Pub Date : 2014-11-20DOI: 10.14279/tuj.eceasst.70.982
M. Mohaqeqi, M. Mousavi, Walid Taha
For systematic and automatic testing of cyber-physical systems, in which a set of test cases is generated based on a formal specification, a number of notions of conformance testing have been proposed. In this paper, we review two existing theories of conformance testing for cyber-physical systems and compare them. We point out their fundamental differences, and prove under which assumptions they
{"title":"Conformance Testing of Cyber-Physical Systems: A Comparative Study","authors":"M. Mohaqeqi, M. Mousavi, Walid Taha","doi":"10.14279/tuj.eceasst.70.982","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.982","url":null,"abstract":"For systematic and automatic testing of cyber-physical systems, in which a set of test cases is generated based on a formal specification, a number of notions of conformance testing have been proposed. In this paper, we review two existing theories of conformance testing for cyber-physical systems and compare them. We point out their fundamental differences, and prove under which assumptions they","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"23 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"129826876","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2014-11-20DOI: 10.14279/tuj.eceasst.70.983
Petr Ročkai, J. Barnat, L. Brim
We present an extension of the DIVINE software model checker to support programs with exception handling. The extension consists of two parts, a language-neutral implementation of the LLVM exception-handling instructions, and an adaptation of the C++ runtime for the DIVINE/LLVM exception model. This constitutes an important step towards support of both the full C++ specification and towards verification of real-world C++ programs using a software model checker. Additionally, we show how these extensions can be used to elegantly implement other features with non-local control transfer, most importantly the longjmp function in C.
{"title":"Model Checking C++ with Exceptions","authors":"Petr Ročkai, J. Barnat, L. Brim","doi":"10.14279/tuj.eceasst.70.983","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.983","url":null,"abstract":"We present an extension of the DIVINE software model checker to support programs with exception handling. The extension consists of two parts, a language-neutral implementation of the LLVM exception-handling instructions, and an adaptation of the C++ runtime for the DIVINE/LLVM exception model. This constitutes an important step towards support of both the full C++ specification and towards verification of real-world C++ programs using a software model checker. Additionally, we show how these extensions can be used to elegantly implement other features with non-local control transfer, most importantly the longjmp function in C.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"10 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"132744262","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2014-11-20DOI: 10.14279/tuj.eceasst.70.984
Ali Jafari, E. Khamespanah, M. Sirjani, H. Hermanns
Many real-time distributed applications exhibit probabilistic and non-deterministic behaviors. In this paper, we introduce Probabilistic Timed Rebeca (PTRebeca) as an actor-based language for modeling probabilistic distributed real-time systems with asynchronous message passing. We pro- pose the semantics of PTRebeca model in Timed Markov Decision Process (TMDP), the integral semantics of probabilistic timed automaton (PTA) with one digital clock. To analyze PTRebeca models, we develop a tool set to au- tomatically generate a TMDP model from a PTRebeca model in the form of the input language of PRISM model checker. We use PRISM for performance analysis of PTRebeca models against expected reachability and probabilistic reachability properties. We show the applicability of our approach using a few case studies and experimental results.
