contents · contents davide ancona an algebraic approach to mixins and modularity .....2 david...
TRANSCRIPT
Contents
Davide AnconaAn Algebraic Approach to Mixins and Modularity . . . . . . . . . . . . . . . . . . . . . . . . 2
David BasinVerification Based on Monadic Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Don BatoryThe Jakarta Project . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3
Michel BidoitIf Refinement is The Key, Where is The Key to Refinement? . . . . . . . . . . . . 4
Egon BorgerIndustrial Use of ASMs for System DocumentationA Case Study: The Production Cell Control Program . . . . . . . . . . . . . . . . . . . . 5
Ruth BreuA Loose Approach to OOA Techniques . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Bettina ButhCombining Tools for the Verfication of a Fault-Tolerant System . . . . . . . . . . 8
Christine ChoppyReverse Engineering for Fortran Code Using Algebraic Specifications . . . . . 9
Felix CorneliusClassification and Integration of Formal Specifications forDistributed Systems . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Jorge R. CuellarCombining FOL and ω–Automata Methods —A Large Industrial Application . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11
Grit DenkerCommunication of Distributed Objects: A Temporal Logic Approach . . . . .12
Arie van DeursenOrigin Tracking and Software Renovation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .12
i
Theodosis DimitrakosModularisation, Craig-Robinson-Interpolation, andthe Validation and Construction of Refinements . . . . . . . . . . . . . . . . . . . . . . . . 13
Radu GrosuReconciling Real-Time with Asynchronous Message Passing . . . . . . . . . . . . . 15
Maritta HeiselMaking Formal Techniques Applicable for Non-Experts:Agendas and Strategies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 15
James HookDomain Specific Specification Languages or:Captain Hook Visits the Telephone Company . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Richard JulligSpecware: Support for Formal System Development . . . . . . . . . . . . . . . . . . . . . 17
Alexander KnappA Formal Approach to Object-Oriented Software Engineering . . . . . . . . . . . 18
Ulrike LechnerObject-Oriented Specification of Distributed Systems —Specification Style and Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Michel Lemoine(Semi-)Automatic Test Generation from Rigorous Specifications . . . . . . . . 19
Christian LengauerRegularity =⇒ Parallelism . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .20
Jacques LoeckxHierarchical Constructive Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
Antonia Lopesk2 (Refinement morphism = Component morphism) . . . . . . . . . . . . . . . . . . . 22
Tom MaibaumBoiled and Steamed Colimits
Alfio MartiniShedding New Light in the World of Logical Systems . . . . . . . . . . . . . . . . . . . . 23
ii
Annabelle McIverProbabilistic Temporal Logic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Peter OlveczkySpecifying the Boiler in Timed Rewriting Logic . . . . . . . . . . . . . . . . . . . . . . . . . 25
Peter PappinghausIndustrial Use of ASMs for System Documentation . . . . . . . . . . . . . . . . . . . . . 26
Gianna ReggioA Graphic Notation for Formal Specification of Dynamic Systems . . . . . . .26
Peter Y. A. RyanApplying Formal Methods to Security Protocols . . . . . . . . . . . . . . . . . . . . . . . . . 27
Wolfram SchulteA Formal Object-Oriented Method Inspired by Fusion and Object–Z . . . . . 29
Graeme SmithIntegrating Object–Z and CSP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Karl StroetmannUsing Formal Methods for the Validation of Prolog Programs . . . . . . . . . . . 30
Markus WolfAnother Look at Localities and Failures in the π–Calculus, or:Everything May Fail . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .31
iii
Preface
The Seminar “Logic for Systems Engineering”, held at Schloß Dagstuhl dur-ing March 3–7, 1997, was a successor of the Dagstuhl Seminars “LogicalTheory for Program Construction” in 1991 and 19941 The slightly modifiedtitle is intended to stress that program development methods must be inte-grated in a general software development method, if they are to be applicablein practice.
The importance of formal methods for the development of correct softwareis now generally recognized. A few “realistic” case studies have meanwhilebeen carried out. Moreover, the software industry is increasingly interestedin these methodologies.
Main subjects treated during the Seminar were:
• formal specification methods
• formal object-oriented specification techniques
• integration of formal and “pragmatic” software development techniques
• practical applications of formal specification methods
• reuseability
The Seminar focussed on problems, the solution on which is a prerequisitefor industrial applications.
On behalf of all participants the organizers would like to thank the staff ofSchloß Dagstuhl for providing an excellent environment to the conference.
The Organizers
Stefan Jahnichen Jacques Loeckx Martin Wirsing
Seminar-Reports Nr. 7 and 84 are still available at Dagstuhl office.
1
An Algebraic Approach toMixins and Modularity
Davide Ancona
Universita di Genova
I will present a kernel modular language, called MIX(FL), supporting thenotion of mixin module. A mixin is a module which contains deferred com-ponents, i.e. components to be imported from another module; a binary andcommutative operator of merge allows to associate deferred components ofone mixin with the corresponding definitions (if any) of the other. In thisway, mixins allow recursive definitions to span module boundaries. MIX(FL)is a very simple typed module language, supporting separate compilation andproviding a set of constants which are mixin definitions (collections of typeand function declarations and definitions) and five operators for mixins ma-nipulation (merge, freeze, restrict, hide and rename). Hide and rename arestandard operators, whereas freeze and restrict allow to deal with virtualcomponents and redefinition of them by means of overriding. These fiveoperators can be expressed by the combination of three primitive and pow-erful operations (primitive merge, reduct and primitive freeze). The denota-tional semantics of the module language is based on an algebraic approach(i.e. module = algebra, interface = algebraic signature). What is more,the semantics is parametric in (the semantics of) the core language; thisis suggested by the notation MIX(FL), where FL can be replaced by otherlanguages.
