Hardness for Explicit State Software Model Checking Benchmarks
Neha Rungta, Eric Mercer
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-10-15. DOI: 10.1109/SEFM.2007.23 (https://doi.org/10.1109/SEFM.2007.23)

Abstract: Directed model checking algorithms focus computation resources in the error-prone areas of concurrent systems. The algorithms depend on some empirical analysis to report their performance gains. Recent work characterizes the hardness of models used in the analysis as an estimated number of paths in the model that contain an error. This hardness metric is computed using a stateless random walk. We show that this is not a good hardness metric because models labeled hard with a stateless random walk metric have easily discoverable errors with a stateful randomized search. We present an analysis which shows that a hardness metric based on a stateful randomized search is a tighter bound for hardness in models used to benchmark explicit state directed model checking techniques. Furthermore, we convert easy models into hard models as measured by our new metric by pushing the errors deeper in the system and manipulating the number of threads that actually manifest an error.

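The two metrics contrasted in the abstract can be computed side by side on a toy model. The following Python is an added example, not code from the paper: it constructs a small multi-threaded model (each thread a program counter that can advance or reset), estimates hardness once with a stateless random walk (restart from the initial state, no memory of visited states) and once with a stateful randomized search, for which a randomized depth-first search over a visited set is used here as one reasonable choice. The model, the walk budget and the search budget are assumptions made for the illustration; `depth` pushes the error deeper and `erring` sets how many threads must cooperate to manifest it, mirroring the two knobs the abstract describes.

```python
"""Stateless random walk vs stateful randomized search as hardness estimators.

Added example, not code from the paper. The thread model is constructed for
illustration only.
"""
import random
from typing import List, Optional, Tuple

State = Tuple[int, ...]          # one program counter per thread


def make_thread_model(threads: int, depth: int, erring: int):
    """Build (init, succ, is_error). Program counters run 0..depth; each step
    advances one thread by one or resets it to 0. The error needs the first
    `erring` threads all at `depth` at the same time."""
    init: State = (0,) * threads

    def succ(s: State) -> List[State]:
        out: List[State] = []
        for i, pc in enumerate(s):
            if pc < depth:
                out.append(s[:i] + (pc + 1,) + s[i + 1:])
            if pc > 0:
                out.append(s[:i] + (0,) + s[i + 1:])
        return out

    def is_error(s: State) -> bool:
        return all(pc == depth for pc in s[:erring])

    return init, succ, is_error


def stateless_random_walk(init, succ, is_error, walks: int, max_depth: int,
                          seed: int = 0) -> float:
    """Fraction of `walks` memoryless, depth-bounded walks that reach an error.
    Each walk gets its own seed, so walk w follows the same trajectory whatever
    the error predicate; estimates for nested error sets are then comparable."""
    hits = 0
    for w in range(walks):
        rng = random.Random(seed * 1_000_003 + w)
        s = init
        for _ in range(max_depth):
            if is_error(s):
                hits += 1
                break
            nxt = succ(s)
            if not nxt:
                break
            s = rng.choice(nxt)
    return hits / walks


def stateful_randomized_search(init, succ, is_error, max_states: int,
                               seed: int = 0) -> Optional[int]:
    """Randomized DFS that never re-expands a visited state. Returns how many
    distinct states had been discovered when the first error state was popped,
    or None if the `max_states` budget is exhausted first."""
    rng = random.Random(seed)
    visited = {init}
    stack = [init]
    while stack:
        s = stack.pop()
        if is_error(s):
            return len(visited)
        kids = [t for t in succ(s) if t not in visited]
        rng.shuffle(kids)
        for t in kids:
            visited.add(t)
            stack.append(t)
        if len(visited) > max_states:
            return None
    return None


def hardness_report(threads: int, depth: int, erring: int) -> Tuple[float, Optional[int]]:
    """(stateless hit rate, states explored by the stateful search) for one model."""
    init, succ, is_error = make_thread_model(threads, depth, erring)
    space = (depth + 1) ** threads                       # every state is reachable
    rate = stateless_random_walk(init, succ, is_error,
                                 walks=500, max_depth=4 * depth * threads)
    explored = stateful_randomized_search(init, succ, is_error, max_states=space)
    return rate, explored


if __name__ == "__main__":
    for erring in (1, 2, 4):
        rate, explored = hardness_report(threads=4, depth=4, erring=erring)
        print(f"erring={erring}: stateless hit rate {rate:.3f}; "
              f"stateful search hit the error after {explored} of 625 states")
```

Because the search with a visited set exhausts the finite state space, it always reaches the error within the budget, while the walk's hit rate collapses as more threads have to be at their deepest point simultaneously; that gap is the abstract's point about the stateless metric overstating hardness.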
Testing conformance on Stochastic Stream X-Machines
Mercedes G. Merayo, M. Núñez
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-10-15. DOI: 10.1109/SEFM.2007.41 (https://doi.org/10.1109/SEFM.2007.41)

Abstract: Stream X-machines have been used to specify real systems that require representing complex data structures. One of the advantages of using stream X-machines to specify a system is that it is possible to produce a test set that, under certain conditions, detects all the faults of an implementation. In this paper we present a formal framework to test temporal behaviors in systems where temporal aspects are critical. Temporal requirements are expressed by means of random variables and affect the duration of actions. Implementation relations are presented, as well as a method to determine the conformance of an implementation with respect to a specification by applying a test set.

The Role of Abstract Interpretation in Formal Methods
P. Cousot
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-10-15. DOI: 10.1109/SEFM.2007.42 (https://doi.org/10.1109/SEFM.2007.42)

Abstract: In computer science and software engineering, formal methods are mathematically based techniques for the specification, development and verification of software and hardware systems. They therefore establish the satisfaction of a specification by a system semantics. Abstract interpretation is a theory of sound approximation of mathematical structures, in particular those involved in the description of the behavior of computer systems. It allows the systematic derivation of sound methods and algorithms for approximating undecidable or highly complex problems in various areas of computer science (semantics, verification and proof, model-checking, static analysis, program transformation and optimization, typing, software steganography, etc.). Its main current application is on the safety and security of complex hardware and software computer systems.

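"Sound approximation of an undecidable problem" is concrete in the interval domain. The following Python is an added example, not from the talk: it abstractly executes a constructed loop that indexes a buffer with `i = 0; while i < n: buf[i] = ...; i += step`, using intervals with widening (to force termination) and narrowing (to recover the bounds widening threw away), and answers whether the index is provably inside the buffer. The answer is sound: it may fail to prove a safe loop, but it never reports an unsafe one as safe. The loop shape, the validated interval for `n`, the step and the buffer size are all assumptions of the illustration.

```python
"""Interval abstract interpretation of a bounded loop with widening and narrowing.

Added example, not code from the talk. Analysed loop (constructed):
    i = 0
    while i < n:        # n previously validated to lie in a known interval
        buf[i] = ...    # is this index always inside buf?
        i = i + step
"""
import math
from dataclasses import dataclass
from typing import Tuple

INF = math.inf


@dataclass(frozen=True)
class Interval:
    lo: float
    hi: float

    @staticmethod
    def bottom() -> "Interval":
        return Interval(INF, -INF)          # empty set: no concrete value

    def is_bottom(self) -> bool:
        return self.lo > self.hi

    def leq(self, o: "Interval") -> bool:   # inclusion order of the lattice
        return self.is_bottom() or (o.lo <= self.lo and self.hi <= o.hi)

    def join(self, o: "Interval") -> "Interval":      # least upper bound
        if self.is_bottom():
            return o
        if o.is_bottom():
            return self
        return Interval(min(self.lo, o.lo), max(self.hi, o.hi))

    def meet(self, o: "Interval") -> "Interval":      # greatest lower bound
        return Interval(max(self.lo, o.lo), min(self.hi, o.hi))

    def widen(self, o: "Interval") -> "Interval":
        # A bound that is still moving jumps to infinity, so iteration terminates.
        if self.is_bottom():
            return o
        return Interval(self.lo if o.lo >= self.lo else -INF,
                        self.hi if o.hi <= self.hi else INF)

    def narrow(self, o: "Interval") -> "Interval":
        # Only the infinite bounds introduced by widening are refined.
        if self.is_bottom():
            return self
        return Interval(o.lo if self.lo == -INF else self.lo,
                        o.hi if self.hi == INF else self.hi)

    def add(self, k: int) -> "Interval":
        return self if self.is_bottom() else Interval(self.lo + k, self.hi + k)

    def less_than(self, o: "Interval") -> "Interval":
        # Values of self that can satisfy `self < o` for some value in o.
        if self.is_bottom() or o.is_bottom():
            return Interval.bottom()
        return self.meet(Interval(-INF, o.hi - 1))


def analyze_loop(n: Interval, step: int, buf_len: int) -> Tuple[Interval, Interval, bool]:
    """Return (loop-head invariant, invariant inside the body, index proven in bounds)."""
    entry = Interval(0, 0)                     # i = 0 on the entry edge
    head = Interval.bottom()
    while True:                                # ascending iteration with widening
        body = head.less_than(n)               # the guard i < n holds inside the body
        new_head = entry.join(body.add(step))  # entry edge joined with the back edge
        if new_head.leq(head):
            break                              # post-fixpoint reached
        head = head.widen(new_head)
    for _ in range(3):                         # descending iteration with narrowing
        body = head.less_than(n)
        head = head.narrow(entry.join(body.add(step)))
    body = head.less_than(n)
    safe = body.is_bottom() or (0 <= body.lo and body.hi < buf_len)
    return head, body, safe


if __name__ == "__main__":
    cases = ((Interval(0, 100), 100), (Interval(0, 200), 100), (Interval(-INF, INF), 100))
    for n, buf_len in cases:
        head, body, safe = analyze_loop(n, 2, buf_len)
        verdict = "proven in bounds" if safe else "NOT proven"
        print(f"n in [{n.lo}, {n.hi}], buf_len={buf_len}: head {head}, body {body}: {verdict}")
```

With `n` validated to [0, 100] the body invariant is i in [0, 99] and the access is proven safe even though the loop head only knows i in [0, 101]; with an unvalidated `n` the analysis widens to [0, +inf) and refuses to certify the access, which is exactly the behaviour a security-oriented static analyser needs.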
Specification-based testing for refinement
Temesghen Kahsai, M. Roggenbach, H. Schlingloff
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-10-15. DOI: 10.1109/SEFM.2007.38 (https://doi.org/10.1109/SEFM.2007.38)

Abstract: In this paper, we present a theory for the evaluation of test cases with respect to formal specifications. In particular, we use the specification language CSP-CASL to define and evaluate black-box tests for reactive systems. Using loose semantics and three-valued test oracles, our approach is well-suited to deal with the refinement of specifications. In a structured development process of computational systems, abstract specifications are gradually refined into more concrete ones. With our approach, it is possible to develop test cases already from very abstract and basic specifications, and to reuse them later on in more refined systems.

A Scalable Lock-Free Stack Algorithm and its Verification
R. Colvin, L. Groves
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-09-10. DOI: 10.1109/SEFM.2007.2 (https://doi.org/10.1109/SEFM.2007.2)

Abstract: The design of efficient software supporting concurrent access to shared data is a challenging task. Often such programs will have at their core algorithms which utilise conceptual locks to restrict access to the data, and which are significantly more complex than their sequential (non-concurrent) counterparts. Lock-free algorithms, which have been developed to avoid problems such as priority inversion and deadlock, are more complex still due to the larger scope for interference between processes. These algorithms become even more complex when further mechanisms are added to achieve good performance under a wide range of workloads. In this paper we present a lock-free algorithm that efficiently manages interference on a shared stack, by allowing complementary stack operations to be eliminated without altering the stack. The algorithm we present is based on a published algorithm due to Hendler, Shavit and Yerushalmi (2004), and incorporates simplifications and improvements that we discovered while attempting to verify the original algorithm. We present a high-level view of the formal verification of our algorithm, which was machine-checked using the PVS theorem prover.

Sound reasoning about unchecked exceptions
B. Jacobs, Peter Müller, F. Piessens
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-09-10. DOI: 10.1109/SEFM.2007.36 (https://doi.org/10.1109/SEFM.2007.36)

Abstract: In most software development projects, it is not feasible for developers to handle explicitly all possible unusual events which may occur during program execution, such as arithmetic overflow, highly unusual environment conditions, heap memory or call stack exhaustion, or asynchronous thread cancellation. Modern programming languages provide unchecked exceptions to deal with these circumstances safely and with minimal programming overhead. However, reasoning about programs in the presence of unchecked exceptions is difficult, especially in a multithreaded setting where the system should survive the failure of a subsystem. We propose a static verification approach for multithreaded programs with unchecked exceptions. Our approach is an extension of the Spec# verification methodology for object-oriented programs. It verifies that objects encapsulating shared resources are always ready to be disposed of, by allowing ownership transfers to other threads only through well-nested parallel execution operations. Also, the approach prevents developers from relying on invariants that may have been broken by a failure. We believe the programming style enforced by our approach leads to better programs, even in the absence of formal verification. The proposed approach enables developers using mainstream languages to gain some of the benefits of approaches based on isolated sub-processes. We believe this is the first verification approach that soundly verifies common exception handling and locking patterns in the presence of unchecked exceptions.

Towards A Case-Optimal Symbolic Execution Algorithm for Analyzing Strong Properties of Object-Oriented Programs
Xianghua Deng, Robby, J. Hatcliff
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-09-10. DOI: 10.1109/SEFM.2007.43 (https://doi.org/10.1109/SEFM.2007.43)

Abstract: Recent work has demonstrated that symbolic execution techniques can serve as a basis for formal analysis capable of automatically checking heap-manipulating software components against strong interface specifications. In this paper, we present an enhancement to existing symbolic execution algorithms for object-oriented programs that significantly improves upon the algorithms currently implemented in Bogor/Kiasan and JPF. To motivate and justify the new strategy for handling heap data in our enhanced approach, we present a significant empirical study of the performance of related algorithms and an interesting case counting analysis of the heap shapes that can appear in several widely used Java data structure packages.

Flexible Behavioural Compatibility and Substitutability for Component Protocols: A Formal Specification
N. Hameurlain
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-09-10. DOI: 10.1109/SEFM.2007.19 (https://doi.org/10.1109/SEFM.2007.19)

Abstract: Component compatibility and substitutability are widely recognized as the main issues in component-based software engineering (CBSE). Most existing approaches suffer from the problem of component adaptation. Indeed, component compatibility and substitutability are checked component-to-component without taking into account the context. This paper proposes a new framework where more flexible component protocol compatibility and substitutability relations that depend on the context (environment) can be defined. The proposed approach is based on the notion of component protocol usability, that is, a component such that there exists an environment ensuring the completion and/or the proper termination of the composition of the involved component protocol and that environment. Two optimistic protocol compatibility relations, together with two optimistic protocol behavioral subtyping relations related to the principle of substitutability, are proposed. Moreover, behavioral refinement of component protocols is studied, and a link between protocol refinement and usability is established. The soundness of the approach is shown.

Formal verification of tamper-evident storage for e-voting
Dominique Cansell, John Paul Gibson, D. Méry
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-09-10. DOI: 10.1109/SEFM.2007.21 (https://doi.org/10.1109/SEFM.2007.21)

Abstract: The storage of votes is a critical component of any voting system. In traditional systems there is a high level of transparency in the mechanisms used to store votes, and thus a reasonable degree of trustworthiness in the security of the votes in storage. This degree of transparency is much more difficult to attain in electronic voting systems, and so the specific mechanisms put in place to ensure the security of stored votes require much stronger verification in order for them to be trusted by the public. There are many desirable properties that one could reasonably expect a vote store to exhibit. From the point of view of security, we argue that tamper-evident storage is one of the most important requirements: the modification or deletion of already validated and stored votes should be detectable, as should the addition of unauthorised votes after the election is concluded. We propose the application of formal methods (in this paper, Event-B) for guaranteeing, through construction, the correctness of a vote store with respect to the requirement for tamper-evident storage. We illustrate the utility of our refinement-based approach by verifying, through the application of a reusable formal design pattern, a store design that uses a specific PROM technology and applies a specific encoding mechanism.

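The abstract does not say which PROM or which encoding the verified design uses, so the following Python is an added example of the requirement rather than the paper's design or its Event-B model. It assumes an idealised write-once memory whose cells start all-ones and whose bits can only be programmed 1 to 0, and an encoding chosen here for illustration: every valid vote word has exactly WEIGHT programmed bits (a constant-weight code), so any later change to a stored word leaves it with too many programmed bits and it no longer decodes, while a dedicated seal cell records the vote count when the election closes, so a vote written afterwards lands beyond the count. The audit function then makes the three events the abstract lists (modification, deletion, late addition) detectable.

```python
"""Tamper-evident vote storage on an idealised write-once memory.

Added example, not the paper's design or its Event-B model. The PROM model
and the constant-weight encoding are assumptions of this illustration.
"""
from typing import Dict, List, Tuple

WORD_BITS = 8
WEIGHT = 4                # programmed (zero) bits in every valid word
BLANK = 0xFF              # unprogrammed word: all bits still set


def programmed_bits(word: int) -> int:
    return WORD_BITS - bin(word & BLANK).count("1")


# Codebook: every 8-bit word with exactly WEIGHT zero bits (C(8,4) = 70 words).
# Candidate c, or a vote count c, is stored as CODEBOOK[c].
CODEBOOK: List[int] = [w for w in range(256) if programmed_bits(w) == WEIGHT]
DECODE: Dict[int, int] = {w: i for i, w in enumerate(CODEBOOK)}


class Prom:
    """Write-once memory: programming can clear bits but never set them."""

    def __init__(self, cells: int) -> None:
        self.cells = [BLANK] * cells

    def program(self, index: int, word: int) -> None:
        self.cells[index] &= word & BLANK     # AND models the one-way bit transition


class VoteStore:
    """Cell 0 is the seal (vote count); cells 1.. hold one vote each, in order."""

    def __init__(self, cells: int) -> None:
        self.prom = Prom(cells)
        self.next_slot = 1

    def cast(self, candidate: int) -> None:
        if self.next_slot >= len(self.prom.cells):
            raise RuntimeError("store full")
        self.prom.program(self.next_slot, CODEBOOK[candidate])
        self.next_slot += 1

    def close(self) -> None:
        self.prom.program(0, CODEBOOK[self.next_slot - 1])   # seal with the count


def audit(prom: Prom) -> Tuple[bool, str, List[int]]:
    """Re-read the memory; accept only a sealed record whose every slot decodes."""
    seal = prom.cells[0]
    if seal == BLANK:
        return False, "election not sealed", []
    if seal not in DECODE:
        return False, "seal cell is not a codeword (tampered)", []
    count = DECODE[seal]
    votes: List[int] = []
    for i, w in enumerate(prom.cells[1:], start=1):
        if i <= count:
            if w not in DECODE:          # modified or erased vote: wrong weight
                return False, (f"slot {i}: {w:#04x} is not a codeword "
                               f"({programmed_bits(w)} bits programmed)"), votes
            votes.append(DECODE[w])
        elif w != BLANK:                 # data beyond the sealed count
            return False, f"slot {i}: vote written after the election was sealed", votes
    return True, "ok", votes


def tally(votes: List[int], candidates: int) -> List[int]:
    counts = [0] * candidates
    for v in votes:
        counts[v] += 1
    return counts


if __name__ == "__main__":
    store = VoteStore(cells=8)
    for c in (0, 2, 2, 1):               # constructed ballots
        store.cast(c)
    store.close()
    print(audit(store.prom))
    lowest_set = store.prom.cells[2] & -store.prom.cells[2]
    store.prom.program(2, BLANK ^ lowest_set)   # attacker clears one more bit
    print(audit(store.prom))
```

The write-once property does the heavy lifting: because a stored word can only gain programmed bits, no codeword can be turned into another codeword, and the seal cannot be rewritten to a smaller count; the audit only has to check weights and the count. A store with separate seal and vote cells is a simplification; the paper's pattern is proved in Event-B against the abstract requirement and then refined to a concrete PROM and encoding.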
A Thread-tag Based Semantics for Sequence Diagrams
Haitao Dan, R. Hierons, S. Counsell
Fifth IEEE International Conference on Software Engineering and Formal Methods (SEFM 2007), 2007-09-10. DOI: 10.1109/SEFM.2007.3 (https://doi.org/10.1109/SEFM.2007.3)

Abstract: The sequence diagram is one of the most popular behaviour modelling languages, offering an intuitive and visual way of describing the expected behaviour of object-oriented software. Much research work has investigated ways of providing a formal semantics for sequence diagrams. However, these proposed semantics may not properly interpret sequence diagrams when lifelines do not correspond to threads of control. In this paper, we address this problem and propose a thread-tag based sequence diagram as a solution. A formal, partially ordered multiset based semantics for the thread-tag based sequence diagrams is proposed.