Verifying a Distributed Database Lookup Manager Written in Erlang, 1999
Abstract
Cited by 18 (8 self)
We describe a case-study in which formal methods were used to verify an important responsiveness property of a distributed database system which is used heavily at Ericsson in a number of recent products. One of the aims of the project was to verify the actual running code which is written in the distributed functional language Erlang. In a joint project between SICS and Ericsson we have over the past few years been developing a tableau-based verification tool for Erlang of considerable scope. In particular, we are capable of addressing -- on the level of running program code -- systems with unbounded behaviour along the many dimensions in which this happens in "real" programs, involving datatypes, recursive control structures, error handling and recovery, initialisation, and dynamic process creation. The database lookup manager considered here contains most of these features, giving rise to infinite state behaviour which is not very adequately handled using model checking o...
A Verification Tool for Erlang, 2003
Abstract
Cited by 11 (2 self)
This paper presents an overview of the main results of the project "Verification of Erlang Programs", which is funded by the Swedish Business Development Agency (NUTEK) and by Ericsson within the ASTEC (Advanced Software TEChnology) initiative. Its main outcome is the Erlang Verification Tool (EVT), a theorem prover which assists in obtaining proofs that Erlang applications satisfy their correctness requirements formulated as behavioural properties in a modal logic with recursion. We give a summary of the verification framework as supported by EVT, discuss reasoning principles essential for successful proofs such as inductive and compositional reasoning, and an efficient treatment of side-effect-free code. The experiences of applying the tool in an industrial case study are summarised, and an approach for supporting verification in the presence of program libraries is outlined. EVT is essentially...
Sequent Calculi for Process Verification: Hennessy-Milner Logic for an Arbitrary GSOS, 2003
Abstract
Cited by 8 (0 self)
We argue that, by supporting a mixture of “compositional” and “structural” styles of proof, sequent-based proof systems provide a useful framework for the formal verification of processes. As a worked example, we present a sequent calculus for establishing that processes from a process algebra satisfy assertions in Hennessy-Milner logic. The main novelty lies in the use of the operational semantics to derive introduction rules, on the left and right of sequents, for the operators of the process calculus. This gives a generic proof system applicable to any process algebra with an operational semantics specified in the GSOS format. Using a general algebraic notion of GSOS model, we prove a completeness theorem for the cut-free fragment of the proof system, thereby establishing the admissibility of the cut rule. Under mild (and necessary) conditions on the process algebra, an ω-completeness result, relative to the “intended” model of closed process terms, follows.
Proving the Temporal Properties of the Unique World, 1999
Abstract
Cited by 4 (4 self)
The behavior of concurrent and parallel programs can be specified in a functional style. We introduced a relational model for synthesizing abstract parallel imperative programs earlier. In this paper we investigate the applicability of the specification and verification tools of the model for proving temporal properties of concrete programs written in a pure functional language, in Concurrent Clean. Destructive updates preserving referential transparency are possible by using so called unique types. Clean programs perform I/O by accessing their unique environment. We present a methodology for proving safety and liveness properties of concurrent, interleaved Clean Object I/O processes and show examples for verification of simple Clean programs.
A Tool for Verifying Software Written in Erlang, 2000
Abstract
Cited by 3 (1 self)
The present paper presents an overview of the main results of the ASTEC project Verification of Erlang Programs, focusing in particular on the Erlang verification tool. This is a theorem-proving tool which assists in obtaining proofs that Erlang applications satisfy their correctness requirements formulated in a specification logic. We give a summary of the verification framework as supported by the tool, discuss reasoning principles essential for successful verification such as inductive and compositional reasoning, and an efficient treatment of side-effect-free code. The experiences of applying the verification tool in an industrial case study are summarised, and an approach for supporting verification in the presence of program libraries is outlined. The verification tool is essentially a classical proof assistant, or theorem-proving tool, requiring users to intervene in the proof process at crucial steps such as stating program invariants. However, the tool offers considerable support for au...
Verification of the Temporal Properties of Dynamic Clean Processes, 1999
Abstract
Cited by 1 (1 self)
The behavior of concurrent and parallel programs can be specified in a functional style. We introduced a relational model for synthesizing abstract parallel imperative programs this way earlier. In this paper we investigate the applicability of the specification and verification tools of the model for proving temporal properties of concrete programs written in a pure functional language, in Concurrent Clean. Destructive updates preserving referential transparency are possible in this language by using the so called unique types. For example Clean programs perform I/O by accessing their unique environment. Furthermore, dynamic types of Clean make it possible to load some pieces of the program during run-time. We present a methodology for proving safety and liveness properties of concurrent, interleaved Clean Object I/O processes that also use dynamic types and show simple examples for verification of correctness of such Clean programs.
Verification of a Simple Distributed Algorithm in Erlang
Abstract
In this talk we present the verification of a simple distributed algorithm which has been implemented in the Erlang programming language [1]. The network topology considered in the verification example is a linked list of processes. The correctness properties of the algorithm are expressed in the modal μ-calculus extended with data. For proving that the program satisfies its specification, we use the Erlang Verification Tool [3] (henceforth EVT), a general purpose proof assistant tool in which a small-step operational semantics of Erlang has been embedded. The underlying proof system is a Gentzen-style one, with a particular emphasis on a "lazy" scheme for fixed point induction and proof rules for compositional reasoning [2].
Functional Programming and Logic Decrease the Use of the Most Important Part of Our System, 2001
Abstract
Several years of experience with the functional language Erlang have taught Ericsson that it is highly beneficial to use this language for programming control software for large systems. Systems that could not be built before have been constructed in less time and with fewer lines of code than one would need with conventional languages. The success of Ericsson in the business area of telephone switches is partly because of their solid fault tolerant architecture, both in hardware and in software. A lot of time and money have been invested in the development of this fault tolerant architecture, all to catch those errors that are overlooked in numerous tests. By using Erlang and its extensive libraries, the number of these uncaught errors decreases; the fault recovery mechanism of the system is used less. One saves on maintenance costs and the overall performance of a system increases. The additional use of formal verification aims at reducing the number of uncaught errors even further.