One of the major advantages of model checking over other formal methods is its ability to generate a counterexample when a model does not satisfy is its specification. A counterexample is an error trace that helps to locate the source of the error. Therefore, the counterexample represents a valuable tool for debugging. In Probabilistic Model Checking (PMC), the task of counterexample generation has a quantitative aspect. Unlike the previous methods proposed for conventional model checking that generate the counterexample as a single path ending with a bad state representing the failure, the task in PMC is completely different. A counterexample in PMC is a set of evidences or diagnostic paths that satisfy a path formula, whose probability mass violates the probability threshold. Counterexample generation is not sufficient for finding the exact source of the error. Therefore, in conventional model checking, many debugging techniques have been proposed to act on the counterexamples generated to locate the source of the error. In PMC, debugging counterexamples is more challenging, since the probabilistic counterexample consists of multiple paths and it is probabilistic. In this article, we propose a debugging technique based on stochastic games to analyze probabilistic counterexamples generated for probabilistic models described as Markov chains in PRISM language. The technique is based mainly on the idea of considering the modules composing the system as players of a reachability game, whose actions contribute to the evolution of the game. Through many case studies, we will show that our technique is very effective for systems employing multiple components. The results are also validated by introducing a debugging tool called GEPCX (Game Explainer of Probabilistic Counterexamples).
与其他形式化方法相比,模型检查的主要优点之一是,当模型不满足其规范时,它能够生成反例。反例是帮助定位错误来源的错误跟踪。因此,反例是一个有价值的调试工具。在概率模型检验(PMC)中,反例生成的任务具有定量化的特点。与之前提出的传统模型检查方法不同,PMC中的任务完全不同,传统模型检查方法将反例生成为以坏状态结束的单个路径,表示失败。PMC中的反例是一组满足路径公式的证据或诊断路径,其概率质量违反概率阈值。反例生成不足以找到错误的确切来源。因此,在传统的模型检查中,提出了许多调试技术来对生成的反例进行操作,以定位错误的来源。在PMC中,调试反例更具挑战性,因为概率反例由多条路径组成,而且是概率性的。在本文中,我们提出了一种基于随机博弈的调试技术来分析PRISM语言中描述为马尔可夫链的概率模型生成的概率反例。该技术主要基于将组成系统的模块视为可达性游戏的玩家的理念,他们的行动有助于游戏的发展。通过许多案例研究,我们将展示我们的技术对于使用多个组件的系统是非常有效的。通过引入一个名为GEPCX (Game Explainer of Probabilistic Counterexamples)的调试工具,结果也得到了验证。
{"title":"A Debugging Game for Probabilistic Models","authors":"Hichem Debbi","doi":"10.1145/3536429","DOIUrl":"https://doi.org/10.1145/3536429","url":null,"abstract":"One of the major advantages of model checking over other formal methods is its ability to generate a counterexample when a model does not satisfy is its specification. A counterexample is an error trace that helps to locate the source of the error. Therefore, the counterexample represents a valuable tool for debugging. In Probabilistic Model Checking (PMC), the task of counterexample generation has a quantitative aspect. Unlike the previous methods proposed for conventional model checking that generate the counterexample as a single path ending with a bad state representing the failure, the task in PMC is completely different. A counterexample in PMC is a set of evidences or diagnostic paths that satisfy a path formula, whose probability mass violates the probability threshold. Counterexample generation is not sufficient for finding the exact source of the error. Therefore, in conventional model checking, many debugging techniques have been proposed to act on the counterexamples generated to locate the source of the error. In PMC, debugging counterexamples is more challenging, since the probabilistic counterexample consists of multiple paths and it is probabilistic. In this article, we propose a debugging technique based on stochastic games to analyze probabilistic counterexamples generated for probabilistic models described as Markov chains in PRISM language. The technique is based mainly on the idea of considering the modules composing the system as players of a reachability game, whose actions contribute to the evolution of the game. Through many case studies, we will show that our technique is very effective for systems employing multiple components. The results are also validated by introducing a debugging tool called GEPCX (Game Explainer of Probabilistic Counterexamples).","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2022-05-15","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"43494912","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Chenghao Cai, Jing Sun, G. Dobbie, Zhé Hóu, Hadrien Bride, J. Dong, S. Lee
Automated model repair techniques enable machines to synthesise patches that ensure models meet given requirements. B-repair, which is an existing model repair approach, assists users in repairing erroneous models in the B formal method, but repairing large models is inefficient due to successive applications of repair. In this work, we improve the performance of B-repair using simultaneous modifications, repair refactoring, and better classifiers. The simultaneous modifications can eliminate multiple invariant violations at a time so the average time to repair each fault can be reduced. Further, the modifications can be refactored to reduce the length of repair. The purpose of using better classifiers is to perform more accurate and general repairs and avoid inefficient brute-force searches. We conducted an empirical study to demonstrate that the improved implementation leads to the entire model process achieving higher accuracy, generality, and efficiency.