2
Verification Based onMonadic Second-Order Logic
David Basin
Universitat Freiburg(Joint work with Nils Klarlund, AT&T Bell Labs)
We present show how WS2S (the weak monadic theory of two successors)provides a language for specifying many kinds of problems in hardware anddistributed computing. We report on experience with a verification toolbased on WS2S, which implements validity checking/counter-model genera-tion based on a reduction of formulas to canonical automata.
The decision problem for WS2S is non-elementary decidable and thus un-likely to be usable in practice. However, we have used our implementation toautomatically verify, or find errors in, a number of circuits studied in the lit-erature. Previously published machine proofs of the same circuits are basedon deduction and may involve substantial interaction with the user. More-over, our approach is orders of magnitude faster for the examples considered.We show why the underlying computations are feasible and how the tool weuse generalizes standard BDD-based hardware reasoning.
The Jakarta Project
Don Batory
University of Texas, Austin
Jakarta is a tool suite for building GenVoca generators — software generatorsthat synthesize applications through component composition. Jakarta pro-vides an extensible version of Java, which supports metaprogramming, i.e.,constructs to create, parameterize, instantiate, and manipulate programs asabstract syntax trees. The core of the suite is Bali, a GenVoca generatorof compilers: customized versions of the Java language and its compiler are
3
synthesized through component composition. Each Bali component encap-sulates a primitive extension to Java, which might be a new programmingconstruct (e.g., templates) or a sophisticated domain-specific GenVoca gen-erator.
If Refinement is The Key,Where is The Key to Refinement?
Michel Bidoit
LSV, CNRS & ENS de Cachan(Joint work with Rolf Hennicker, Ludwig–Maximilians–Universitat
Munchen)
We introduce a concept of behavioural implementation for algebraic specifi-cations which is based on an indistinguishability relation (called behaviouralequality). The central objective of this work is the investigation of proof rulesthat first allow us to establish the correctness of behavioural implementationsin a modular (and stepwise) way and, moreover, are practicable enough to in-duce proof obligations that can be discharged with existing theorem provers.Under certain conditions our proof technique can also be applied for prov-ing the correctness of implementations based on an abstraction equivalencebetween algebras in the sense of Sannella and Tarlecki. The whole approachis presented in the framework of total algebras and of first-order logic withequality.
4
Industrial Use of ASMs for
System Documentation
A Case Study:The Production Cell Control Program
Egon Borger
Universita di Pisa
Abstract State Machines (alias evolving algebras as defined by Y. Gurevich)have been used to specify languages (e.g. Prolog, C++, VHDL) and architec-tures (e.g. PVM, APE100, Transputer, DLX), to validate standard languageimplementations (e.g. of Prolog, Occam), to verify numerous distributed andreal-time protocols, etc.. See [2] for a recent survey and general discussionof the approach.
In this talk, we explain the use the software designer can make of ASMsfor a systematic modular development of well documented programs. Weexemplify the method by an ASM solution of the production cell controlproblem (posed in the case study book Formal Development of Reactive Sys-tems edited by C. Lewerentz and T. Lindner, Springer LNCS 891, 1995).
As starting point we present the ground model which faithfully reflects theproduction cell as informally specified by C. Lewerentz and T. Lindner op. cit.We explain how the information hiding and abstraction mechanisms of ASMsallow the designer to formulate the ground model as an appropriate interfaceto the customer; this provides a possibility to discuss and negotiate with thecustomer, in rigorous yet simple terms of traditional mathematical language,so that one can come to a common understanding of the contract (i.e. of whatthe informal description really means) and of the conditions on its being meteventually by the algorithmic design. The modularity capabilities of ASMsare used to reflect in a direct way the distributed nature of the productioncell.
Starting from this abstract model of the system we define a series of refinedmodels all the way to executable C++ code (which controls successfully theproduction cell simulation environment, running at FZI Karlsruhe). Theability of ASMs to reflect arbitrary abstraction levels facilitates the modular
5
development of different components and a transparent definition of preciseinterfaces through which these components are put together in a distributedenvironment. The mathematical relations between the various models allowus to prove the required properties of the system (safety, liveness etc.) atappropriate abstraction levels. These proofs are given in ordinary mathemat-ical terms, as used by engineers; they are nevertheless amenable, where thisis considered to be necessary for safety-critical reasons, to mechanization inmachine based proof environments like PVS. K. Winter from GMD Berlin isworking on a model checking verification of our proofs.
The hierarchy of refined models, together with the proofs relating the dif-ferent levels, constitute a full documentation of the whole design and makethe executable code amenable to rigorous inspection. This approach, whichcombines modular development with controlled stepwise refinement includ-ing optimizations, provides also an economical way to achieve extendabilityand modifiability for the design of complex systems in a context where costeffective maintenance of the final product is a crucial issue.
The work on the production cell is joint work with my student Luca Mearelli;for a draft version see [3], a revised version which contains also the modelchecking work on our specification done by K. Winter is in preparation. Foranother case study which exemplifies this approach to the design of welldocumented and formally inspectable code see [1].
References
[1] Christoph Beierle, Egon Borger, Igor D- urd-anovic, Uwe Glasser, andElvinia Riccobene, An Evolving Algebra Solution to the Steam-BoilerControl Specification Problem. In: Jean Raymond Abrial, Egon Borger,and Hans Langmaack (Eds.), The Steam-Boiler Case Study Book,Springer LNCS 1996 (to appear)
[2] E. Borger, Why use of evolving algebras for hardware and software engi-neering. In: M. Bartosek, J. Staudek, J. Wiedermann (Eds), SOFSEM’9522nd Seminar on Current Trends in Theory and Practice of Informatics,Springer Lecture Notes In Computer Science, vol. 1012, 1995, pp. 236–271.