{"title":"Performance Analysis of Distributed and Asynchronous Systems using Probabilistic Timed Actors","authors":"Ali Jafari, E. Khamespanah, M. Sirjani, H. Hermanns","doi":"10.14279/tuj.eceasst.70.984","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.984","url":null,"abstract":"Many real-time distributed applications exhibit probabilistic and non-deterministic behaviors. In this paper, we introduce Probabilistic Timed Rebeca (PTRebeca) as an actor-based language for modeling probabilistic distributed real-time systems with asynchronous message passing. We pro- pose the semantics of PTRebeca model in Timed Markov Decision Process (TMDP), the integral semantics of probabilistic timed automaton (PTA) with one digital clock. To analyze PTRebeca models, we develop a tool set to au- tomatically generate a TMDP model from a PTRebeca model in the form of the input language of PRISM model checker. We use PRISM for performance analysis of PTRebeca models against expected reachability and probabilistic reachability properties. We show the applicability of our approach using a few case studies and experimental results.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"11 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"121167133","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2014-11-20DOI: 10.14279/tuj.eceasst.70.981
R. D. Landtsheer, C. Ponsard, Nicolas Devos
Smartcards are security critical devices requiring a high assurance verification approach. Although formal techniques can be used at design or even at development stages, such systems have to undergo a traditional hardware-in-the-loop testing phase. This phase is subject to two key requirements: achieving exhaustive transition coverage of the behavior of the system under test, and minimizing the testing time. In this context, testing time is highly bound to a specific hardware reset operation. Model-based testing is the adequate approach given the availability of a precise model of the system behavior and its ability to produce high quality coverage while optimizing some cost criterion. %l'argument n'est pas convainquant. This paper presents an original algorithm addressing this problem by reformulating it as an integer programming problem to make a graph Eulerian. The associated cost criterion captures both the number of resets and the total length of the test suite, as an auxiliary objective. The algorithm ensures transition coverage. An implementation of the algorithm was developed, benchmarked, and integrated into an industrial smartcard testing framework. A validation case study from this domain is also presented. The approach can of course be applied to any other domains with similar reset-related testing constraints.
{"title":"A Constraint-Solving Approach for Achieving Minimal-Reset Transition Coverage of Smartcard Behaviour","authors":"R. D. Landtsheer, C. Ponsard, Nicolas Devos","doi":"10.14279/tuj.eceasst.70.981","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.981","url":null,"abstract":"Smartcards are security critical devices requiring a high assurance verification approach. Although formal techniques can be used at design or even at development stages, such systems have to undergo a traditional hardware-in-the-loop testing phase. This phase is subject to two key requirements: achieving exhaustive transition coverage of the behavior of the system under test, and minimizing the testing time. In this context, testing time is highly bound to a specific hardware reset operation. Model-based testing is the adequate approach given the availability of a precise model of the system behavior and its ability to produce high quality coverage while optimizing some cost criterion. %l'argument n'est pas convainquant. This paper presents an original algorithm addressing this problem by reformulating it as an integer programming problem to make a graph Eulerian. The associated cost criterion captures both the number of resets and the total length of the test suite, as an auxiliary objective. The algorithm ensures transition coverage. An implementation of the algorithm was developed, benchmarked, and integrated into an industrial smartcard testing framework. A validation case study from this domain is also presented. The approach can of course be applied to any other domains with similar reset-related testing constraints.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"46 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-20","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133544173","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2014-11-18DOI: 10.14279/tuj.eceasst.70.973
Sven Reimer, M. Sauer, Paolo Marin, B. Becker
QBF formulae are usually considered in prenex form, i.e. the quantifierblock is completely separated from the propositional part of the QBF.Among others, the semantics of the QBF is defined by the sequence ofthe variables within the prefix, where existentially quantifiedvariables depend on all universally quantified variables stated to theleft. In this paper we extend that classical definition and consider a newquantification type which we call soft variable. The idea is toallow a flexible position and quantifier type for these variables.Hence the type of quantifier of the soft variable can also bealtered. Based on this concept, we present an optimization problemseeking an optimal prefix as defined by user-given preferences. We statean algorithm based on MaxQBF, and present several applications – mainlyfrom verification area – which can be naturally translated into theoptimization problem for QBF with soft variables. We further implementeda prototype solver for this formalism, and compare our approach toprevious work, that differently from ours does not guarantee optimalityand completeness.
