TAME: Using PVS strategies for special-purpose theorem proving
Annals of Mathematics and Artificial Intelligence, 2000
Cited by 39 (12 self)
TAME (Timed Automata Modeling Environment), an interface to the theorem proving system PVS, is designed for proving properties of three classes of automata: I/O automata, Lynch-Vaandrager timed automata, and SCR automata. TAME provides templates for specifying these automata, a set of auxiliary theories, and a set of specialized PVS strategies that rely on these theories and on the structure of automata specifications using the templates. Use of the TAME strategies simplifies the process of proving automaton properties, particularly state and transition invariants. TAME provides two types of strategies: strategies for "automatic" proof and strategies designed to implement "natural" proof steps, i.e., proof steps that mimic the high-level steps in typical natural language proofs. TAME's "natural" proof steps can be used both to mechanically check hand proofs in a straightforward way and to create proof scripts that can be understood without executing them in the PVS proof checker. Several new PVS features can be used to obtain better control and efficiency in user-defined strategies such as those used in TAME. This paper describes the TAME strategies, their use, and how their implementation exploits the structure of specifications and various PVS features. It also describes several features, currently unsupported in PVS, that would either allow additional "natural" proof steps in TAME or allow existing TAME proof steps to be improved. Lessons learned from TAME relevant to the development of similar specialized interfaces to PVS or other theorem provers are discussed.
Using I/O Automata for Developing Distributed Systems
In Gary T. Leavens and Murali Sitaraman, editors, Foundations of Component-Based Systems, 2000
Cited by 36 (6 self)
This paper describes a new experimental programming language, IOA, for modeling and implementing distributed systems, plus designs for a set of tools to support IOA programming. The language and tools are based on the I/O automaton model for reactive systems, which has been used extensively for research on distributed algorithms. The language supports structured modeling of distributed systems using shared-action composition and levels of abstraction. The tools are intended to support system design, several kinds of analysis, and generation of efficient runnable code.
Salsa: Combining Constraint Solvers with BDDs for Automatic Invariant Checking
2000
Cited by 30 (9 self)
Salsa is an invariant checker for specifications in SAL (the SCR Abstract Language). To establish a formula as an invariant without any user guidance, Salsa carries out an induction proof that utilizes tightly integrated decision procedures, currently a combination of BDD algorithms and a constraint solver for integer linear arithmetic, for discharging the verification conditions. The user interface of Salsa is designed to mimic the interfaces of model checkers; i.e., given a formula and a system description, Salsa either establishes the formula as an invariant of the system (but returns no proof) or provides a counterexample. In either case, the algorithm will terminate. Unlike model checkers, Salsa returns a state pair as a counterexample and not an execution sequence. Also, due to the incompleteness of induction, users must validate the counterexamples. The use of induction enables Salsa to combat the state explosion problem that plagues model checkers: it can handle...
On the Need for Practical Formal Methods
In Formal Techniques in Real-Time and Real-Time Fault-Tolerant Systems, Proc. 5th Intern. Symposium (FTRTFT'98), 1998
Cited by 21 (2 self)
A controversial issue in the formal methods community is the degree to which mathematical sophistication and theorem proving skills should be needed to apply a formal method. A fundamental assumption of this paper is that formal methods research has produced several classes of analysis that can prove useful in software development. However, to be useful to software practitioners, most of whom lack advanced mathematical training and theorem proving skills, current formal methods need a number of additional attributes, including more user-friendly notations, completely automatic (i.e., push-button) analysis, and useful, easy to understand feedback. Moreover, formal methods need to be integrated into a standard development process. I discuss additional research and engineering that is needed to make the current set of formal methods more practical. To illustrate the ideas, I present several examples, many taken from the SCR (Software Cost Reduction) requirements method, a formal method th...
SCR: A practical approach to building a high assurance COMSEC system
In Proc. 15th Annual Computer Security Applications Conf. (ACSAC '99), IEEE Computer, 1999
Cited by 19 (11 self)
To date, the tabular-based SCR (Software Cost Reduction) method has been applied mostly to the development of embedded control systems. This paper describes the successful application of the SCR method, including the SCR* toolset, to a different class of system, a COMSEC (Communications Security) device called CD that must correctly manage encrypted communications. The paper summarizes how the tools in SCR* were used to validate and to debug the SCR specification and to demonstrate that the specification satisfies a set of critical security properties. The development of the CD specification involved many tools in SCR*: a specification editor, a consistency checker, a simulator, the TAME interface to the theorem prover PVS, and various other analysis tools. Our experience provides evidence that use of the SCR* toolset to develop high-quality requirements specifications of moderately complex COMSEC systems is both practical and low-cost.
Proving Invariants of I/O Automata with TAME
2002
Cited by 17 (11 self)
This paper describes a specialized interface to PVS called TAME (Timed Automata Modeling Environment) which provides automated support for proving properties of I/O automata. A major goal of TAME is to allow a software developer to use PVS to specify and prove properties of an I/O automaton efficiently and without first becoming a PVS expert. To accomplish this goal, TAME provides a template that the user completes to specify an I/O automaton and a set of proof steps natural for humans to use for proving properties of automata. Each proof step is implemented by a PVS strategy and possibly some auxiliary theories that support that strategy. We have used the results of two recent formal methods studies as a basis for two case studies to evaluate TAME. In the first formal methods study, Romijn used I/O automata to specify and verify memory and remote procedure call components of a concurrent system. In the second formal methods study, Devillers et al. specified a tree identify protocol (TIP), part of the IEEE 1394 bus protocol, and provided hand proofs of TIP properties. Devillers also used PVS to specify TIP and to check proofs of TIP properties. In our first case study, the third author, a new TAME user with no previous PVS experience, used TAME to create PVS specifications of the I/O automata formulated by Romijn and Devillers et al. and to check their hand proofs. In our second case study, the TAME approach to verification was compared with an alternate approach by Devillers which uses PVS directly.