6
[3] Luca Mearelli, An evolving algebra model of the production cell. Tesi dilaurea, Dipartimento di Informatica, Universita di Pisa, February 1996.
A Loose Approach to OOA Techniques
Ruth Breu
Technische Universitat Munchen
Object oriented analysis techniques like UML, OMT or OOSE integrate de-scription techniques of various application domains that have been success-fully applied for years in practice like Entity/Relationship diagrams and statetransition diagrams. However, the integration in the context of objects is onlyad-hoc. Many concepts lack of an exact interpretation and the interrelationsbetween the different description techniques remain unclear.
The presented formal foundation aims to overcome these deficiencies by pro-viding an integrated system view. The system to be developed is modelledabstractly by a notion of system models describing the static and dynamicproperties of objects. In particular, the dynamic evolution of a system ofobjects is described by the concept of life cycles. The approach is based onthe ideas of loose modeling. This means that the abstract view of a systemis open for later extensions and modifications and thus is able to cope withincompleteness issues.
In a second step, the different description techniques are mapped onto thissemantic domain. The overall system view obtained is the basis for studyinginterrelations between different description techniques and refinement con-cepts. The description techniques considered are class diagrams for modelingthe static structure of a system, sequence diagrams for modeling exemplaryobject behaviour and state transition diagrams for modeling complete objectbehaviour.
7
Combining Tools for the Verification of aFault-Tolerant System
Bettina Buth, Rachel Cardell-Oliver, Jan Peleska
Universitat Bremen
The formal methods developed over the last decades have been advertisedas a means for improving software quality in general and for increasing con-fidence in safety critical software in particular. Nevertheless, the impact offormal methods on industrial software development is minimal. Many rea-sons are given for this, including their unsuitability for the development oflarge systems (scalability), the dependence on trained staff to apply formalmethods, and the lack of tool support for their application.
In order to complement these efforts it is necessary to gain experience withthe methods by applying them to exemplary but realistic applications inindustrial projects. The aim here is not to support the overall development,but rather to identify crucial components and phases where the effort isjustifiable.
One of our interest here is the investigation of software development ap-proaches with respect to verification support. The starting point for thisresearch is a case study on the design of a fault-tolerant computer systempresented by Peleska. The development in this example is based on an invent-and-verify paradigm, where the design steps are refinements of CSP specifi-cations and processes. Peleska has presented a formal theory to justify thelinks between the different phases of the development method and providedsketches for the proofs involved. In order to provide verification support forthe proof obligations arising we employ a combination of tools:
• HOL for the verification of generic theories, which are used for therefinement of sat-relations,
• PAMELA+PVS for the verification of invariant properties arising forthe proofs that concrete processes satisfy given specification,
• FDR for checking the refinement of processes.
8
Each of the tools is used in a specific phase of the development, but thereis no direct interaction between the tools. This allows to choose freely fromthe tools available.
Reverse Engineering of Fortran CodeUsing Algebraic Specifications
Sophie Cherki], Christine Choppy]]
]Universite Paris-Sud, ]]Universite Nantes
This talk describes an experience in trying to help maintaining existing For-tran 77 code of a large industrial application. Our approach is to start withreverse engineering this code using algebraic specifications to provide an ab-stract description of its functionalities. This implies an active reading of thecode (together with the comments in the code) which lead us to find outinteresting bugs and anomalies.
The resulting algebraic specification consists in a graph of specification mod-ules; the axioms may be first order formulae, but we mainly used conditionalequations. The code of this application is structured in such a way that,most of the time, a module implements a few functionalities. The structureof the algebraic specification reflects this code structure.
The key issues are to find out the signatures and the axioms for the speci-fication modules. Fortran 77 exhibits only predefined types and anonymousarray types. As a consequence, extracting the signature of a specificationassociated to a Fortran module raises various difficulties and we present howto overcome them. Extracting the specification axioms is achieved by meansof identifying unit actions within the code, composing their associated equa-tions, and simplifying the - rather unreadable - resulting expression in orderto obtain axioms that are easier to read (this last step requires the use oftheorem proving).
The resulting specification may serve both as a precise documentation, andas a basis for the development of the new version of the code, where bothuseless code, anomalies and bugs are removed.
9
Classification and Integration of
Formal Specifications forDistributed Systems
Felix Cornelius
Technische Universitat Berlin
A semantic unifying framework is presented aiming at providing a targetfor the main aspects covered by existing formal specification languages for‘dynamic’ systems. It consists of five levels:
DATAS I Languages AlgebrasRELS II Data States RelationsTRANS III D.S. Transformations Relations/FunctionsPROC IV Processes Interface Sets/LTS’sARCH V Architectures Hyper-graphs
Each level is given by a set, inter-relations are expressed by appropriatemappings. The three most important mappings are:
1. Datas : Rs(P ) → P(R(P ))
For each reactive state rs ∈ Rs(P ) (the set of states in the labeledtransition system describing P ) there is a set Datas(rs) of data statesin level II.
2. transform : (→≖) → TRANS
For each transition t in the Labeled Transition System of a processthere is a corresponding transformation on the underlying data state.
3. zoom-in : Nd(N) → (ARCH ∪ PROC)
Each node in the hyper-graph of a distributed process in ARCH cor-responds to a “lower level” process, be it an atomic process in PROC,be it another distributed process in ARCH.
This five level semantic framework is intended to provide a pool, an additionalrole-oriented semantics for arbitrary specification documents. Hence, it is astructured integration platform for partial specifications.