{"title":"QBF with Soft Variables","authors":"Sven Reimer, M. Sauer, Paolo Marin, B. Becker","doi":"10.14279/tuj.eceasst.70.973","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.973","url":null,"abstract":"QBF formulae are usually considered in prenex form, i.e. the quantifierblock is completely separated from the propositional part of the QBF.Among others, the semantics of the QBF is defined by the sequence ofthe variables within the prefix, where existentially quantifiedvariables depend on all universally quantified variables stated to theleft. In this paper we extend that classical definition and consider a newquantification type which we call soft variable. The idea is toallow a flexible position and quantifier type for these variables.Hence the type of quantifier of the soft variable can also bealtered. Based on this concept, we present an optimization problemseeking an optimal prefix as defined by user-given preferences. We statean algorithm based on MaxQBF, and present several applications – mainlyfrom verification area – which can be naturally translated into theoptimization problem for QBF with soft variables. We further implementeda prototype solver for this formalism, and compare our approach toprevious work, that differently from ours does not guarantee optimalityand completeness.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"15 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116735445","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2014-11-18DOI: 10.14279/tuj.eceasst.70.977
J. Sproston
A stochastic hybrid system contains a collection of interacting discrete and continuous components, subject to random behaviour. The formal verification of a stochastic hybrid system often comprises a method for the generation of a finite-state probabilistic system which either represents exactly the behaviour of the stochastic hybrid system, or which approximates conservatively its behaviour. We extend such abstraction-based formal verification of stochastic hybrid systems in two ways. Firstly, we generalise previous results by showing how bisimulation-based abstractions of non-probabilistic hybrid automata can be lifted to the setting of probabilistic hybrid automata, a subclass of stochastic hybrid systems in which probabilistic choices can be made with respect to finite, discrete alternatives only. Secondly, we consider the problem of obtaining approximate abstractions for discrete-time stochastic systems in which there are continuous probabilistic choices with regard to the slopes of certain system variables. We restrict our attention to the subclass of such systems in which the approximate abstraction of such a system, obtained using the previously developed techniques of Fraenzle et al., results in a probabilistic rectangular hybrid automaton, from which in turn a finite-state probabilistic system can be obtained. We illustrate this technique with an example, using the probabilistic model checking tool PRISM.
{"title":"Exact and Approximate Abstraction for Classes of Stochastic Hybrid Systems","authors":"J. Sproston","doi":"10.14279/tuj.eceasst.70.977","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.977","url":null,"abstract":"A stochastic hybrid system contains a collection of interacting discrete and continuous components, subject to random behaviour. The formal verification of a stochastic hybrid system often comprises a method for the generation of a finite-state probabilistic system which either represents exactly the behaviour of the stochastic hybrid system, or which approximates conservatively its behaviour. We extend such abstraction-based formal verification of stochastic hybrid systems in two ways. Firstly, we generalise previous results by showing how bisimulation-based abstractions of non-probabilistic hybrid automata can be lifted to the setting of probabilistic hybrid automata, a subclass of stochastic hybrid systems in which probabilistic choices can be made with respect to finite, discrete alternatives only. Secondly, we consider the problem of obtaining approximate abstractions for discrete-time stochastic systems in which there are continuous probabilistic choices with regard to the slopes of certain system variables. We restrict our attention to the subclass of such systems in which the approximate abstraction of such a system, obtained using the previously developed techniques of Fraenzle et al., results in a probabilistic rectangular hybrid automaton, from which in turn a finite-state probabilistic system can be obtained. We illustrate this technique with an example, using the probabilistic model checking tool PRISM.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"73 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"116933176","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2014-11-18DOI: 10.14279/tuj.eceasst.70.975
L. Hatvani, Alexandre David, C. Seceleanu, P. Pettersson
Adjusting to resource changes, dynamic environmental conditions, or new usage modes are some of the reasons why real-time embedded systems need to be adaptive. This requires a rigorous framework for designing such systems, to ensure that the adaptivity does not result in invalidating the system's real-time constraints. To address this need, we have recently introduced adaptive task automata, a frame- work for modeling, verification, and schedulability analysis in adaptive, hard real-time embedded systems, assuming a fixed-priority scheduler. In this work, we extend the adaptive task automata framework to incorporate the earliest-deadline-first scheduling policy, as well as enable implementation of any other dynamic scheduling policy. To prove the decidability of our model, and at the same time maintain a manageable degree of conciseness, we show an encoding of our model as a network of timed automata with clock updates. To support this, we also show that reachability in our class of timed automata with updates is decidable. Our contribution helps to streamline the process of designing safety critical adaptive embedded systems.
