Automatic verification of railway interlocking systems: a case study. J. Petersen. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298597
This paper presents experiences in applying formal verification to a large industrial piece of software. The area of application is railway interlocking systems, which has earlier been addressed in for instance [9], [8], [7], and [6]. We try to prove requirements of the program controlling the Swedish railway station Alingsås by using the decision procedure which is based on the patented Stålmarck algorithm. While some requirements are easily proved, others are virtually impossible to manage due to a very large potential state space, which is in excess of 10^100000. We present what has been done in order to get, at least, an idea of whether or not such difficult requirements are fulfilled, and we express thoughts on what is needed in order to be able to successfully verify large real-life systems.
Applying the SCR requirements method to a weapons control panel: an experience report. C. Heitmeyer, J. Kirby, B. Labaw. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298863
A major barrier to the use of formal methods in software practice is the difficulty software developers have understanding and applying the methods. To overcome this barrier, a requirements method called SCR (Software Cost Reduction) offers a user-friendly tabular notation to specify software requirements and a collection of easy-to-use tools that automatically detect many classes of errors in requirements specifications. This paper describes our experience in applying the SCR method and tools to a safety-critical military application: the problems encountered in translating the original contractor-produced software requirements specification into SCR and the lessons learned in applying the SCR technology to a practical system. The short time required to apply the SCR method, the serious safety violation detected, and the working system prototype produced demonstrate the utility and potential cost-effectiveness of SCR for developing safety-critical systems.
Property specification patterns for finite-state verification. Matthew B. Dwyer, G. Avrunin, J. Corbett. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298598
Finite-state verification (e.g., model checking) provides a powerful means to detect errors that are often subtle and difficult to reproduce. Nevertheless, the transition of this technology from research to practice has been slow. While there are a number of potential causes for reluctance in adopting such formal methods in practice, we believe that a primary cause rests with the fact that practitioners are unfamiliar with specification processes, notations, and strategies. Recent years have seen growing success in leveraging experience with design and coding patterns. We propose a pattern-based approach to the presentation, codification and reuse of property specifications for finite-state verification.
Designing executable abstractions. G. Holzmann. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298864
It is well-known that in general the problem of deciding whether a program halts (or can deadlock) is undecidable. Model checkers, therefore, cannot be applied to arbitrary programs, but work with well-defined abstractions of programs. The feasibility of a verification often depends on the type of abstraction that is made. Abstraction is indeed the most powerful tool that the user of a model checking tool can apply, yet it is often perceived as a temporary inconvenience.
Experiences in verifying parallel simulation algorithms. J. Penix, D. E. Martin, Peter Frey, R. Radhakrishnan, P. Alexander, P. Wilsey. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298600
Parallelization is a popular technique for improving the performance of discrete event simulation. Due to the complex, distributed nature of parallel simulation algorithms, debugging implemented systems is a daunting, if not impossible, task. Developers are plagued with transient errors that prove difficult to replicate and eliminate. Recently, researchers at The University of Cincinnati developed a parallel simulation kernel, WARPED, implementing a generic parallel discrete event simulator based on the Time Warp optimistic synchronization algorithm. The intent was to provide a common base from which domain-specific simulators can be developed. Due to the complexity of the Time Warp algorithm and the dependence of many simulators on the simulation kernel's correctness, a formal specification was developed and verified for critical aspects of the Time Warp system. This paper describes these specifications, their verification and their interaction with the development process.
Low-cost pathways towards formal methods use. M. Feather. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298862
In current practice, formal methods are perceived as high-cost activities, and hence their use is recommended primarily for cases warranting the highest possible level of assurance. However, opportunities abound for beneficial applications of formal methods across a broad spectrum of cases, provided low-cost pathways towards their introduction and use can be identified. This premise is illustrated on a fragment of space vehicle requirements. Other researchers have studied fragments similar to this to illustrate various analysis techniques. Here it is shown that judicious choice of representation permits (some) formal analysis to be conducted immediately. Furthermore, this representation is made alluring by automatically generating textual and tabular representations from it. The net result is a low-cost (perhaps even cost-saving) approach to manipulating requirements of this nature, with the beneficial side effect of permitting formal analysis of those requirements at no extra cost.
Controller synthesis for the "production cell" case study. Helmut Melcher, K. Winkelmann. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298601
Controller Synthesis is an approach to solving reactive control problems by using a compiler (synthesizer) which automatically generates a control program from a description of requirements and a description of the system to be controlled (control problem). We describe the approach and explain its specific properties. An important advantage of Controller Synthesis when compared with other approaches is that the following programs and tools are automatically synthesized from the control problem specification: a correct controller prototype, a simulation covering both environment and controller behavior, a test environment and an environment observer. The environment observer makes sure that the controller is used in the environment which it is specified for. Another advantage is that the presupposed behavior of the system to be controlled is made explicit and documented as part of the control problem. Controller Synthesis can be applied to a given problem if it can be specified in the form of a control problem and processed by an existing compiler (synthesizer) for the specification language in use. We explain how Controller Synthesis can be used both as an alternative and a supplement to other approaches. CSLxt is a language for specifying and solving
Formal specification and validation at work: a case study using VDM-SL. Sten Agerholm, P. Lecoeur, Etienne Reichert. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298861
We report on a case study conducted at DASSAULT ELECTRONIQUE in order to assess the benefits of introducing formal specification and validation in an industrial context, using the ISO Standard VDM Specification Language (VDM-SL) and a commercial toolset marketed by IFAD. The case study is based on a typical example from the terrestrial transportation domain, the door management system of a metro. It focuses on the suitability of the VDM technology for the early software development phases before detailed design, when requirements may be unstable and customer feedback is essential. Particular focus is put on the consistency-checking, animation and early prototyping facilities of the IFAD VDM tools.
Service specifications: to B, or not to B. B. Mermet, D. Méry. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298859
The paper introduces a new use for the B method as a means of specifying telecommunication services with the help of abstract machines and, consequently, it defines a formal framework for studying the feature interaction problem. An interaction is defined as a violation of an invariant and is detected when combining two or more abstract machines. The current B method is extended to allow the composition of abstract machines. The B method is supported by software that helps the specifier of services and features. We have not only modelled services within the B technology, but we have also extended the possibilities of B through the composition of abstract machines.
The experimental Estelle Compiler: automatic generation of implementations from formal specifications. Joachim Thees, R. Gotzhein. Formal Methods in Software Practice, 1998-03-04. DOI: 10.1145/298595.298858
In this paper, we introduce the eXperimental Estelle Compiler (XEC), a new implementation generator for the specification language Estelle. This tool is experimental in the sense that it has been developed as a platform for the performance evaluation, optimization, and testing of implementation methods. The special structure of generated implementations allows a very flexible execution model, supporting extensive static and dynamic optimizations. Finally, we report on a case study with the Xpress Transport Protocol (XTP), including quantitative performance data of different implementation methods in comparison to other Estelle code generators.