10
Combining FOL and ω-Automata Methods —A Large Industrial Application
Jorge R Cuellar
Siemens AG, Munchen
If you were an civil engineer, trying to apply mathematical methods (generalmath. methods, control theory, integral operators, PDE’s, linear algebra) tosolve a real life problem, perhaps you will start at a high abstraction leveland go down the ladder to a very concrete setting where you are left withsolving eigenvalue problems for matrices or with other forms of calculations.
On the example of a large industrial example, the author suggests that thisis also possible in the world of Formal Methods. You may safely combine themethods of Gurevich, Lamport, Pnueli, Cousot-Cousot, Wonham, and manyothers.
For many reasons (synthesis, controllability, I/O, etc.) it is not too reason-able to restrict yourself to only one method. You may start with EvolvingAlgebras (ASM’s), but at a certain point it is reasonable to restrict yourselfto, say, TLA or LTL and then further to FOL and later to an intuitionisticsetting or to S1S to compile your implementation.
In our example the idea is first to represent the system as restrictions on thesequences of events (typically as automata) and events as transition relationson (auxiliary) variables. These relations are given as the conjunction of a setof FOL-constraints. Later, ideas of abstract interpretation are used for thepurpose of compilation.
11
Communication of Distributed Objects:A Temporal Logic Approach
Grit Denker
Technische Universitat Braunschweig(Joint work with Hans-Dieter Ehrich)
We present fundamentals of an approach to object oriented specification ofdistributed systems. In contrast to most of the work existing in this fieldabout network of processors, hardware, etc., our concern is the high-levelspecification of distributed systems. We do not assume global time for con-current object systems. For specifying such systems we propose DTL, adistributed temporal logic. The main contribution is that DTL is capableof specifying complex constraints about the behavior of concurrent systemswithout explicitely talking about concurrency. In particular, we introducedifferent kinds of synchronous communication in distributed systems such asdeferred and immediate call, and deferred and immediate execution. Theideas are illustrated by examples given in TROLL, a formal object orientedspecification language.
Origin Tracking and Software Renovation
Arie van Deursen
CWI Amsterdam
Legacy systems are software systems that resist change. Software renova-tion is an activity aiming at improving legacy systems such that becomemore adaptable, or at actually carrying out required mass modifications. Atypical renovation is the year-2000 problem. Tools for carrying out year-2000 conversions look for initial date infections (seeds, such as suspiciouskeywords), propagate these through MOVEs and CALLs, try to reduce thenumber of infections found, and then (semi)-automatically modify the codeusing a widening or windowing approach.
12
Of great importance for year-2000 conversions and software renovation is anaccurate data flow analysis tool that can be easily connected to all source lan-guages used in the system to be renovated. In the context of the ASF+SDFformalism, the DHAL Data Flow High Abstraction Language has been pro-posed. Languages are easily mapped to DHAL and on top of DHAL severalelementary data flow operations such as goto elimination and alias propaga-tion have been defined.
Origin tracking is a general technique concerned with linking back analysisresults, obtained for example from DHAL operations to the original sourcecode. For transformations expressed in a functional style (using, e.g., termrewriting), origin information can be maintained automatically. For eachreduction, origin annotations in the reduct are constructed in a way thatdepends on the form of the rewrite rule applied. We discuss several ap-proaches (syntax-directed, common subterms, collapse-variables, any-to-top,non-linear rules), as well as their use in typical specifications occurring in arenovation setting.
Modularisation,
Craig-Robinson Interpolation and
the Validation and Construction ofRefinements
Theodosis Dimitrakos
Imperial College, London
The encapsulation of specification refinement in terms of implementationsteps (‘canonic-steps’) has been matured, within the last 15 years, as a‘logical/proof-theoretic’ counterpart of the ‘algebraic/semantical’ approachto (formal) specification refinement. One contribution of this approach torefinement is establishment of a close relation between the compossibility ofrefinements (modularisation) and some interpolation properties of the under-lying formalism.
13
In this talk I present a straightforward generalisation of th an implemen-tation step to an arbitrary Entailment System (alias: π-Institution) whichis then followed by analogous generalisation of the Craig-Robinson Interpo-lation (CRI) property. CRI can be viewed as a combination of Robinson’sConsistency Theorem with Craig Interpolation Lemma and turns out to besimilar to what is sometimes called ‘Splitting Interpolation’. Modularisation,in this framework, is shown to coincide with the preservation under pushoutsof a (closed under composition) class of faithful theory interpretations. Theexistence of Craig-Robinson Interpolants consequently shown to be a neces-sary and sufficient condition for the preservation of faithful (conservative)theory morphisms under pushouts and, therefore, a necessary and sufficientcondition for the general case of Modularisation.
The Uniform version of Craig-Robinson Interpolation (UCRI) is also shownto facilitate the computation and mechanical validation of data refinements.Unfortunately, this particular UCRI is absent from most ‘expressive’ logicsthat are currently used. (Classical Propositional & Heyting’s IntuitionisticLogic have UCRI, but Equational, First Order Classical/Intuitionistic do nothave UCRI).
To compensate for this inadequacy, I present a generic method to extendconservatively a large class of Entailment Systems with which have someversion of CRI to corresponding Entailment Systems which have a UCRI.This extension is accompanied by a (mechanisable) method to , validateand, in some cases, to construct correct refinements.
Refinement on the Entailment System of Classical First Order logic is pre-sented as a case study. Classical first order logic, has CRI but lacks UCRI.The extension method results to a weak Second Order entailment which isconservative over the first order origin and has a adequately strong version ofUCRI. The validation and construction of refinements are, then performedon the weak Second Order Entailment System (‘development logic’) whereasthe specification takes place in the First Order subentailment (‘specificationlogic’).
