Results 1  10
of
655
Bandera: Extracting Finitestate Models from Java Source Code
 IN PROCEEDINGS OF THE 22ND INTERNATIONAL CONFERENCE ON SOFTWARE ENGINEERING
, 2000
"... Finitestate verification techniques, such as model checking, have shown promise as a costeffective means for finding defects in hardware designs. To date, the application of these techniques to software has been hindered by several obstacles. Chief among these is the problem of constructing a fini ..."
Abstract

Cited by 654 (33 self)
 Add to MetaCart
Finitestate verification techniques, such as model checking, have shown promise as a costeffective means for finding defects in hardware designs. To date, the application of these techniques to software has been hindered by several obstacles. Chief among these is the problem of constructing a finitestate model that approximates the executable behavior of the software system of interest. Current bestpractice involves handconstruction of models which is expensive (prohibitive for all but the smallest systems), prone to errors (which can result in misleading verification results), and difficult to optimize (which is necessary to combat the exponential complexity of verification algorithms). In this paper, we describe an integrated collection of program analysis and transformation components, called Bandera, that enables the automatic extraction of safe, compact finitestate models from program source code. Bandera takes as input Java source code and generates a program model in the input language of one of several existing verification tools; Bandera also maps verifier outputs back to the original source code. We discuss the major components of Bandera and give an overview of how it can be used to model check correctness properties of Java programs.
A Foundation for Actor Computation
 Journal of Functional Programming
, 1998
"... We present an actor language which is an extension of a simple functional language, and provide a precise operational semantics for this extension. Actor configurations represent open distributed systems, by which we mean that the specification of an actor system explicitly takes into account the in ..."
Abstract

Cited by 262 (53 self)
 Add to MetaCart
(Show Context)
We present an actor language which is an extension of a simple functional language, and provide a precise operational semantics for this extension. Actor configurations represent open distributed systems, by which we mean that the specification of an actor system explicitly takes into account the interface with external components. We study the composability of such systems. We define and study various notions of testing equivalence on actor expressions and configurations. The model we develop provides fairness. An important result is that the three forms of equivalence, namely, convex, must, and may equivalences, collapse to two in the presence of fairness. We further develop methods for proving laws of equivalence and provide example proofs to illustrate our methodology.
Problemoriented software engineering
, 2006
"... This paper introduces a formal conceptual framework for software development, based on a problemoriented perspective that stretches from requirements engineering through to program code. In a software problem the goal is to develop a machine—that is, a computer executing the software to be develope ..."
Abstract

Cited by 150 (12 self)
 Add to MetaCart
This paper introduces a formal conceptual framework for software development, based on a problemoriented perspective that stretches from requirements engineering through to program code. In a software problem the goal is to develop a machine—that is, a computer executing the software to be developed—that will ensure satisfaction of the requirement in the problem world. We regard development steps as transformations by which problems are moved towards software solutions. Adequacy arguments are built as problem transformations are applied: adequacy arguments both justify proposed development steps and establish traceability relationships between problems and solutions. The framework takes the form of a sequent calculus. Although itself formal, it can accommodate both formal and informal steps in development. A number of transformations are presented, and illustrated by application to small examples.
Design of Embedded Systems: Formal Models, Validation, and Synthesis
 PROCEEDINGS OF THE IEEE
, 1999
"... This paper addresses the design of reactive realtime embedded systems. Such systems are often heterogeneous in implementation technologies and design styles, for example by combining hardware ASICs with embedded software. The concurrent design process for such embedded systems involves solving the ..."
Abstract

Cited by 127 (9 self)
 Add to MetaCart
(Show Context)
This paper addresses the design of reactive realtime embedded systems. Such systems are often heterogeneous in implementation technologies and design styles, for example by combining hardware ASICs with embedded software. The concurrent design process for such embedded systems involves solving the specification, validation, and synthesis problems. We review the variety of approaches to these problems that have been taken.
Formal verification in hardware design: A survey
, 1997
"... In recent years, formal methods have emerged as an alternative approach to ensuring the quality and correctness of hardware designs, overcoming some of the limitations of traditional validation techniques such as simulation and testing. There are two main aspects to the application of formal methods ..."
Abstract

Cited by 113 (0 self)
 Add to MetaCart
In recent years, formal methods have emerged as an alternative approach to ensuring the quality and correctness of hardware designs, overcoming some of the limitations of traditional validation techniques such as simulation and testing. There are two main aspects to the application of formal methods in a design process: The formal framework used to specify desired properties of a design, and the verification techniques and tools used to reason about the relationship between a specification and a corresponding implementation. We survey a variety of frameworks and techniques which have been proposed in the literature and applied to actual designs. The specification frameworks we describe include temporal logics, predicate logic, abstraction and refinement, as well as containment between!regular languages. The verification techniques presented include model checking, automatatheoretic techniques, automated theorem proving, and approaches that integrate the above methods.
HOL Light: A tutorial introduction
 Proceedings of the First International Conference on Formal Methods in ComputerAided Design (FMCAD’96), volume 1166 of Lecture Notes in Computer Science
, 1996
"... HOL Light is a new version of the HOL theorem prover. While retaining the reliability and programmability of earlier versions, it is more elegant, lightweight, powerful and automatic; it will be the basis for the Cambridge component of the HOL2000 initiative to develop the next generation of HOL th ..."
Abstract

Cited by 109 (11 self)
 Add to MetaCart
(Show Context)
HOL Light is a new version of the HOL theorem prover. While retaining the reliability and programmability of earlier versions, it is more elegant, lightweight, powerful and automatic; it will be the basis for the Cambridge component of the HOL2000 initiative to develop the next generation of HOL theorem provers. HOL Light is written in CAML Light, and so will run well even on small machines, e.g. PCs and Macintoshes with a few megabytes of RAM. This is in stark contrast to the resourcehungry systems which are the norm in this field, other versions of HOL included. Among the new features of this version are a powerful simplifier, effective first order automation, simple higherorder matching and very general support for inductive and recursive definitions.
Full functional verification of linked data structures
 In ACM Conf. Programming Language Design and Implementation (PLDI
, 2008
"... We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical high ..."
Abstract

Cited by 101 (19 self)
 Add to MetaCart
(Show Context)
We present the first verification of full functional correctness for a range of linked data structure implementations, including mutable lists, trees, graphs, and hash tables. Specifically, we present the use of the Jahob verification system to verify formal specifications, written in classical higherorder logic, that completely capture the desired behavior of the Java data structure implementations (with the exception of properties involving execution time and/or memory consumption). Given that the desired correctness properties include intractable constructs such as quantifiers, transitive closure, and lambda abstraction, it is a challenge to successfully prove the generated verification conditions. Our Jahob verification system uses integrated reasoning to split each verification condition into a conjunction of simpler subformulas, then apply a diverse collection of specialized decision procedures,
Stackbased Access Control and Secure Information Flow
, 2003
"... Access control mechanisms are often used with the intent of enforcing confidentiality and integrity policies, but few rigorous connections have been made between information flow and runtime access control. The Java virtual machine and the .NET runtime system provide a dynamic access control mechani ..."
Abstract

Cited by 98 (18 self)
 Add to MetaCart
Access control mechanisms are often used with the intent of enforcing confidentiality and integrity policies, but few rigorous connections have been made between information flow and runtime access control. The Java virtual machine and the .NET runtime system provide a dynamic access control mechanism in which permissions are granted to program units and a runtime mechanism checks permissions of code in the calling chain. We investigate a design pattern by which this mechanism can be used to achieve confidentiality and integrity goals: a single interface serves callers of more than one security level and dynamic access control prevents release of high information to low callers. Programs fitting this pattern would be rejected by previous flow analyses. We give a static analysis that admits them, using permissiondependent security types. The analysis is given for a classbased objectoriented language with features including inheritance, dynamic binding, dynamically allocated mutable objects, type casts and recursive types. The analysis is shown to ensure a noninterference property formalizing confidentiality and integrity.
A Decision Procedure for an Extensional Theory of Arrays
 In 16th IEEE Symposium on Logic in Computer Science
, 2001
"... A decision procedure for a theory of arrays is of interest for applications in formal verification, program analysis, and automated theoremproving. This paper presents a decision procedure for an extensional theory of arrays and proves it correct. 1. ..."
Abstract

Cited by 84 (15 self)
 Add to MetaCart
(Show Context)
A decision procedure for a theory of arrays is of interest for applications in formal verification, program analysis, and automated theoremproving. This paper presents a decision procedure for an extensional theory of arrays and proves it correct. 1.
Automatic Generation of Program Specifications
 In ISSTA 2002, Proceedings of the 2002 International Symposium on Software Testing and Analysis
, 2002
"... Producing specifications by dynamic (runtime) analysis of program executions is potentially unsound, because the analyzed executions may not fully characterize all possible executions of the program. In practice, how accurate are the results of a dynamic analysis? This paper describes the results of ..."
Abstract

Cited by 82 (16 self)
 Add to MetaCart
Producing specifications by dynamic (runtime) analysis of program executions is potentially unsound, because the analyzed executions may not fully characterize all possible executions of the program. In practice, how accurate are the results of a dynamic analysis? This paper describes the results of an investigation into this question, determining how much specifications generalized from program runs must be changed in order to be verified by a static checker.