Formal Aspects of Computing: latest publications

The concept of class invariant in object-oriented programming
IF 1, Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2024-01-24. DOI: 10.1145/3626201
Bertrand Meyer, Alisa Arkadova, Alexander Kogtenkov

Class invariants — consistency constraints preserved by every operation on objects of a given type — are fundamental to building, understanding and verifying object-oriented programs. For verification, however, they raise difficulties, which have not yet received a generally accepted solution. The present work introduces a proof rule meant to address these issues and allow verification tools to benefit from invariants.

It clarifies the notion of invariant and identifies the three associated problems: callbacks, furtive access and reference leak. As an example, the 2016 Ethereum DAO bug, in which $50 million were stolen, resulted from a callback invalidating an invariant.

The discussion starts with a simplified model of computation and an associated proof rule, demonstrating its soundness. It then removes one by one the three simplifying assumptions, each removal raising one of the three issues, and leading to a corresponding adaptation to the proof rule. The final version of the rule can tackle tricky examples, including “challenge problems” listed in the literature.

Citations: 0
The Clinical Picture of Otosclerosis and the Surgery Effect on Bone Conduction Thresholds on Audiograms.
IF 1.4, Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2023-12-01. Epub Date: 2023-07-12. DOI: 10.1007/s12070-023-04034-3
Louei Darjazini Nahas, Mouhammad Trabulsi, Rama Alsawah, Ahmad Hamsho, Mohammad Sadek Al-Masalmeh, Abdullah Omar

Our study aims to illustrate the clinical picture of otosclerosis in patients and the effect of surgery on the bone conduction thresholds compared to audiometry tests before surgery. A retrospective study included 36 patients who fit the inclusion criteria based on the patients' files and Pure Tone Audiometry of the patients before and after surgery. The questionnaire used is attached at the end of the study. According to our sample, 77.8% were females, and 22.2% were males. The youngest was 17 years old, the eldest was 61, and the mean age was 38.2 years old. Hearing loss was the most common symptom, present in 100% of patients, while tinnitus was found in 66.7% and vertigo in 11%. The injury was bilateral in 72% of the cases. Before surgery, the mean air conduction threshold (ACT) was 54.7 dB, the mean value of the air-bone gap (ABG) was 38.3 dB, and the mean bone conduction threshold (BCT) was 16.1 dB. Meanwhile, after the surgery, the mean BCT was 18.2 dB. Otosclerosis is more common in middle-aged females. Most cases are bilateral. Two-thirds of the cases of hearing loss were associated with tinnitus, while only a few had vertigo. A slight increase was noticed in BCTs after surgeries, especially at 4000 Hz. Stapedectomy caused a noticeable decrease in the values of BCTs at 4000 Hz. Stapedotomy improved the BCTs after surgery by about 5.3 dB at 4000 Hz.

Citations: 0
iStar Goal Model to Z Formal Model Translation and Model Checking of CBTC Moving Block Interlocking System
IF 1, Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2023-11-27. DOI: 10.1145/3633065
Lokanna Kadakolmath, Umesh D. Ramu

The reliability and safety of complex software systems are ensured by extracting safety requirements from regulations and operational environments and later specifying these requirements precisely. At the early stage, these extracted safety requirements are informal. Typically, they deal with non-functional requirements. Analysis of early requirements using traditional methods is inadequate because these methods focus only on the WHAT dimension of requirements engineering and do not address the WHY dimension. In this article, we use a goal-oriented modelling method called iStar to confront these issues. To ensure that the software system developed fulfils the requirements specified in the early phase, it is necessary to integrate early-phase requirements with late-phase requirements. To accomplish this task, we use the Z formal method to integrate early-phase requirements with late-phase requirements. This integration synergistically resolves the above issues. As a case study, we use the CBTC moving block interlocking system to illustrate the synergy of the iStar and Z combination on complex software systems. Finally, we verify the developed formal model against LTL safety properties using the ProZ model checking tool.

Citations: 0
State machines for large scale computer software and systems
IF 1, Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2023-11-22. DOI: 10.1145/3633786
Victor Yodaiken

The behavior and architecture of large scale discrete state systems found in computer software and hardware can be specified and analyzed using a particular class of primitive recursive functions. This paper begins with an illustration of the utility of the method via a number of small examples and then via a longer specification and verification of the “Paxos” distributed consensus algorithm [26]. The “sequence maps” are then shown to provide an alternative representation of deterministic state machines and algebraic products of state machines.

Distributed and composite systems, parallel and concurrent computation, and real-time behavior can all be specified naturally with these methods, which require neither extensions to the classical state machine model nor any axiomatic methods or other techniques from formal logic or other foundational methods. Compared to state diagrams, tables, or the standard set-tuple-transition-maps, sequence maps are more concise and better suited to describing the behavior and compositional architecture of computer systems. Staying strictly within the boundaries of classical deterministic state machines anchors the methods to the algebraic structures of automata and makes the specifications faithful to engineering practice.