{"title":"Adaptive Task Automata with Earliest-Deadline-First Scheduling","authors":"L. Hatvani, Alexandre David, C. Seceleanu, P. Pettersson","doi":"10.14279/tuj.eceasst.70.975","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.975","url":null,"abstract":"Adjusting to resource changes, dynamic environmental conditions, or new usage modes are some of the reasons why real-time embedded systems need to be adaptive. This requires a rigorous framework for designing such systems, to ensure that the adaptivity does not result in invalidating the system's real-time constraints. To address this need, we have recently introduced adaptive task automata, a frame- work for modeling, verification, and schedulability analysis in adaptive, hard real-time embedded systems, assuming a fixed-priority scheduler. In this work, we extend the adaptive task automata framework to incorporate the earliest-deadline-first scheduling policy, as well as enable implementation of any other dynamic scheduling policy. To prove the decidability of our model, and at the same time maintain a manageable degree of conciseness, we show an encoding of our model as a network of timed automata with clock updates. To support this, we also show that reachability in our class of timed automata with updates is decidable. Our contribution helps to streamline the process of designing safety critical adaptive embedded systems.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"58 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"133179507","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2014-11-18DOI: 10.14279/tuj.eceasst.70.970
Paolo Arcaini, A. Gargantini, E. Riccobene
In runtime verification, operational models describing the expected system behavior offer some advantages with respect to declarative specifications of properties, especially when designers are more accustomed to them. However, nondeterminism in the specification usually affects performances of those operational methods that explicitly represent all the possible conformant states. In this paper, we tackle the problem of dealing with nondeterminism in an operational runtime verification approach based on the use of Abstract State Machines (ASMs). We propose an SMT-based technique in which ASM computations are symbolically represented and conformance verification is performed by means of satisfability checking. Experiments show that, in most of the cases, the symbolic approach performs better than a technique for ASM-based runtime verification explicitly representing the conformant states.
{"title":"Using SMT for dealing with nondeterminism in ASM-based runtime verification","authors":"Paolo Arcaini, A. Gargantini, E. Riccobene","doi":"10.14279/tuj.eceasst.70.970","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.970","url":null,"abstract":"In runtime verification, operational models describing the expected system behavior offer some advantages with respect to declarative specifications of properties, especially when designers are more accustomed to them. However, nondeterminism in the specification usually affects performances of those operational methods that explicitly represent all the possible conformant states. In this paper, we tackle the problem of dealing with nondeterminism in an operational runtime verification approach based on the use of Abstract State Machines (ASMs). We propose an SMT-based technique in which ASM computations are symbolically represented and conformance verification is performed by means of satisfability checking. Experiments show that, in most of the cases, the symbolic approach performs better than a technique for ASM-based runtime verification explicitly representing the conformant states.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"86 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"128377521","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2014-11-18DOI: 10.14279/tuj.eceasst.70.968
E. M. Hahn, A. Hartmanns, H. Hermanns
Stochastic timed automata are an expressive formal model for hard and soft real-time systems. They support choices and delays that can be deterministic, nondeterministic or stochastic. Stochastic choices and delays can be based on arbitrary discrete and continuous distributions. In this paper, we present an analysis approach for stochastic timed automata based on abstraction and probabilistic model checking. It delivers upper/lower bounds on maximum/minimum reachability probabilities and expected cumulative reward values. Based on theory originally developed for stochastic hybrid systems, it is the first fully automated model checking technique for stochastic timed automata. Using an implementation as part of the Modest Toolset and four varied examples, we show that the approach works in practice and present a detailed evaluation of its applicability, its efficiency, and current limitations.