14
Reconciling Real-Time withAsynchronous Message Passing
Radu Grosu
Technische Universitat Munchen(Joint work with Manfred Broy, Cornel Klein)
At first sight, real-time and asynchronous message passing like in SDL andROOM seem to be incompatible. Indeed these languages fail to model real-time constraints accurately. In this talk, we show how to reconcile real-timewith asynchronous message passing, by using an assumption which is sup-ported by every mailing system throughout the world, namely that messagesare time-stamped with their sending and arrival time. This assumption al-lows us to develop a formalism which is adequate to model and to specifyreal-time constraints. The proposed formalism is shown at work on a smallreal-time example.
Making Formal Techniques Applicablefor Non-Experts: Agendas and Strategies
Maritta Heisel
Technische Universitat Berlin
Using formal techniques in software development may lead to a considerablegain in product quality because formal techniques make it possible to expressand eventually prove semantic properties of the developed products (e.g.,specifications, designs, programs, or test cases). A formal method should notonly consist of a formal language with a rigorously defined semantics, butalso include methodological support for its application.
I present two concepts designed to support non-experts in using formal tech-niques. The first concept of an agenda provides guidance for the applicationof formal techniques without the need for machine support. An agenda is a
15
list of activities to be performed when carrying out some task in the context ofsoftware engineering. Each step of an agenda is associated with an expressionof the formalism to be used. Steps may also have associated validation condi-tions that provide application independent checks of the developed product.If the context in which a formal technique is to be applied is made sufficientlyprecise, agendas can be quite detailed. This is demonstrated by an agendafor specifying safety-critical software.
The second concept of a strategy aims at a machine supported applicationof formal techniques and a partial automation of software development ac-tivities. Strategies are a generic knowledge representation mechanism forformally representing knowledge about software development activities (thatmay be informally expressed using agendas). Simpler strategies can be com-bined to more powerful ones with strategicals. Strategies can be representedin a modular way, which makes them implementable in conventional pro-gramming languages. An abstract problem solving algorithm and a genericsystem architecture provide uniform implementation concepts for systemssupporting strategy-based software development activities. All in all, strate-gies provide a comprehensive, formalism-independent and flexible frameworkfor supporting the application of formal techniques by machine.
Agendas and strategies can be used to support various development tasks andformalisms. Examples are the specification acquisition, design of softwaresystems using architectural styles, and program synthesis.
Domain Specific Specification Languages or:Captain Hook Visits the Telephone Company
James Hook
Pacific Software Research CenterOregon Graduate Institute of Science and Technology
The talk presents a technique for the definition of domain specific languagesin the context of a domain engineering process being applied at Lucent Tech-nologies/Bell Labs. The talk is in four parts. Chapter 1, in which Captain
16
Hook prepares to hunt the illusive domain-specific language, outlines Soft-ware Design Automation (SDA), a collection of the techniques for findingpotential specification languages in the workplace and capturing them withformal definitions. Chapter 2, in which Captain Hook visits the TelephoneCompany, outlines Weiss’ domain engineering process, Family Abstraction,Specification and Translation (FAST), being applied jointly by researchersand developers at Lucent and discusses experiences to date with the integra-tion of FAST and SDA. Chapter 3, in which Captain Hook shows his creationto Gyro Gearloose, presents technical details of the application of monads inthe structure of a software component generator based on a domain specificlanguage developed using the SDA process. The Talk concludes with Chapter4, in which Captain Hook dreams of his future visit to the telephone company.This chapter discusses general and specific opportunities and challenges forthe effective integration of formal methods and engineering practice.
Specware:Support for Formal System Development
Richard Jullig
Kestrel Institute, Palo Alto
Specware is an attempt to realize the best of formal methods research ina software development environment. It represents a synergy of decades ofresearch in formal specifications—algebraic specification and general logics—and abstract mathematical theories originally invented for dealing with com-plex structures—category theory and sheaf theory.
Specware is a tool that supports the modular construction of formal specifi-cations and the stepwise and componentwise refinement of such specificationsinto executable code. Specware may be viewed as a visual interface to anabstract data type providing a suite of composition and transformation op-erators for building specifications, refinements, code modules, etc. This viewhas been realized in the system by directly implementing the formal founda-tions of Specware: category theory, sheaf theory, algebraic specification and
17
general logics. The language of category theory results in a highly param-eterized, robust, and extensible architecture that can scale to system-levelsoftware construction.
Software development in Specware is characterized by two tenets: descriptionand composition. In Specware, we always deal with descriptions, i.e., a col-lection of properties, of the artifact that we ultimately wish to build. Thesedescriptions are progressively refined by adding more properties, until we canexhibit a model or witness (usually a program) which satisfies these proper-ties. Descriptions in Specware are written in one of several logics. Specwarehandles complexity and scale by providing composition operators which allowbigger descriptions to be put together from smaller ones. The colimit oper-ation from category theory is pervasively used for composing structures ofvarious kinds in Specware. Besides composition operators, one needs book-keeping facilities and information presentation at various abstraction levels.Specware uses category theory for bookkeeping and abstraction.
A Formal Approach toObject-Oriented Software Engineering
Alexander Knapp, Martin Wirsing
Ludwig–Maximilians–Universitat Munchen
The goal of this talk is to show how formal specifications can be integratedinto one of the current pragmatic object-oriented software development meth-ods. Jacobson’s method OOSE (“Object-Oriented Software-Engineering”) iscombined with object-oriented algebraic specifications by extending objectand interaction diagrams with formal annotations. The specifications arebased on Meseguer’s Rewriting Logic and are written in an extension of thelanguage Maude by process expressions. As a result any such diagram canbe associated with a formal specification, proof obligations ensuring invari-ant properties can be automatically generated, and the refinement relationsbetween documents on different abstraction levels can be formally stated andproved. Finally, we provide a schematic translation of the specification toJava and thus an automatic generation of an object-oriented implementation.