{"title":"Fast Automated Abstract Machine Repair Using Simultaneous Modifications and Refactoring","authors":"Chenghao Cai, Jing Sun, G. Dobbie, Zhé Hóu, Hadrien Bride, J. Dong, S. Lee","doi":"10.1145/3536430","DOIUrl":"https://doi.org/10.1145/3536430","url":null,"abstract":"Automated model repair techniques enable machines to synthesise patches that ensure models meet given requirements. B-repair, which is an existing model repair approach, assists users in repairing erroneous models in the B formal method, but repairing large models is inefficient due to successive applications of repair. In this work, we improve the performance of B-repair using simultaneous modifications, repair refactoring, and better classifiers. The simultaneous modifications can eliminate multiple invariant violations at a time so the average time to repair each fault can be reduced. Further, the modifications can be refactored to reduce the length of repair. The purpose of using better classifiers is to perform more accurate and general repairs and avoid inefficient brute-force searches. We conducted an empirical study to demonstrate that the improved implementation leads to the entire model process achieving higher accuracy, generality, and efficiency.","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2022-05-14","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"44005672","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
M. Bouwman, Djurre van der Wal, B. Luttik, M. Stoelinga, A. Rensink
We present a case study on the application of formal methods in the railway domain. The case study is part of the FormaSig project, which aims to support the development of EULYNX — a European standard defining generic interfaces for railway equipment — using formal methods. We translate the semi-formal SysML models created within EULYNX to formal mCRL2 models. By adopting a model-centric approach in which a formal model is used both for analyzing the quality of the EULYNX specification and for automated compliance testing, a high degree of traceability is achieved. The target of our case study is the EULYNX Point subsystem interface. We present a detailed catalog of the safety requirements, and provide counterexamples that show that some of them do not hold without specific fairness assumptions. We also use the mCRL2 model to generate both random and guided tests, which we apply to a third-party software simulator. We share metrics on the coverage and execution time of the tests, which show that guided testing outperforms random testing. The test results indicate several discrepancies between the model and the simulator. One of these discrepancies is caused by a fault in the simulator, the others are caused by false positives, i.e. an over-approximation of fail verdicts by our test setup.
{"title":"A Case in Point: Verification and Testing of a EULYNX Interface","authors":"M. Bouwman, Djurre van der Wal, B. Luttik, M. Stoelinga, A. Rensink","doi":"10.1145/3528207","DOIUrl":"https://doi.org/10.1145/3528207","url":null,"abstract":"We present a case study on the application of formal methods in the railway domain. The case study is part of the FormaSig project, which aims to support the development of EULYNX — a European standard defining generic interfaces for railway equipment — using formal methods. We translate the semi-formal SysML models created within EULYNX to formal mCRL2 models. By adopting a model-centric approach in which a formal model is used both for analyzing the quality of the EULYNX specification and for automated compliance testing, a high degree of traceability is achieved. The target of our case study is the EULYNX Point subsystem interface. We present a detailed catalog of the safety requirements, and provide counterexamples that show that some of them do not hold without specific fairness assumptions. We also use the mCRL2 model to generate both random and guided tests, which we apply to a third-party software simulator. We share metrics on the coverage and execution time of the tests, which show that guided testing outperforms random testing. The test results indicate several discrepancies between the model and the simulator. One of these discrepancies is caused by a fault in the simulator, the others are caused by false positives, i.e. an over-approximation of fail verdicts by our test setup.","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2022-05-10","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"47554306","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Stella Simić, A. Bemporad, Omar Inverso, M. Tribastone
We consider the problem of estimating the numerical accuracy of programs with operations in fixed-point arithmetic and variables of arbitrary, mixed precision, and possibly non-deterministic value. By applying a set of parameterised rewrite rules, we transform the relevant fragments of the program under consideration into sequences of operations in integer arithmetic over vectors of bits, thereby reducing the problem as to whether the error enclosures in the initial program can ever exceed a given order of magnitude to simple reachability queries on the transformed program. We describe a possible verification flow and a prototype analyser that implements our technique. We present an experimental evaluation on a particularly complex industrial case study, including a preliminary comparison between bit-level and word-level decision procedures.
