A Shape Graph Logic and A Shape System

Analysis and verification of pointer programs are still difficult problems so far. This paper uses a shape graph logic and a shape system to solve these problems in two stages. First, shape graphs at every program point are constructed using an analysis tool. Then, they are used to support the verification of other properties （e.g., orderedness）. Our prototype supports automatic verification of programs manipulating complex data structures such as splay trees, treaps, AVL trees and AA trees, etc. The proposed shape graph logic, as an extension to Hoare logic, uses shape graphs directly as assertions. It can be used in the analysis and verification of programs manipulating mutable data structures. The benefit using shape graphs as assertions is that it is convenient for acquiring the relations between pointers in the verification stage. The proposed shape system requires programmers to provide lightweight shape declarations in recursive structure type declarations. It can help rule out programs that construct shapes deviating from what programmers expect （reflected in shape declarations） in the analysis stage. As a benefit, programmers need not provide specifications （e.g., pre-/post-conditions, loop invariants） about pointers. Moreover, we present a method doing verification in the second stage using traditional Hoare logic rules directly by eliminating aliasing with the aid of shape graphs. Thus, verification conditions could be discharged by general theorem provers.     

Automatically refining partial specifications for heap-manipulating programs

Automatically verifying heap-manipulating programs is a challenging task, especially when dealing with complex data structures with strong invariants, such as sorted lists and AVL/red–black trees. The verification process can greatly benefit from human assistance through specification annotations, but this process requires intellectual effort from users and is error-prone. In this paper, we propose a new approach to program verification that allows users to provide only partial specification to methods. Our approach will then refine the given annotation into a more complete specification by discovering missing constraints. The discovered constraints may involve both numerical and multi-set properties that could be later confirmed or revised by users. We further augment our approach by requiring partial specification to be given only for primary methods. Specifications for loops and auxiliary methods can then be systematically discovered by our augmented mechanism, with the help of information propagated from the primary methods. Our work is aimed at verifying beyond shape properties, with the eventual goal of analysing full functional properties for pointer-based data structures. Initial experiments have confirmed that we can automatically refine partial specifications with non-trivial constraints, thus making it easier for users to handle specifications with richer properties.     

Procedure-Level Verification of Real-time Concurrent Systems

We want to develop verification techniques for real-time concurrent system specifications with high-level behavior structures. This work identifies two common engineering guidelines respected in the development of real-world software projects, structured programming and local autonomy in concurrent systems, and experiments with special verification algorithm based on those engineering wisdoms. The algorithm we have adopted respects the integrity of program structures, treats each procedure as an entity instead of as a group of statements, allows local state space search to exploit the local autonomy in concurrent systems without calculating the Cartesian products of local state spaces, and derives from each procedure declaration characteristic information which can be utilized in the verification process anywhere the procedure is invoked. We have endeavored to implement our idea, test it against an abstract extension of a real-world protocol in a mobile communication environment, and report the data.     

Computing with words in formal methods

Formal methods are used to improve the quality of complex computer software by means of documenting system specifications in a precise and structured manner, the most popular specification language for formal methods is Z. However, based on classical set theory and classical logic, this mathematical language can only deal effectively with well‐defined problems. This is a disadvantage that classical set operators and classical predicate logic can offer to formal methods. In this paper, the theory of fuzzy information granulation is discussed with an attempt to build toward flexible formal software specifications in which many aspects of human reasoning and natural language can be effectively addressed in mathematical terms. In other words, the tolerance of imprecision necessarily required in many real‐life software systems can be represented in the clear and structured mathematics of the fuzzy information granulation theory within the extended framework of formal methods. © 2000 John Wiley & Sons, Inc.     

A requirements modeling language and its logic

This paper describes some aspects of a Requirements Modeling Language (RML) which can be used in the initial phases of software development. RML is based on the idea that a requirements specification should embody a conceptual world model and that the language for expressing it should provide facilities for organizing and abstracting details, yet at the same time have qualities such as precision, consistency and clarity.RML has a number of novel features including assertion classes, the treatment of time and various abbreviation techniques, all integrated into one uniform object-oriented framework. The precise semantics of these and other features are provided in this paper by relating RML to a logic involving time. This demonstrates that a language can offer highly structured and convenient mechanisms for requirements specifications while having solid mathematical underpinnings.     

Neural fuzzy logic programming

A foundational development of propositional fuzzy logic programs is presented. Fuzzy logic programs are structured knowledge bases including uncertainties in rules and facts. The precise specifications of uncertainties have a great influence on the performance of the knowledge base. It is shown how fuzzy logic programs can be transformed to neural networks, where adaptations of uncertainties in the knowledge base increase the reliability of the program and are carried out automatically.     