18
Object-Oriented Specification of
Distributed Systems —Specification Style and Method
Ulrike Lechner
Universitat Passau
The object-oriented specification language Maude has proven itself to be ex-pressive. However the object model of Maude is very unconventional. We usealternative specification formalisms, algebraic and coalgebraic specificationsand the µ-calculus to reason about the object model, the properties of Maudespecifications and in particular the properties that are inherited via the setof object-oriented reuse and structuring concepts developed for Maude.
(Semi-)Automatic Test Generation fromRigorous Specifications
Marielle Doche, Michel Lemoine, Christel Seguin
ONERA CERT, Toulouse
One of the main problem the industry is faced with is the accuracy of testingaccordingly the specifications that have been built. Indeed it is very commonfor industry to subcontract software from informal requirements documentand informal specifications. Moreover because the confidence in the softwareit receives back is not high enough, the industry is used to develop some test-ing specification in a second step, independently of the informal specificationit provided to the subcontractor.
The talk is mainly dedicated to the applicability, at an industrial level, ofsome formal methods in a new way, in order to derive test in a (semi) au-tomatic manner from formal specifications that must be built from someinformal requirements.
19
Starting from an existing design (an Automatic Teller Machine communicat-ing through a connection line with a Central System) we have developed aformal Z specification composed of 3 corresponding (semi) independent statespaces. We then transform each operation (on state space) into a DisjunctiveNormal Form of sub-operations, each one containing only AND-operators.Each sub-operation is no more than a “Test Class” from which “Test Data”are classically derived.
Because this 1st step is only able to help the designer to find out independent“Test Data” it is necessary to complement it with a 2nd formal specificationallowing to specify the dynamic behavior of the system. For that purpose wehave used TRIO, a 1st order logic including some temporal logic capacity. Wethen specify some temporal constraints we would like the dynamic behaviormeets. Because TRIO works with a “temporal window” (from Now to “n”time units in the future or from “n” time units in the past down to “m” timeunits in the future) it is possible to derive ALL the “models” (sequences ofassignments of values) that satisfy the temporal constraints.
Combinatorial explosion is avoided because values are restricted to these onescomputed in the 1st step and because the considered “temporal window” isshort enough.
The talk emphasizes as well the usefulness of combining two “compatible”formal notations, each one providing some accurate ”by product”.
Regularity =↽ Parallelism
Christian Lengauer
Universitat Passau
We develop parallel versions of two programs for the polynomial product:
1. A nested loop program. Here, we are employing a geometrical space-time mapping model, the polytope model, in which nested loop pro-grams can be parallelized automatically, optimizing some stated ob-jective function like the number of parallel steps (execution time), the
20
number of processors, the number of communication channels, etc. Theformal techniques employed in this method are linear algebra and lin-ear programming. We present two parallel programs, each with a lineartime and space complexity.
2. A divide-and-conquer program. Here we are considering a modificationof the space-time mapping model for loop parallelization to obtain aparallel loop program for Karatcuba’s polynomial product. The reasonto choose divide-and-conquer over nested loops is to achieve a sublineartime complexity (at the expense of an increased number of processors).
The objective of the presentation is to discuss the strengths and weaknessesof the space-time mapping approach to the parallelization of loops and re-currences. Papers on this topic can be obtained on the Web under:
http://www.uni-passau.de/~lengauer/
Hierarchical Constructive Specifications
Jacques Loeckx
Universitat Saarbrucken
Constructive specifications have been described in [1]. While their semanticsis defined operationally they may—alternatively—be viewed as initial spec-ifications satisfying a number of constraints. One of these constraints, the“termination constraint”, guarantees the existence of a reduction ordering.This constraint is automatically verified when the operatioins are defined in a“primitive recursive way”. In other cases it may be difficult to find a suitablereduction ordering.
Hierarchical constructive specifications are constructive specifications satis-fying an additional constraint: informally speaking, the different operationshave to be defined “successively”. The goal of this talk is to present a verysimple and intuitive proof method for the verification of the termination
21
constraint of these specifications. The method presents similarities with theproof method described in [2]. As a difference it is model-oriented ratherthan presentation-oriented. Hence, contrasting with the method presentedin [2] it has not been developed as an automatic proof method; on the otherhand, it leads to proofs that are intuitively clear and easy to understand.
References
[1] Loeckx J., Ehrich H.-D., Wolf M. Specification of Abstract Data Types,Wiley-Teubner, 1996.
[2] Arts Th., Giesl J.. Termination of Constructor Systems, Internal ReportIBN 95/34, Technische Hochschule Darmstadt, 1995.k2 (Refinement morphism =
Component morphism)
Antonia Lopes
University of Lisbon(Joint work with Jose Luiz Fiadeiro)
When several components are interconnected together to form a complex sys-tem, the overall behaviour of a system depends on the individual behaviourof its components.
In general, components are described in terms of the behaviour they ensureto have in any context and, hence, composition is given by conjunction,i.e. the properties of a system are given by the conjunction of the propertiesof its components. In this case, the system also acts as a refinement of itscomponents in the sense that all their properties are preserved.
In the action-based approach to systems specification, it is not satisfactoryto describe a system only in terms of the behaviour it ensures to have in any
22
context. Since communication is based on the synchronisation of actions, asystem cannot guarantee to have a liveness property in any context, unless itmakes some assumptions on its environment. An alternative to the assump-tion commitment style of specification is to consider that systems are alsodescribed in terms of the behaviour they are willing to have when working asa component of a larger system. In this case, the willingness properties of acomplex system are not given by the conjunction of the willingness propertiesof its components and, thus, the notion of refinement does not coincide withthe notion of component of.