{"title":"Tight Error Analysis in Fixed-point Arithmetic","authors":"Stella Simić, A. Bemporad, Omar Inverso, M. Tribastone","doi":"10.1145/3524051","DOIUrl":"https://doi.org/10.1145/3524051","url":null,"abstract":"We consider the problem of estimating the numerical accuracy of programs with operations in fixed-point arithmetic and variables of arbitrary, mixed precision, and possibly non-deterministic value. By applying a set of parameterised rewrite rules, we transform the relevant fragments of the program under consideration into sequences of operations in integer arithmetic over vectors of bits, thereby reducing the problem as to whether the error enclosures in the initial program can ever exceed a given order of magnitude to simple reachability queries on the transformed program. We describe a possible verification flow and a prototype analyser that implements our technique. We present an experimental evaluation on a particularly complex industrial case study, including a preliminary comparison between bit-level and word-level decision procedures.","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2022-05-04","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"46062211","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Andreas Humenberger, Daneshvar Amrollahi, N. Bjørner, L. Kovács
Provably correct software is one of the key challenges of our software-driven society. Program synthesis—the task of constructing a program satisfying a given specification—is one strategy for achieving this. The result of this task is then a program that is correct by design. As in the domain of program verification, handling loops is one of the main ingredients to a successful synthesis procedure. We present an algorithm for synthesizing loops satisfying a given polynomial loop invariant. The class of loops we are considering can be modeled by a system of algebraic recurrence equations with constant coefficients, thus encoding program loops with affine operations among program variables. We turn the task of loop synthesis into a polynomial constraint problem by precisely characterizing the set of all loops satisfying the given invariant. We prove soundness of our approach, as well as its completeness with respect to an a priori fixed upper bound on the number of program variables. Our work has applications toward synthesizing loops satisfying a given polynomial loop invariant—program verification—as well as generating number sequences from algebraic relations. To understand viability of the methodology and heuristics for synthesizing loops, we implement and evaluate the method using the Absynth tool.
{"title":"Algebra-Based Reasoning for Loop Synthesis","authors":"Andreas Humenberger, Daneshvar Amrollahi, N. Bjørner, L. Kovács","doi":"10.1145/3527458","DOIUrl":"https://doi.org/10.1145/3527458","url":null,"abstract":"Provably correct software is one of the key challenges of our software-driven society. Program synthesis—the task of constructing a program satisfying a given specification—is one strategy for achieving this. The result of this task is then a program that is correct by design. As in the domain of program verification, handling loops is one of the main ingredients to a successful synthesis procedure. We present an algorithm for synthesizing loops satisfying a given polynomial loop invariant. The class of loops we are considering can be modeled by a system of algebraic recurrence equations with constant coefficients, thus encoding program loops with affine operations among program variables. We turn the task of loop synthesis into a polynomial constraint problem by precisely characterizing the set of all loops satisfying the given invariant. We prove soundness of our approach, as well as its completeness with respect to an a priori fixed upper bound on the number of program variables. Our work has applications toward synthesizing loops satisfying a given polynomial loop invariant—program verification—as well as generating number sequences from algebraic relations. To understand viability of the methodology and heuristics for synthesizing loops, we implement and evaluate the method using the Absynth tool.","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2022-04-07","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"44325415","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
In recent years, we have witnessed a proliferation of approaches that integrate several modeling, verification, simulation, and testing techniques. Such approaches facilitate more versatile and efficient analysis of modern computation-intensive systems. They provide powerful support for the analysis of different functional and non-functional properties of the systems, various hardware and software components, and their interaction, as well as the design and validation of diverse aspects of system behavior. iFM 2020 solicited high-quality papers reporting novel research results as well as tool papers and experience reports. The Program Committee (PC) received 63 submissions and selected 24 for publication, of which 2 were short papers. The conference was held online due to the COVID-19 pandemic. We received fantastic support from the general chair, Carlo Furia, and his team, allowing the virtual conference to proceed smoothly and efficiently. For this we are very thankful. Here is a collection of the extended versions of the best papers from the iFM 2020 conference that have been selected by the PC. The articles cover a broad spectrum of topics, describing formal verification of a file system for flash memory down to system-level code, error analysis of the arithmetic operations as a means of controlling error propagation, and loop synthesis from loop invariants via reductions to polynomial constraint problems. The three accepted articles are listed below:
{"title":"Introduction to the Special Section on iFM 2020","authors":"Brijesh Dongol, E. Troubitsyna","doi":"10.1145/3546592","DOIUrl":"https://doi.org/10.1145/3546592","url":null,"abstract":"In recent years, we have witnessed a proliferation of approaches that integrate several modeling, verification, simulation, and testing techniques. Such approaches facilitate more versatile and efficient analysis of modern computation-intensive systems. They provide powerful support for the analysis of different functional and non-functional properties of the systems, various hardware and software components, and their interaction, as well as the design and validation of diverse aspects of system behavior. iFM 2020 solicited high-quality papers reporting novel research results as well as tool papers and experience reports. The Program Committee (PC) received 63 submissions and selected 24 for publication, of which 2 were short papers. The conference was held online due to the COVID-19 pandemic. We received fantastic support from the general chair, Carlo Furia, and his team, allowing the virtual conference to proceed smoothly and efficiently. For this we are very thankful. Here is a collection of the extended versions of the best papers from the iFM 2020 conference that have been selected by the PC. The articles cover a broad spectrum of topics, describing formal verification of a file system for flash memory down to system-level code, error analysis of the arithmetic operations as a means of controlling error propagation, and loop synthesis from loop invariants via reductions to polynomial constraint problems. The three accepted articles are listed below:","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2022-03-31","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"48574476","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
When developing file systems, caching is a common technique to achieve a performant implementation. Integrating write-back caches is not primarily a problem for functional correctness, but is critical for proving crash safety. Since parts of written data are stored in volatile memory, special care has to be taken when integrating write-back caches to guarantee that a power cut during a running operation leads to a consistent state. This article shows how non-order-preserving caches can be added to a virtual file system switch (VFS) and gives a novel crash-safety criterion matching the characteristics of such caches. Broken down to individual files, a power cut can be explained by constructing an alternative run, where all writes since the last synchronization of that file have written a prefix. VFS caches have been integrated modularly into Flashix, a verified file system for flash memory, and both functional correctness and crash-safety of this extension have been verified with the interactive theorem prover KIV.
{"title":"Verification of Crashsafe Caching in a Virtual File System Switch","authors":"Stefan Bodenmüller, G. Schellhorn, W. Reif","doi":"10.1145/3523737","DOIUrl":"https://doi.org/10.1145/3523737","url":null,"abstract":"When developing file systems, caching is a common technique to achieve a performant implementation. Integrating write-back caches is not primarily a problem for functional correctness, but is critical for proving crash safety. Since parts of written data are stored in volatile memory, special care has to be taken when integrating write-back caches to guarantee that a power cut during a running operation leads to a consistent state. This article shows how non-order-preserving caches can be added to a virtual file system switch (VFS) and gives a novel crash-safety criterion matching the characteristics of such caches. Broken down to individual files, a power cut can be explained by constructing an alternative run, where all writes since the last synchronization of that file have written a prefix. VFS caches have been integrated modularly into Flashix, a verified file system for flash memory, and both functional correctness and crash-safety of this extension have been verified with the interactive theorem prover KIV.","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2022-03-26","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"47014395","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-12-01DOI: 10.1007/s00165-021-00563-2
Maxime Cordy, Sami Lazreg, Mike Papadakis, Axel Legay
{"title":"Statistical model checking for variability-intensive systems: applications to bug detection and minimization","authors":"Maxime Cordy, Sami Lazreg, Mike Papadakis, Axel Legay","doi":"10.1007/s00165-021-00563-2","DOIUrl":"https://doi.org/10.1007/s00165-021-00563-2","url":null,"abstract":"","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2021-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"46794170","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-12-01DOI: 10.1007/s00165-021-00569-w
Wolfgang Ahrendt, S. L. Tapia Tarifa, Heike Wehrheim
{"title":"Editorial","authors":"Wolfgang Ahrendt, S. L. Tapia Tarifa, Heike Wehrheim","doi":"10.1007/s00165-021-00569-w","DOIUrl":"https://doi.org/10.1007/s00165-021-00569-w","url":null,"abstract":"","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2021-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"49089444","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}
Pub Date : 2021-12-01DOI: 10.1007/s00165-021-00565-0
Jordi Cabot, Heike Wehrheim, E. Boiten
{"title":"Editorial","authors":"Jordi Cabot, Heike Wehrheim, E. Boiten","doi":"10.1007/s00165-021-00565-0","DOIUrl":"https://doi.org/10.1007/s00165-021-00565-0","url":null,"abstract":"","PeriodicalId":50432,"journal":{"name":"Formal Aspects of Computing","volume":null,"pages":null},"PeriodicalIF":1.0,"publicationDate":"2021-12-01","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":null,"resultStr":null,"platform":"Semanticscholar","paperid":"44033606","PeriodicalName":null,"FirstCategoryId":null,"ListUrlMain":null,"RegionNum":4,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":"","EPubDate":null,"PubModel":null,"JCR":null,"JCRName":null,"Score":null,"Total":0}