The Control Layer in Open Mechanized Reasoning Systems: Annotations and Tactics

We are interested in developing a methodology for integrating mechanized reasoning systems such as Theorem Provers, Computer Algebra Systems, and Model Checkers. Our approach is to provide a framework for specifying mechanized reasoning systems and to use specifications as a starting point for integration. We build on the work presented by Giunchigliaet al. (1994) which introduces the notion of Open Mechanized Reasoning Systems (OMRS) as a specification framework for integrating reasoning systems. An OMRS specification consists of three components: the logic component, the control component, and the interaction component. In this paper we focus on the control level. We propose to specify the control component by first adding control knowledge to the data structures representing the logic by means of annotations and then by specifying proof strategies via tactics. To show the adequacy of the approach we present and discuss a structured specification of constraint contextual rewriting as a set of cooperating specialized reasoning modules.     

Overview of ERATO Minato Project: The Art of Discrete Structure Manipulation between Science and Engineering

Discrete structure manipulation is a fundamental technique for solving many kinds of problems. Recently, BDD (Binary Decision Diagram) and ZDD (Zero-suppressed BDD) attract a great deal of attention, because they efficiently represent and manipulate large-scale combinational logic data, which are the basic discrete structures in various fields of applications, including system verification/optimization, knowledge discovery, statistical analysis, etc. Last year, the author proposed a new research project to focus on BDDs/ZDDs. In this proposal, as a new viewpoint of BDD/ZDD-based techniques, we intended to organize an integrated method of algebraic operations for manipulating various types of discrete structures, and to construct standard techniques for efficiently solving large-scale and practical problems. Fortunately, the proposal was accepted by JST (Japan Science and Technology Agency) as an ERATO (Exploratory Research for Advanced Technology) project, one of the prestigious projects in Japan. In this article, we present an overview of our research project. Our project aims to develop “The Art” of discrete structure manipulation between Science and Engineering.     

CLPS–B – A constraint solver to animate a B specification

This paper proposes an approach to evaluating B formal specifications using constraint logic programming with sets (CLPS). This approach is used to animate and generate test sequences from B formal specifications. The solver, called CLPS–B, is described in terms of constraint domains, consistency verification, and constraint propagation. It is more powerful than most constraint systems because it allows the domain of variable to contain other variables, which increases the level of abstraction. The constrained state propagates the nondeterminism of the B specifications and reduces the number of states in a reachability graph. We illustrate this approach by comparing the constrained state graph exploration with the concrete one in a simple example – process scheduler. We also describe the automated test generation method that uses the CLPS–B solver to better control combinational explosion.     

On construction of a library of formally verified low-level arithmetic functions

Arithmetic functions are used in many important computer programs such as computer algebra systems and cryptographic software. The latter are critical applications whose correct implementation deserves to be formally guaranteed. They are also computation-intensive applications, so that programmers often resort to low-level assembly code to implement arithmetic functions. We propose an approach for the construction of a library of formally verified low-level arithmetic functions. To build our library, we first introduce a formalization of data structures for signed multi-precision arithmetic in low-level programs. We use this formalization to verify the implementation of several primitive arithmetic functions using Separation logic, an extension of Hoare logic to deal with pointers. Since this direct style of formal verification leads to technically involved specifications, we also propose for larger functions to show a formal simulation relation between pseudo-code and assembly. This style of verification is illustrated with a concrete implementation of the binary extended gcd algorithm.     

A Case Study on Applying a Tool for Automated System Analysis Based on Modular Specifications Written in TRIO

An effective means for analyzing and reasoning on software systems is to use formal specifications to simulate their execution. The simulation traces can be used for specification testing and reused for functional testing of the system later in the development process. It is widely acknowledged that, to deal with the complexity of industrial-size systems, specifications must be structured into modules providing abstraction mechanisms and clear interfaces. In our past work, we defined and implemented a method for simulating specifications written in the TRIO temporal logic language, and applied it to functional testing of time-critical industrial systems. In the present paper, we report on a case study with a tool that analyzes TRIO specifications by taking advantage of their modular structure, so as to overcome the well-known state-explosion problem and make the proposed method really scalable. We discuss the fundamental operations and the algorithms on which the tool is based. Then, we illustrate its use in a realistic case study, inspired from an industrial application. Finally, we comment on the overall results in terms of usability of the tool and effectiveness of the approach, and we outline future improvements.     