{"title":"Reachability and Reward Checking for Stochastic Timed Automata","authors":"E. M. Hahn, A. Hartmanns, H. Hermanns","doi":"10.14279/tuj.eceasst.70.968","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.968","url":null,"abstract":"Stochastic timed automata are an expressive formal model for hard and soft real-time systems. They support choices and delays that can be deterministic, nondeterministic or stochastic. Stochastic choices and delays can be based on arbitrary discrete and continuous distributions. In this paper, we present an analysis approach for stochastic timed automata based on abstraction and probabilistic model checking. It delivers upper/lower bounds on maximum/minimum reachability probabilities and expected cumulative reward values. Based on theory originally developed for stochastic hybrid systems, it is the first fully automated model checking technique for stochastic timed automata. Using an implementation as part of the Modest Toolset and four varied examples, we show that the approach works in practice and present a detailed evaluation of its applicability, its efficiency, and current limitations.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"70 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"130639736","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2014-11-18DOI: 10.14279/tuj.eceasst.70.976
G. Broadfoot
I attended my first software conference in 1968; it was organised by NATO with the title “The Software Crisis.” Many of the papers presented then could have been written yesterday; the problems of the software industry in producing reliable, correct software in the face of increasing complexity and shrinking time to market pressures have not fundamentally changed that much. In the intervening years as a community we have developed various tactics for trying to minimise software errors. Advances in theorem proving and model checking are good examples of systematic efforts to improve software correctness. Nevertheless, it remains the case that such approaches are rarely if ever encountered in the industrial workplace, with the possible exception of some safety critical domains, such as the software controlling nuclear power plants. In spite advances in formal methods and supporting tools, the tools available to programmers for verifying assertions about program execution are complex and require knowledge and skills that most practicing programmers do not have. Formal proofs remain difficult to construct, especially for anything but the simplest of programs. Merely constructing assertions to characterise program correctness is a difficult challenge. In 1998, I conceived the idea of combing model checking, code generation and the specification approach of Sequence-based Specification together to form an integrated software design platform for developing software components whose design (implementation) would be formally verified for correctness with respect to its specification. Other general correctness properties such as freedom from deadlocks, non-determinism, incomplete cases, etc. would also be verified. Verification would be performed by automatically translating Sequence-based specifications into semanti- cally equivalent CSP process algebra and then applying the model-checking engine FDR2. After verification was completed, semantically equivalent source code would be generated in one of several supported high-level languages. These ideas were developed further together with Philippa Hopcroft and in 2003 a company was founded to develop a commercial implementation of a development platform based on these ideas. In this talk, I will present an overview of the develop-ment platform and the technologies used. I will then discuss the experience gained during 10 years of trying to introduce this approach into industry and the lessons learned along the way.
{"title":"The highs and lows of deploying Formal Methods in Industry","authors":"G. Broadfoot","doi":"10.14279/tuj.eceasst.70.976","DOIUrl":"https://doi.org/10.14279/tuj.eceasst.70.976","url":null,"abstract":"I attended my first software conference in 1968; it was organised by NATO with the title “The Software Crisis.” Many of the papers presented then could have been written yesterday; the problems of the software industry in producing reliable, correct software in the face of increasing complexity and shrinking time to market pressures have not fundamentally changed that much. In the intervening years as a community we have developed various tactics for trying to minimise software errors. Advances in theorem proving and model checking are good examples of systematic efforts to improve software correctness. Nevertheless, it remains the case that such approaches are rarely if ever encountered in the industrial workplace, with the possible exception of some safety critical domains, such as the software controlling nuclear power plants. In spite advances in formal methods and supporting tools, the tools available to programmers for verifying assertions about program execution are complex and require knowledge and skills that most practicing programmers do not have. Formal proofs remain difficult to construct, especially for anything but the simplest of programs. Merely constructing assertions to characterise program correctness is a difficult challenge. In 1998, I conceived the idea of combing model checking, code generation and the specification approach of Sequence-based Specification together to form an integrated software design platform for developing software components whose design (implementation) would be formally verified for correctness with respect to its specification. Other general correctness properties such as freedom from deadlocks, non-determinism, incomplete cases, etc. would also be verified. Verification would be performed by automatically translating Sequence-based specifications into semanti- cally equivalent CSP process algebra and then applying the model-checking engine FDR2. After verification was completed, semantically equivalent source code would be generated in one of several supported high-level languages. These ideas were developed further together with Philippa Hopcroft and in 2003 a company was founded to develop a commercial implementation of a development platform based on these ideas. In this talk, I will present an overview of the develop-ment platform and the technologies used. I will then discuss the experience gained during 10 years of trying to introduce this approach into industry and the lessons learned along the way.","PeriodicalId":115235,"journal":{"name":"Electron. Commun. Eur. Assoc. Softw. Sci. Technol.","volume":"65 1","pages":"0"},"PeriodicalIF":0.0,"publicationDate":"2014-11-18","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"124934490","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":0,"RegionCategory":"","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
京公网安备 11010802042870号
京ICP备2023020795号-1
扫码关注我们
求助内容:
应助结果提醒方式: