## Program Compatibility Approaches (2006)

Venue: In Proceedings of the Formal Methods for Components and Objects Symposium, FMCO 2006

Citations: 4 (0 self)

### BibTeX

```bibtex
@INPROCEEDINGS{Clarke06programcompatibility,
  author    = {Edmund Clarke and Natasha Sharygina and Nishant Sinha},
  title     = {Program Compatibility Approaches},
  booktitle = {In Proceedings of the Formal Methods for Components and Objects Symposium, FMCO 2006},
  year      = {2006},
  publisher = {}
}
```


### Abstract

This paper is a survey of several techniques that have proven useful in establishing compatibility among behaviorally similar programs (e.g., system upgrades, object sub- and supertypes, system components produced by different vendors, etc.). We give a comparative analysis of the techniques by evaluating their applicability to various aspects of the compatibility problem.

### References cited by this paper (each prefixed with its own citation count)

2638 | Model Checking
- Clarke, Grumberg, et al.
- 1999

Citation context: ...satisfies the assumption. An algorithm for learning regular sets, L* [1,23], is used to automatically generate these assumptions assisted by a model checker [7]. It is assumed that appropriate assumptions have been generated by performing automated A-G reasoning over the assembly before an upgrade occurs. Upon an upgrade, the compatibility check procedure re...

1502 | A Discipline of Programming
- Dijkstra
- 1976

Citation context: ...$\alpha(\bar{v}) \wedge \bar{b}' = \alpha(\bar{v}')$ (1). $\hat{T}$ is an existential abstraction of $T$ and is also referred to as its may abstraction $\hat{T}_{may}$ [24]. We compute this abstraction using the weakest precondition (WP) transformer [13,18] on predicates in P along with an automated theorem prover [15]. Must Predicate Abstraction: Under-approximation. The modified predicate abstraction constructs an under-approximation of the concrete s...

642 | Construction of abstract state graphs with PVS
- Graf, Saidi
- 1997

Citation context: ...lowing conditions C1 and C2 hold: (C1) $C_i \sqsubseteq M$ (C2) $M' \sqsubseteq C'_i$. Here $M$ is an over-approximation of $C_i$ and can be constructed by standard predicate abstraction [15]. $M'$ is constructed from $C'_i$ via a modified predicate abstraction which produces an under-approximation of its input C component. We now describe the details of the abstraction steps. Suppose that ...

586 | Dynamically discovering likely program invariants to support program evolution
- Ernst, Cockrell, et al.
- 2001

Citation context: ...bility check technique first computes an operational abstraction (summary) of the behaviors of the old component that are used by the rest of the system. The summary is computed using the tool Daikon [14] for automatically inferring program invariants from a representative set of program behaviors and consists of pre- and post-condition tuples for the component. The new component vendor also computes ...

530 | Learning Regular Sets from Queries and Counterexamples
- Angluin
- 1987

Citation context: ...ment assumption for a component automatically and then verify if the rest of the system satisfies the assumption. An algorithm for learning regular sets, L* [1,23], is used to automatically generate these assumptions assisted by a model checker [7]. It is assumed that appropriate assumptions have been generated by performing automated A-G reasoning over the asse...

505 | A semantics of multiple inheritance
- Cardelli
- 1988

Citation context: ...The first clause (cf. Figure 1) addresses the need to relate inherited methods of the subtype to those of the supertype. The first two signature rules are the standard contra/covariance rules [4,3]. The exception rule says that $m_\sigma$ may not throw more exceptions (the exceptions concept is taken from object-oriented programming) than $m_\tau$, since a caller of a method on a supertype object should not ...

435 | Computer-Aided Verification of Coordinating Processes: The Automata-Theoretic Approach
- Kurshan
- 1994

Citation context: ...ntee reasoning algorithm, wherein previously generated assumptions before upgrades are reused efficiently to re-validate the new assembly. The framework uses an iterative abstraction/refinement paradigm [2,8,17] for both containment and compatibility phases. This approach enabled extraction of relatively simple finite-state models from complex C code. State-event automata (finite automata with both state and...

393 | Hierarchical Correctness Proofs for Distributed Algorithms
- Lynch, Tuttle
- 1981

Citation context: ...these automata model both input assumptions about the temporal order of inputs and output guarantees about generation of outputs for the component. In contrast to similar formalisms like I/O automata [20], the interface automata approach handles both composition and refinement of automata differently. Two automata are said to be compatible if there exists some environment that can provide inputs so th...

380 | SIMPLIFY: A theorem prover for program checking
- Detlefs, Nelson, et al.
- 2003

Citation context: ...recisely, the procedure checks if the new abstraction is able to accept as many inputs and produces no more outputs than the old abstraction. This check is performed using the Simplify theorem prover [12]. If the test succeeds, then the new component can be safely used in all situations where the old component was used. Otherwise, the check provides feedback about the incompatibility in terms of speci...

365 | Interface Automata
- Alfaro, Henzinger
- 2001

Citation context: ...tutability problem in the context of evolving software systems. Finally, Section 6 provides a comparative evaluation of the presented techniques. 2 Interface Automata Compatibility. Interface automata [10] were proposed by Alfaro et al. for capturing the temporal input/output (I/O) behaviors of software component interfaces. Given a software component, these automata model both input assumptions about t...

192 | Distribution and Abstract Types in Emerald
- Black, Hutchinson, et al.
- 1987

Citation context: ...The first clause (cf. Figure 1) addresses the need to relate inherited methods of the subtype to those of the supertype. The first two signature rules are the standard contra/covariance rules [4,3]. The exception rule says that $m_\sigma$ may not throw more exceptions (the exceptions concept is taken from object-oriented programming) than $m_\tau$, since a caller of a method on a supertype object should not ...

175 | Inference of finite automata using homing sequences
- Rivest, Schapire
- 1993

Citation context: ...ment assumption for a component automatically and then verify if the rest of the system satisfies the assumption. An algorithm for learning regular sets, L* [1,23], is used to automatically generate these assumptions assisted by a model checker [7]. It is assumed that appropriate assumptions have been generated by performing automated A-G reasoning over the asse...

120 | Interface theories for component-based design
- Alfaro, Henzinger

Citation context: ...utomata, as defined above, execute asynchronously. The formalism has been extended to synchronous interfaces [6]. A general formalism relating components and their interface models has been developed [11] using the notion of interface automata. 3 Checking Compatibility of Upgrades. McCamant and Ernst present a technique [21] to check if upgrades to one or more components in a component assembly (also r...

113 | Learning assumptions for compositional verification
- Cobleigh, Giannakopoulou, et al.

Citation context: ...velopers. 5.2 Compatibility Check. The compatibility check ensures that the upgraded system satisfies the global safety specification. The check relies on an automated assume-guarantee reasoning procedure [9], where the key idea is to generate an environment assumption for a component automatically and then verify if the rest of the system satisfies the assumption. An algorithm...

72 | Boolean programs: A model and process for software analysis (technical report 2004-14), 2004. Cited 18 March 2006, available at http://research.microsoft.com/slam
- Ball, Rajamani

Citation context: ...ntee reasoning algorithm, wherein previously generated assumptions before upgrades are reused efficiently to re-validate the new assembly. The framework uses an iterative abstraction/refinement paradigm [2,8,17] for both containment and compatibility phases. This approach enabled extraction of relatively simple finite-state models from complex C code. State-event automata (finite automata with both state and...

56 | In transition from global to modular temporal reasoning about programs
- Pnueli

Citation context: ...containment phase, this check is performed on finite-state state-event (SE) automaton abstractions from the C components. Automated Assume-Guarantee Reasoning. Assume-guarantee (A-G) based reasoning [22] is a well-known compositional verification technique. The essential idea here is to model-check each component independently by making an assumption about its environment, and then discharge the assu...