Citations: 3
Introduction to the Special Collection from FASE 2021
Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2023-09-30. DOI: 10.1145/3626206
Esther Guerra, Mariëlle Stoelinga
As the microblogging service Twitter becomes an increasingly popular tool for politicians and general users to comment on and discuss politics, researchers increasingly turn to the relationship between tweets mentioning parties or candidates and their ...
Citations: 0
Rooted Divergence-Preserving Branching Bisimilarity is a Congruence for Guarded CCS
Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2023-09-29. DOI: 10.1145/3625564
Quan Sun, David N. Jansen, Xinxin Liu, Wei Zhang
Branching bisimilarity is a well-known equivalence relation for labelled transition systems. Based on this equivalence relation, with an additional simple rootedness condition, a congruence relation for CCS processes can be obtained. However, neither branching bisimilarity nor the corresponding congruence relation preserves divergence, and it is still a question whether, based on a divergence-preserving variant of branching bisimilarity, a divergence-preserving congruence relation for CCS processes can be obtained by introducing the same simple rootedness condition. In this paper we present a partial solution by showing that rooted divergence-preserving branching bisimilarity is preserved under the usual CCS operators including prefixing, summation, parallel composition, relabelling, restriction, and (weakly) guarded recursion.
Citations: 0
RoboWorld: verification of robotic systems with environment in the loop
Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2023-09-27. DOI: 10.1145/3625563
James Baxter, Gustavo Carvalho, Ana Cavalcanti, Francisco Rodrigues Júnior
A robot affects and is affected by its environment, so that typically its behaviour depends on properties of that environment. For verification, we need to formalise those properties. Modelling the environment is very challenging, if not impossible, but we can capture assumptions. Here, we present RoboWorld, a domain-specific controlled natural language with a process algebraic semantics that can be used to define (a) operational requirements, and (b) environment interactions of a robot. RoboWorld is part of the RoboStar framework for verification of robotic systems. In this paper, we define RoboWorld’s syntax and hybrid semantics, and illustrate its use for capturing operational requirements, for automatic test generation, and for proof. We also present a tool that supports the writing of RoboWorld documents. Since RoboWorld is a controlled natural language, it complements the other RoboStar notations in being accessible to roboticists, while at the same time benefitting from a formal semantics to support rigorous verification (via testing and proof).
Citations: 0
Introduction to the Special Collection from iFM 2022
Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2023-09-26. DOI: 10.1145/3622995
Rosemary Monahan, Maurice H. ter Beek
This special collection arose from the 17th International Conference on integrated Formal Methods (iFM) held in beautiful Lugano, Switzerland, hosted by the Software Institute of USI Università della Svizzera italiana.
Citations: 0
Compositional Analysis of Probabilistic Timed Graph Transformation Systems
Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2023-09-13. DOI: 10.1145/3572782
Maria Maximova, Sven Schneider, Holger Giese
The analysis of behavioral models is of high importance for cyber-physical systems, as the systems often encompass complex behavior based on, e.g., concurrent components with mutual exclusion or probabilistic failures on demand. The rule-based formalism of Probabilistic Timed Graph Transformation Systems (PTGTSs) is a suitable choice when the models representing states of the system can be understood as graphs and timed and probabilistic behavior is important. However, model checking PTGTSs is limited to systems with rather small state spaces. We present an approach for the analysis of large-scale systems modeled as PTGTSs by systematically decomposing their state spaces into manageable fragments. To obtain qualitative and quantitative analysis results for a large-scale system, we verify that results obtained for its fragments serve as overapproximations for the corresponding results of the large-scale system. Hence, our approach allows for the detection of violations of qualitative and quantitative safety properties for the large-scale system under analysis. We consider a running example in which shuttles drive on tracks of a large-scale topology and autonomously coordinate their local behavior with other shuttles nearby. For this running example, we verify that (a) shuttles can always make the expected forward progress using several properties, (b) shuttles never collide, and (c) shuttles are unlikely to execute emergency brakes in two scenarios. In our evaluation, we apply an implementation of our approach in the tool AutoGraph to our running example.
Citations: 2
Refinement-Based Specification and Analysis of Multi-Core ARINC 653 Using Event-B
IF 1, Zone 4, Computer Science, Q3 COMPUTER SCIENCE, SOFTWARE ENGINEERING. Pub Date: 2023-08-21. DOI: 10.1145/3617183
Zhang Feng, Leping Zhang, Yongwang Zhao, Liu Yang, Sun Jun
ARINC 653, as the de facto standard for partitioning operating systems, has been applied in many safety-critical domains. The multi-core version of ARINC 653, ARINC 653 Part1-4 (Version 4), provides support for services to be utilized with a module that contains multiple processor cores. Formal specification and analysis of this standard document can provide a rigorous specification and uncover concealed errors in the textual description of service requirements. This paper proposes a specification method for concurrency on a multi-core platform using Event-B and a refinement structure for the complicated ARINC 653 Part1-4, provides a comprehensive, stepwise refinement-based Event-B specification with seven refinement layers, and then performs formal proof and analysis in RODIN. During the formal specification and analysis, we verify that the errors discovered in the single-core version of the standard (ARINC 653 Part1-3) also exist in ARINC 653 Part1-4.
ARINC 653作为分区操作系统的实际标准,已在许多安全关键领域得到应用。ARINC 653的多核版本ARINC 653 Part1-4(版本4)为包含多个处理器核心的模块所使用的服务提供了支持。该标准文档的正式规范和分析可以提供严格的规范,并发现服务需求的文本描述中隐藏的错误。本文提出了一种基于Event-B的多核平台并发性规范方法,并针对复杂的ARINC 653 Part1-4提出了一种细化结构,给出了一个包含7个细化层的基于逐步细化的Event-B规范,并在RODIN中进行了形式化证明和分析。在正式规范和分析过程中,我们验证了单核版本标准(ARINC 653 Part1-3)中发现的错误也存在于ARINC 653 Part1-4中。
Citations: 0
Journal
Formal Aspects of Computing