanza, Ruth Mizzi, Gordon J. Pace
Frama-C
A Software Analysis Perspective
Abstract
Frama-C is a source code analysis platform that aims at conducting verification of industrial-size C programs. It provides its users with a collection of plug-ins that perform static analysis, deductive verification, and testing, for safety- and security-critical software. Collaborative verification across cooperating plug-ins is enabled by their integration on top of a shared kernel and datastructures, and their compliance to a common specification language. This foundational article presents a consolidated view of the platform, its main and composite analyses, and some of its industrial achievements.
Pascal Cuoq, Florent Kirchner, Nikolai Kosmatov, Virgile Prevosto, Julien Signoles, Boris Yakobowski
An Optimization Approach for Effective Formalized fUML Model Checking
Abstract
Automatically formalizing fUML models into CSP is a challenging task. However, checking the generated CSP model using FDR2 is far more challenging. That is because the generated CSP model holds many implementation details inherited from the fUML model, as well as the formalization of the non-trivial fUML inter-object communication mechanism. Using the state space compression techniques available in FDR2 (such as supercompilation and compression functions) is not enough to provide an effective model checking that avoids the state explosion problem. In this paper we introduce a novel approach that makes use of a restricted CSP model (because it follows certain formalization rules) to optimize the generated model. As an application of our approach, we design a framework that works on two levels; the first one provides optimization advice to the modeller, while the second one automatically applies optimization rules which transform the CSP model to a more optimized one with a reduced state space.
Implementing and applying the approach on two large case studies demonstrated the effectiveness of the approach. We also prove that the optimization rules are safe to be applied automatically without eliminating important information from the CSP model.
Islam Abdelhalim, Steve Schneider, Helen Treharne
Efficient Probabilistic Abstraction for SysML Activity Diagrams
Abstract
SysML activity diagrams are OMG/INCOSE standard models for specifying and analyzing systems’ behaviors. In this paper, we propose an abstraction approach for this type of diagrams that helps to mitigate the state-explosion problem in probabilistic model checking. To this end, we present two algorithms to reduce the size of a given SysML activity diagram. The first eliminates the irrelevant behaviors regarding the property under check, while the second merges control nodes into equivalent ones. The resulting abstracted model can answer safely the Probabilistic Computation Tree Logic (PCTL) property. Moreover, we present a novel calculus for activity diagrams (NuAC) that captures their underlying semantics. In addition, we prove the soundness of our approach by defining a probabilistic weak simulation relation between the semantics of the abstract and the concrete models. This relation is shown to preserve the satisfaction of the PCTL properties. Finally, we demonstrate the effectiveness of our approach on an online shopping system case study.
Samir Ouchani, Otmane Ait Mohamed, Mourad Debbabi
ML Dependency Analysis for Assessors
Abstract
Critical software needs to obtain an assessment before commissioning. This assessment is given after a long task of software analysis performed by assessors. They may be helped by tools, used interactively, to build models using information-flow analysis. Tools like SPARK-Ada exist for Ada subsets used for critical software. But some emergent languages such as those of the ML family lack such adapted tools. Providing similar tools for ML languages requires special attention on specific features such as higher-order functions and pattern-matching. This paper presents an information-flow analysis for such a language specifically designed according to the needs of assessors. This analysis can be parametrized to allow assessors getting a view of dependencies at several levels of abstraction and gives the basis for an efficient fault tolerance analysis.
Philippe Ayrault, Vincent Benayoun, Catherine Dubois, François Pessaux
An Improved Test Generation Approach from Extended Finite State Machines Using Genetic Algorithms
Abstract
This paper presents a new approach to test generation from extended finite state machines using genetic algorithms, by proposing a new fitness function for path data generation. The fitness function that guides the search is crucial for the success of a genetic algorithm; an improvement in the fitness function will reduce the duration of the generation process and increase the success chances of the search algorithm. The paper performs a comparison between the newly proposed fitness function and the most widely used function in the literature. The experimental results show that, for more complex paths, that can be logically decomposed into independent sub-paths, the new function outperforms the previously proposed function and the difference is statistically significant.
Raluca Lefticaru, Florentin Ipate
Securely Accessing Shared Resources with Concurrent Constraint Programming
Abstract
We present a fine-grained security model to enforce the access control on the shared constraint store in Concurrent Constraint Programming (CCP) languages. We show the model for a nonmonotonic version of Soft CCP (SCCP), that is an extension of CCP where the constraints have a preference level associated with them. Crisp constraints can be modeled in the same framework as well. In the considered nonmonotonic soft version (NmSCCP), it is also possible to remove constraints from the store. The language can be used for coordinating agents on a common store of information that represents the set of shared resources. In such scenarios, it is clearly important to enforce the integrity and confidentiality rights on the resources, in order, for instance, to hide part of the information to some agents, or to prevent an agent to consume too many resources.
Stefano Bistarelli, Francesco Santini