54 | Counterexample-guided abstraction refinement
- Clarke, Grumberg, Jha, Lu, Veith
- 2000

Citation context: ...ntee reasoning algorithm, wherein previously generated assumptions before upgrades are reused efficiently to re-validate the new assembly. The framework uses an iterative abstraction/refinement paradigm [2,8,17] for both containment and compatibility phases. This approach enabled extraction of relatively simple finite-state models from complex C code. State-event automata (finite automata with both state and...

40 | Efficient weakest preconditions
- Leino
- 2005

Citation context: ...$\alpha(\bar{v}) \wedge \bar{b}' = \alpha(\bar{v}')$ (1). $\hat{T}$ is an existential abstraction of $T$ and is also referred to as its may abstraction $\hat{T}_{may}$ [24]. We compute this abstraction using the weakest precondition (WP) transformer [13,18] on predicates in P along with an automated theorem prover [15]. Must Predicate Abstraction: Under-approximation. The modified predicate abstraction constructs an under-approximation of the concrete s...

33 | Synchronous and bidirectional component interfaces (LNCS volume 2404)
- Chakrabarti, Alfaro, et al.
- 2002

Citation context: ...Q � Q′ � P � P′, it is sufficient to check Q � P and Q′ � P′ separately. Interface automata, as defined above, execute asynchronously. The formalism has been extended to synchronous interfaces [6]. A general formalism relating components and their interface models has been developed [11] using the notion of interface automata. 3 Checking Compatibility of Upgrades. McCamant and Ernst present a t...

25 | Early identification of incompatibilities in multi-component upgrades
- McCamant, Ernst
- 2004

Citation context: ...al formalism relating components and their interface models has been developed [11] using the notion of interface automata. 3 Checking Compatibility of Upgrades. McCamant and Ernst present a technique [21] to check if upgrades to one or more components in a component assembly (also referred to as an application) are compatible with the other components in the assembly. More precisely, their work seeks ...

14 | Overview of ComFoRT: A model checking reasoning framework
- Ivers, Sharygina
- 2004

Citation context: ...T′ is closed by making membership queries and the algorithm repeats from Step 2. 5.3 Case Studies. The compatibility check phase for checking component substitutability was implemented in the COMFORT [16] framework. COMFORT extracts abstract component SE models from C programs using predicate abstraction and performs automated A-G reasoning on them. If the compatibility check returns a counterexample,...

14 | Behavioral subtyping using invariants and constraints
- Liskov, Wing
- 1999

Citation context: ...assessment of compatibility between different components remains a challenging task. A limited answer to the component compatibility problem can be given by traditional type systems. It is well known [19], however, that type checking, while very useful, captures only a small part of what it means for a program to be correct. Instead it is necessary to establish a stronger requirement that ensures the ...

10 | Dynamic component substitutability analysis
- Chaki, Clarke, et al.
- 2005

Citation context: ...super- and subtype objects. Liskov and Wing report a number of successful examples where the subtype relation was useful in validating several benchmarks. 5 Substitutability Check. Our own earlier work [5] gives an automated and compositional procedure to solve the substitutability problem in the context of evolving software systems. Checking substitutability is defined as verifying whether (i) any upd...

4 | Monotonic Abstraction-Refinement for CTL
- Shoham, Grumberg
- 2004

Citation context: ...ation $\hat{T}(\bar{b}, \bar{b}')$ as follows: $\hat{T}(\bar{b}, \bar{b}') = \exists \bar{v}, \bar{v}' : T(\bar{v}, \bar{v}') \wedge \bar{b} = \alpha(\bar{v}) \wedge \bar{b}' = \alpha(\bar{v}')$ (1). $\hat{T}$ is an existential abstraction of $T$ and is also referred to as its may abstraction $\hat{T}_{may}$ [24]. We compute this abstraction using the weakest precondition (WP) transformer [13,18] on predicates in P along with an automated theorem prover [15]. Must Predicate Abstraction: Under-approximation. T...