Automated verification of the FreeRTOS scheduler in Hip/Sleek

Automated verification of operating system kernels is a challenging problem, partly due to the use of shared mutable data structures. In this paper, we show how we can automatically verify memory safety and functional correctness properties of the task scheduler component of the FreeRTOS kernel using the verification system Hip/Sleek. We show how some of Hip/Sleek features such as user-defined predicates and lemmas make the specifications highly expressive and the verification process viable. To the best of our knowledge, this is the first code-level verification of memory safety and functional correctness properties of the FreeRTOS scheduler. The outcome of our experiment confirms that Hip/Sleek can indeed be used to verify code that is used in production. Moreover, since the properties that we verify are quite general, we envisage that the same approach can be adopted to verify components of other operating systems.     

Efficient monitoring of parametric context-free patterns

Recent developments in runtime verification and monitoring show that parametric regular and temporal logic specifications can be efficiently monitored against large programs. However, these logics reduce to ordinary finite automata, limiting their expressivity. For example, neither can specify structured properties that refer to the call stack of the program. While context-free grammars (CFGs) are expressive and well-understood, existing techniques for monitoring CFGs generate large runtime overhead in real-life applications. This paper demonstrates that monitoring parametric CFGs is practical (with overhead on the order of 12% or lower in most cases). We present a monitor synthesis algorithm for CFGs based on an LR(1) parsing algorithm, modified to account for good prefix matching. In addition, a logic-independent mechanism is introduced to support matching against the suffixes of execution traces.     

Probabilistic guarantees for high-level robot behavior in the presence of sensor error

This paper presents an approach for reasoning about the effects of sensor error on high-level robot behavior. We consider robot controllers that are synthesized from high-level, temporal logic task specifications, such that the resulting robot behavior is guaranteed to satisfy these specifications when assuming perfect sensors and actuators. We relax the assumption of perfect sensing, and calculate the probability with which the controller satisfies a set of temporal logic specifications. We consider parametric representations, where the satisfaction probability is found as a function of the model parameters, and numerical representations, allowing for the analysis of large examples. We also consider models in which some parts of the environment and sensor have unknown transition probabilities, in which case we can determine upper and lower bounds for the probability. We illustrate our approach with two examples that provide insight into unintuitive effects of sensor error that can inform the specification design process.     

Quantitative Analysis With the Probabilistic Model Checker PRISM

Probabilistic model checking is a formal verification technique for establishing the correctness, performance and reliability of systems which exhibit stochastic behaviour. As in conventional verification, a precise mathematical model of a real-life system is constructed first, and, given formal specifications of one or more properties of this system, an analysis of these properties is performed. The exploration of the system model is exhaustive and involves a combination of graph-theoretic algorithms and numerical methods. In this paper, we give a brief overview of the probabilistic model checker PRISM (www.cs.bham.ac.uk/~dxp/prism) implemented at the University of Birmingham. PRISM supports a range of probabilistic models and specification languages based on temporal logic, and has been recently extended with costs and rewards. We describe our experience with using PRISM to analyse a number of case studies from a wide range of application domains. We demonstrate the usefulness of probabilistic model checking techniques in detecting flaws and unusual trends, focusing mainly on the quantitative analysis of a range of best, worst and average-case system characteristics.     

Verifying data refinements using a model checker

In this paper, we consider how refinements between state-based specifications (e.g., written in Z) can be checked by use of a model checker. Specifically, we are interested in the verification of downward and upward simulations which are the standard approach to verifying refinements in state-based notations. We show how downward and upward simulations can be checked using existing temporal logic model checkers.In particular, we show how the branching time temporal logic CTL can be used to encode the standard simulation conditions. We do this for both a blocking, or guarded, interpretation of operations (often used when specifying reactive systems) as well as the more common non-blocking interpretation of operations used in many state-based specification languages (for modelling sequential systems). The approach is general enough to use with any state-based specification language, and we illustrate how refinements between Z specifications can be checked using the SAL CTL model checker using a small example.     

Constructor-based observational logic

This paper focuses on the integration of reachability and observability concepts within an algebraic, institution-based framework. In the first part of this work, we develop the essential ingredients that are needed to define the constructor-based observational logic institution, called COL, which takes into account both the generation- and observation-oriented aspects of software systems. The underlying paradigm of our approach is that the semantics of a specification should be as loose as possible to capture all its correct realizations. We also consider the “black box” semantics of a specification which is useful to study the behavioral properties a user can observe when he/she is experimenting with the system.In the second part of this work, we develop proof techniques for structured COL-specifications. For this purpose we introduce an institution encoding from the COL institution to the institution of many-sorted first-order logic with equality and sort-generation constraints. Using this institution encoding, we can then reduce proofs of consequences of structured specifications built over COL to proofs of consequences of structured specifications written in a simple subset of the algebraic specification language Casl. This means, in particular, that any inductive theorem prover, such as e.g. the Larch Prover or PVS, can be used to prove theorems over structured COL-specifications.