We illustrate this approach using a Modal Action Logic to specify the safetyproperties that a system ensures to have and the readiness properties (a kindof required nondeterminism) that a system is willing to have.
Shedding New Light inthe World of Logical Systems
Alfio Martini
Technische Universitat Berlin
The notion of an Institution is here taken as the precise formulation for thenotion of a logical system. By using elementary tools from the core of cat-egory theory, we are able to reveal the underlying mathematical structureslying “behind” the logical formulation of the satisfaction condition, and bydoing so, to get a both suitable and deeper understanding of the institutionconcept. This allows us to systematically approach the problem of describingand analyzing relations between logical systems, as well as to redesign thenotion of an institution to a purely categorical level, so that the satisfactioncondition becomes a functorial (and natural) transformation from specifica-tions to (subcategories of) models. This systematic procedure is also appliedto discuss and give a natural description for the notion of an institution mor-phism. The last technical discussion is a careful and detailed analysis of twoexamples, which tries, as an outcome, to outline how the new categorical in-sights could help in guiding the development of a unifying theory for relationsbetween logical systems.
23
Accepted for publication in CTCS’97 (Conference on Category Theory inComputer Science)
Probabilistic Temporal Logic
Annabelle McIver
Oxford University
Various attempts have been made to extend temporal logic to include prob-abilistic reasoning, with mixed success. For example Feldman and Harel [1]present a probabilistic dynamic logic which covers probabilistic choice, butwithout nondeterminism; and Hart and Sharir [2] construct a probabilisticpropositional logic which deals only with properties that hold with probabil-ity 1.
Our recent work [5] (following eg Jones [3]) is based on expectations ratherthan explicit probability distributions, and its smooth extension of predicatetransformers seems to hold the key to a similar extension of temporal logic,including both nondeterminism (extending [1]) and ‘proper’ probabilities (ly-ing strictly between 0 and 1, extending [2]).
In particular the theory of probabilistic predicate transformers [5] leads natu-rally to a reformulation of Morris’ weakest-precondition-based temporal logic[4]. By defining appropriate generalisations of the predicate operators (im-plication, conjunction and disjunction) on the space of expectations, likewisemany of the laws of standard temporal logic generalise also, making for apractical tool for the calculation of temporal properties and their associatedprobabilities.
Finally the interpretation of the ‘probabilistic formulae’ over (probabilistic)transition systems has lead to some startling insights into the operationalinterpretation of (even non-probabilistic) temporal operators, in terms ofgames.
24
References
[1] Feldman and Harel, A Probabilistic Dynamic Logic, Journal of ComputerSystem Sciences 28, 193–215 (1984).
[2] Hart and Sharir, Probabilistic Propositional Temporal Logics, Informa-tion and Control, 70, 97–155 (1986).
[3] Jones, C. Probabilistic Non-determinism, Doctoral Thesis, 1990.
[4] Morris, J. M. Temporal Predicate Transformers and Fair Termination,Acta Informatica 27, 287–313 (1990).
[5] Morgan, McIver and Seidel. Probabilistic Predicate Transformers, ACMTransactions on Programming Languages and Systems, 18, (3) 325–353,(1996).
Specifying the Boiler inTimed Rewriting Logic
Peter Olveczky], Piotr Kosiuczenko]], Martin Wirsing]]
]University of Bergen, ]]Ludwig–Maximilians–UniversitatMunchen
In this talk crucial parts of our object-oriented algebraic solution of thesteam-boiler specification problem are presented. The solution is written inTimed Maude. Timed Maude is a specification language under developmentwhere the static parts of the specified system are described by equationalspecifications, whereas the behaviour of a process is described by timed termrewriting. Timed Maude is based on Meseguer’s Maude language, and itsunderlying logic is timed rewriting logic, an extension of rewriting logic todeal with hard real-time systems.
25
Industrial Use of ASMs forSystem Documentation
Peter Pappinghaus], Egon Borger]]
]Siemens AG, ]]Universita di Pisa
We report on ongoing work using ASMs to document the basic functionalityof an existing large software system implemented in C++. The software to bedocumented is the toolset TRANSIT (TRain ANalysis and SImulation Toolset) developed and used at Siemens for the simulation of railway systems(cf. SIGNAL + DRAHT (88) 3/96).
The system consists of several components communicating with each otherby a message passing mechanism. One of the goals of the work is to specifythese components on a level of abstraction appropriate to express constraintsabout this interaction, which currently are not made explicit.
A Graphic Notation forFormal Specification of Dynamic Systems
Gianna Reggio
Universita di Genova
Given an already established formal specification method for reactive sys-tems, we develop an alternative graphic notation for its specifications to im-prove the writing and the understanding of such specifications and, hopefully,the acceptance of the method by industrial users.
26
Applying Formal Methods toSecurity Protocols
Peter Y. A. Ryan
DRA Malvern
We present an overview of the aims and key results of a 3 year research pro-gramme on the application of ”mainstream” formal methods to the analysisand design of security protocols. By ”security protocol” we mean a prescribedinteraction between nodes of a distributed network that uses cryptographicmechanisms such as encryption, hashing, digital signatures etc to achievecertain security requirements. These can include:
• Authentication
• Confidentiality
• Key-exchange
• Integrity
• Anonymity
• Non-repudiation
The attraction of such protocols from the point of view of formal analysisis that they are very compact yet have to satisfy subtle properties in a hos-tile environment. They are, in Roger Needham’s phrase: “typically 3 linesprogrammes that people still succeed in getting wrong”.
The main thrust of the programme has been the use of CSP to formalisethe network, the nodes, and the hostile agent(s). The security propertiescan also be elegantly formalised in CSP and then refinement checks can beconducted to establish whether or not the system refines the property inquestion. These checks are conducted in a highly automated fashion usingthe CSP model-checker FDR. If the check fails, FDR returns a counter-example that in effect details an attack on the protocol. The model-checkeroperates by exhaustively checking all (essentially distinct) behaviours of thetwo processes.
27
Once the specification has been established the approach is thus highly au-tomated. Considerable ingenuity may be required of course to compress themodels to keep the state space size small enough for model-checking to workwhilst ensuring that no significant behaviours are lost.
The effectiveness of this approach has been demonstrated by, for example,the finding of a number of novel attacks on well-known protocols, most no-tably Lowe’s uncovering of an attack on the Needham-Schroeder Public-keyprotocol. This protocol had previously been considered to be secure sinceit’s publication some 17 years earlier and indeed had been “proven” secureusing the BAN-logic.
The application of the concepts and of the concepts and techniques to otherareas such as safety-critical and fault-tolerant systems is also outlined. Forexample the concept of non-interference used in security to formalise the ab-sence of information flow can be adapted the weaker notion of non-disruptionthat neatly formalises the concept of fault resilience.
In summary: it has been shown that:
• security protocols are a very fruitful application area for formal meth-ods,
• Model-checking techniques can be highly effective,
• formal methods can yield valuable results at reasonable cost as long asthe application is chosen carefully and tools and techniques are suitablymatched.
28
A Formal Object-Oriented MethodInspired by Fusion and Object–Z
Wolfram Schulte
Universitat Ulm
We present a new formal OO method, called Fox, which is a synergetic com-bination of the semi-formal Fusion method and the formal specification lan-guage Object–Z. To manage complexity and to foster seperation of concerns,Fox distinguishes between analysis and design. In each phase structure andbehaviour specifications are developed step-by-step. The specifications maybe graphical or textual. We give proof obligations to guarantee that the de-veloped models are formally consistent and complete, and that the resultingsystem conforms to the original specification. By walking through a simpleexample—a graph editor—we illustrate the application of Fox.
Integrating Object–Z and CSP
Graeme Smith
Technische Universitat Berlin
While most specification languages can be used to specify entire systems, few,if any, are particularly suited to modelling all aspects of such systems. Theformal development of particularly large, or complex, systems can, therefore,often be facilited by the use of more than one formal specification language.
This talk presents a method of formally specifying concurrent systems us-ing the object-oriented state-based specification language Object–Z togetherwith CSP. The rationale is that Object–Z provides a convenient method ofmodelling the complex data structures needed to define component processes,and CSP enables the concise specification of process interaction. The advan-tage of Object–Z over more traditional state-based languages such as Z is thatits class structure provides a construct easily identifiable with CSP processes.The basis of the integration is a semantics of Object–Z classes identical to
29
that of CSP processes. This enables classes specified in Object–Z to be useddirectly within the CSP part of the specification.
The approach uses the exisiting languages without altering their syntax orsemantics. This makes it accessible to users who are already familiar withthe languages and also enables the use of tools and methods of verificationand refinement developed for them.
Using Formal Methods for theValidation of Prolog Programs
Karl Stroetmann
Siemens AG(Joint work with Thomas Glaß and Martin Muller)
So far, attempts to apply formal methods for the verification of software hadonly a very limited success. This is mainly due to the excessive costs associ-ated with interactive formal proofs. The situation is different in those areaswhere automatic proof systems can be applied, e.g. in hardware verification.It is therefore argued that in order to apply formal methods we should shiftour attention from verification to validation and apply automated theoremproving to the static analysis of software.
This idea is demonstrated with the programming language Prolog. To thisend, Prolog is extended with a type system. Furthermore, a new declar-ative semantics that describes the effects of the cut operator faithfully isintroduced. Using this semantics it is possible to check the completenessand consistency of a Prolog program with the help of an automatic theoremprover. The industrial evaluation of this idea has shown that this approachdoes increase the quality of software dramatically without increasing its cost.
30
Another Look at Localities and Failuresin the π-Calculus or: Everything May Fail
Markus Wolf
Universitat Saarbrucken
In 1994 Amadio and Prasad introduced an extension of the π-calculus for han-dling located processes, channels and failure of locations, [1]. This seemed tobe an interesting setting to study mobile objects. Unfortunately, the calculusassumes one permanent or non-failing location which does not correspond tothe intuition that every location may fail. While removing the assumptionand trying to model a mobile process it turned out that it is not possibleto model mobility that is robust under failure of the original location of aprocess. However, it is easy to model the situation adequately if one movesto a higher-order version of the located π-calculus. This seems to contradictSangiorgi’s result [2] that every process of the higher-order π-calculus can becompiled to a process of normal π-calculus exhibiting essentially the same be-haviour. Using Sangiorgi compilation on a mobile process in the higher-orderlocated setting yields essentially the mobile process in the first-order locatedsetting which is bot robust under failure. Hence a notion of bisimulation, asfor example in [1], which does not observe failed locations would distinguishthe two processes.
References
[1] R. Amadio, S. Prasad. Localities and Failures. In P. S. Thiagarajan (ed.),Proc. 14th Conf. Foundations of Software Technology and TheoreticalComputer Science (LNCS 880). Springer, Berlin, 1994, pp. 205–216.
[2] Davide Sangiorgi. Expressing Mobility in Process Algebras: First-Orderand Higher-Order Paradigms. PhD Thesis, University of Edinburgh, 1992.
31