Model checking the Java Meta-Locking algorithm
In IEEE International Conference on the Engineering of Computer Based Systems, IEEE, 2000
Cited by 16 (6 self)
We report on our efforts to use the XMC model checker to model and verify the Java meta-locking algorithm. XMC [Ramakrishna et al. 1997] is a versatile and efficient model checker for systems specified in XL, a highly expressive value-passing language. Meta-locking [Agesen et al. 1999] is a highly optimized technique for ensuring mutually exclusive access by threads to object monitor queues and, therefore, plays an essential role in allowing Java to offer concurrent access to objects. Meta-locking can be viewed as a two-tiered scheme. At the upper level, the meta-lock level, a thread waits until it can enqueue itself on an object's monitor queue in a mutually exclusive manner. At the lower level, the monitor-lock level, enqueued threads race to obtain exclusive access to the object. Our abstract XL specification of the meta-locking algorithm is fully parameterized, both on the number of threads M and the number of objects N. It also captures a sophisticated optimization of the basic meta-locking algorithm known as extra-fast locking and unlocking of uncontended objects. Using XMC, we show that for a variety of values of M and N, the algorithm indeed provides mutual exclusion and freedom from deadlock and lockout at the meta-lock level. We also show that, while the monitor-lock level of the protocol preserves mutual exclusion and deadlock-freedom, it is not lockout-free because the protocol's designers chose to give equal preference to awaiting threads and newly arrived threads.
Analysis of a Biphase Mark Protocol with Uppaal and PVS
Cited by 15 (1 self)
The biphase mark protocol is a convention for representing both a string of bits and clock edges in a square wave. The protocol is frequently used for communication at the physical level of the ISO/OSI hierarchy, and is implemented on microcontrollers such as the Intel 82530 Serial Communications Controller. An important property of the protocol is that bit strings of arbitrary length can be transmitted reliably, despite differences in the clock rates of sender and receiver (drift), variations of the clock rates (jitter), and distortion of the signal after generation of an edge. In this article, we show how the protocol can be modelled naturally in terms of timed automata. We use the model checker Uppaal to derive the maximal tolerances on the clock rates, for different instances of the protocol, and to support the general parametric verification that we formalized using the proof assistant PVS. Based on the derived parameter constraints we propose instances of BMP that are correct (at least in our model) but have a faster bit rate than the instances that are commonly implemented in hardware.
Deriving Tabular Event-Based Specifications from Goal-Oriented Requirements Models
In RE'03, 2003
Cited by 14 (4 self)
Goal-oriented methods are increasingly popular for elaborating software requirements. They provide systematic support for incrementally building intentional, structural and operational models of the software and its environment, together with various techniques for early analysis, e.g., to manage conflicting goals or anticipate abnormal environment behaviors that prevent goals from being achieved. On the other hand, tabular event-based methods are well-established for specifying operational requirements for control software. They provide sophisticated techniques and tools for late analysis of software behavior models through, e.g., simulation, model checking or table exhaustiveness checks. The paper proposes to take the best out of these two worlds to engineer requirements for control software. It presents a technique for deriving event-based specifications, written in the SCR tabular language, from operational specifications built according to the KAOS goal-oriented method. The technique consists of a series of transformation steps, each of which resolves semantic, structural or syntactic differences between the KAOS source language and the SCR target language. Some of these steps need human intervention and illustrate the kind of semantic subtleties that need to be taken into account when integrating multiple formalisms. As a result of our technique, SCR specifiers may use upstream goal-based processes à la KAOS for the incremental elaboration, early analysis, organization and documentation of their tables, while KAOS modelers may use downstream tables à la SCR for later analysis of the behavior models derived from goal specifications.
Test-Suite Reduction for Model-Based Tests: Effects on Test Quality and Implications for Testing
In 19th IEEE International Conference on Automated Software Engineering (ASE'04), 2004
Cited by 13 (3 self)
Model checking techniques can be successfully employed as a test case generation technique to generate tests from formal models. The number of test cases produced, however, is typically large for complex coverage criteria such as MC/DC. Test-suite reduction can provide us with a smaller set of test cases that preserve the original coverage—often a dramatically smaller set. One potential drawback with test-suite reduction is that this might affect the quality of the test-suite in terms of fault finding. Previous empirical studies provide conflicting evidence on this issue. To further investigate the problem and determine its effect when testing formal models of software, we performed an experiment using a large case example of a Flight Guidance System, generated reduced test-suites for a variety of structural coverage criteria while preserving coverage, and recorded their fault finding effectiveness. Our results show that the size of the specification-based test-suites can be dramatically reduced and that the fault detection of the reduced test-suites is adversely affected. In this report we describe our experiment, analyze the results, and discuss the implications for testing based on formal specifications.