Short Papers

A Practical Approach for Closed Systems Formal Verification Using Event-B
Abstract
Assurance of high integrity systems based on closed systems is a challenge that becomes difficult to overcome when a classical testing approach is used; in particular the evidence generated from a classical testing approach may not meet the objectives of rigorous standards. This paper presents a new approach for the formal verification of closed systems, in particular commercial off the shelf (COTS) products. The approach brings together the formal language Event-B, mathematical proof theory and the Rodin toolset and provides the mechanism for creating abstract models of closed systems and to then verify these system properties against operational requirements. From an industrial perspective this approach represents a step change in the use and successful integration of closed systems; using formal methods to guarantee their integration and functionality. The outcome of the proof of concept will provide a solution that will increase the level of confidence on complex system of system solutions containing closed systems. Moreover, it will support the production of safety-cases by providing formal proofs of a system’s correctness.
Brett Bicknell, Jose Reis, Michael Butler, John Colley, Colin Snook
Extensible Specifications for Automatic Re-use of Specifications and Proofs
Abstract
One way to reduce the cost of formally verifying a large program is to perform proofs over a specification of its behaviour, which its implementation refines. However, interesting programs must often satisfy multiple properties. Ideally, each property should be proved against the most abstract specification for which it holds. This simplifies reasoning and increases the property’s robustness against later tweaks to the program’s implementation. We introduce extensible specifications, a lightweight technique for constructing a specification that can be instantiated and reasoned about at multiple levels of abstraction. This avoids having to write and maintain a different specification for each property being proved whilst still allowing properties to be proved at the highest levels of abstraction. Importantly, properties proved of an extensible specification hold automatically for all instantiations of it, avoiding unnecessary proof duplication. We explain how we applied this idea in the context of verifying confidentiality enforcement for the seL4 microkernel, saving us significant proof and code duplication.
Daniel Matichuk, Toby Murray
Implementing Tactics of Refinement in CRefine
Abstract
Circus is a formal language that combines Z and CSP, providing support for specification of both data and behavioural aspects of concurrent systems. Furthermore, Circus has an associated refinement calculus, which can be used to develop software in a precise and stepwise fashion. Each step is justified by the application of a refinement law (possibly with the discharge of proof obligations). Sometimes, the same laws can be applied in the same manner in different developments or even in different parts of a single development. A strategy to optimize this calculus is to formalise this application as a refinement tactic, which can then be used as a single transformation rule. CRefine was developed to automate the Circus refinement calculus. However, before the work presented here, it did not provide support for refinement tactics. In this paper, we present an extension to CRefine: a new module that automates the process of defining and applying refinement tactics formalised in the tactic language ArcAngel C. Finally, we illustrate the usefulness of the extension in the development of an industrial case study.
Madiel Conserva Filho, Marcel Vinicius Medeiros Oliveira

Tool Papers

JSXM: A Tool for Automated Test Generation
Abstract
The Stream X-machine (SXM) is an intuitive and powerful modelling formalism that extends finite state machines with a memory (data) structure and function-labelled transitions. One of the main strengths of the SXM is its associated testing strategy: this guarantees that, under well defined conditions, all functional inconsistencies between the system under test and the model are revealed. Unfortunately, despite the evident strength of SXM based testing, no tool that convincingly implements this strategy exists. This paper presents such a tool, called JSXM. The JSXM tool supports the animation of SXM models for the purpose of model validation, the automatic generation of abstract test cases from SXM specifications and the transformation of abstract test cases into concrete test cases in the implementation language of the system under test. A special characteristic of the modelling language and of the tool is that it supports the specifications of flat SXM models as well as the integration of interacting SXM models.
Dimitris Dranidis, Konstantinos Bratanis, Florentin Ipate
A Low-Overhead, Value-Tracking Approach to Information Flow Security
Abstract
We present a hybrid approach to information flow security where security violations are detected at execution time. We track secure values and secure locations at run time to prevent problems such as password disclosure in C programs. This analysis is safe in the presence of pointer aliasing. Such problems are hard to solve using static analysis (or lead to many false positives). Our technique works on programs with annotations that identify values and locations that need to be secure. We instrument the annotated program with statements that capture relevant information flow with assertions that detect any violation. This instrumentation does not interfere with the safe assignment of values to variables in the program. The instrumented assertions are invoked only when relevant values or locations are involved. We demonstrate the applicability of our approach by analysing various Linux utilities such as su, sudo, passwd, ftp and ssh. Our experiments show that for safe executions the overhead introduced by our instrumentation is, on average, less than 1%.
Kostyantyn Vorobyov, Padmanabhan Krishnan, Phil Stocks
Backmatter
Metadaten
Titel
Software Engineering and Formal Methods
herausgegeben von
George Eleftherakis
Mike Hinchey
Mike Holcombe
Copyright-Jahr
2012
Verlag
Springer Berlin Heidelberg
Electronic ISBN
978-3-642-33826-7
Print ISBN
978-3-642-33825-0
DOI
https://doi.org/10.1007/978-3-642-33826-7

Premium Partner

    Bildnachweise