scispace - formally typeset
Search or ask a question

Showing papers presented at "Formal Methods for Industrial Critical Systems in 2012"


Book ChapterDOI
29 Nov 2012
TL;DR: This chapter contains sections titled: Introduction CENELEC Guidelines Software Procurement in Railway Signaling A Success Story: The B Method Classes of Railway Signaled Equipment Conclusions.
Abstract: This chapter contains sections titled: Introduction CENELEC Guidelines Software Procurement in Railway Signaling A Success Story: The B Method Classes of Railway Signaling Equipment Conclusions References

53 citations


Book ChapterDOI
27 Aug 2012
TL;DR: A correct and complete algorithm for combining several partial results into a fully consolidated validity status for each program property is proposed and it is illustrated how such a framework provides meaningful feedback on partial results.
Abstract: Static analyzers usually return partial results. They can assert that some properties are valid during all possible executions of a program, but generally leave some other properties to be verified by other means. In practice, it is common to combine results from several methods manually to achieve the full verification of a program. In this context, Frama-C is a platform for analyzing C source programs with multiple analyzers. Hence, one analyzer might conclude about properties assumed by another one, in the same environment. We present here the semantical foundations of validity of program properties in such a context. We propose a correct and complete algorithm for combining several partial results into a fully consolidated validity status for each program property. We illustrate how such a framework provides meaningful feedback on partial results.

37 citations


Book ChapterDOI
27 Aug 2012
TL;DR: This paper proposes a set of specification patterns that can be used to express real-time requirements commonly found in the design of reactive systems and provides an integrated model checking tool chain for the verification of timed requirements on TTS, an extension of Time Petri Nets with data variables and priorities.
Abstract: An issue limiting the adoption of model checking technologies by the industry is the ability, for non-experts, to express their requirements using the property languages supported by verification tools This has motivated the definition of dedicated assertion languages for expressing temporal properties at a higher level However, only a limited number of these formalisms support the definition of timing constraints In this paper, we propose a set of specification patterns that can be used to express real-time requirements commonly found in the design of reactive systems We also provide an integrated model checking tool chain for the verification of timed requirements on TTS, an extension of Time Petri Nets with data variables and priorities

35 citations


Book ChapterDOI
27 Aug 2012
TL;DR: This paper reports on integration of a parallel, explicit-state LTL model checker (DiVinE) and a tool for requirements-based verification of aerospace system components (HiLiTE), and the proposed partial toolchain use MATLAB Simulink/Stateflow as the primary design language.
Abstract: Embedded systems have become an inevitable part of control systems in many industrial domains including avionics. The nature of this domain traditionally requires the highest possible degree of system availability and integrity. While embedded systems have become extremely complex and they have been continuously replacing legacy mechanical components, the amount of defects of hardware and software has to be kept to absolute minimum to avoid casualties and material damages. Despite the above-mentioned facts, significant improvements are still required in the validation and verification processes accompanying embedded systems development. In this paper we report on integration of a parallel, explicit-state LTL model checker (DiVinE) and a tool for requirements-based verification of aerospace system components (HiLiTE, a tool implemented and used by Honeywell). HiLiTE and the proposed partial toolchain use MATLAB Simulink/Stateflow as the primary design language. The work has been conducted within the Artemis project industrial Framework for Embedded Systems Tools (iFEST).

32 citations


Book ChapterDOI
27 Aug 2012
TL;DR: A novel technique for checking properties described by finite state machines based on a synergy of three well-known methods: instrumentation, program slicing, and symbolic execution that can be applied as a stand-alone bug finding technique, or to weed out some false positives from an output of another bug-finding tool.
Abstract: We introduce a novel technique for checking properties described by finite state machines. The technique is based on a synergy of three well-known methods: instrumentation, program slicing, and symbolic execution. More precisely, we instrument a given program with a code that tracks runs of state machines representing various properties. Next we slice the program to reduce its size without affecting runs of state machines. And then we symbolically execute the sliced program to find real violations of the checked properties, i.e. real bugs. Depending on the kind of symbolic execution, the technique can be applied as a stand-alone bug finding technique, or to weed out some false positives from an output of another bug-finding tool. We provide several examples demonstrating the practical applicability of our technique.

16 citations


Book ChapterDOI
27 Aug 2012
TL;DR: This paper reports on the experiences made in a running project where the goal is to apply probabilistic model checking techniques and to align the results of the model checker with measurements to predict quantitative properties of low-level OS code.
Abstract: Reliability of low-level operating-system (OS) code is an indispensable requirement. This includes functional properties from the safety-liveness spectrum, but also quantitative properties stating, e.g., that the average waiting time on locks is sufficiently small or that the energy requirement of a certain system call is below a given threshold with a high probability. This paper reports on our experiences made in a running project where the goal is to apply probabilistic model checking techniques and to align the results of the model checker with measurements to predict quantitative properties of low-level OS code.

14 citations


Book ChapterDOI
27 Aug 2012
TL;DR: A proof methodology is presented that extends standard simulation proofs of compiler correctness to ensure that the cost annotations on the source code are sound and precise with respect to an execution cost model of the object code.
Abstract: We present a so-called labelling method to enrich a compiler in order to turn it into a “cost annotating compiler”, that is, a compiler which can lift pieces of information on the execution cost of the object code as cost annotations on the source code. These cost annotations characterize the execution costs of code fragments of constant complexity. The first contribution of this paper is a proof methodology that extends standard simulation proofs of compiler correctness to ensure that the cost annotations on the source code are sound and precise with respect to an execution cost model of the object code.

14 citations


Book ChapterDOI
27 Aug 2012
TL;DR: A model-based risk assessment approach is presented to support the development of health, safety, and environment plans for safe offshore operations, resulting in a formalization of hazardous events that can be used to unambiguously describe the risks of a given offshore operation model.
Abstract: The commercial installation of offshore wind farms is still far from having established standards or procedures and puts high demands on employees who deal with uncertainty and risks. We present a model-based risk assessment approach to support the development of health, safety, and environment (HSE) plans for safe offshore operations. For this purpose, a process model is used to integrate all aspects of these complex and safety-critical operations which involve many different actors, resources, and environmental conditions. On the basis of this model, we are able to identify and precisely describe hazards, quantify their safety impact, and develop risk mitigation means. To this end, we developed methods and tools to support this process, resulting in a formalization of hazardous events that can be used to unambiguously describe the risks of a given offshore operation model. We will demonstrate the feasibility of our approach on a specific offshore scenario.

11 citations


Book ChapterDOI
27 Aug 2012
TL;DR: This paper presents a formal design of a tool for statically establishing the upper bound on the number of executions of objects’ methods in a fragment of object-oriented code and describes the formalization of each of stage of the algorithm.
Abstract: This paper presents a formal design of a tool for statically establishing the upper bound on the number of executions of objects’ methods in a fragment of object-oriented code. The algorithm that our tool employs is a multi-pass interprocedural analysis consisting of data flow and region-based analyses. We describe the formalization of each of stage of the algorithm. This rigorous specification greatly aids the implementation of the tool by removing ambiguities of textual descriptions. There are many applications for information obtained through this method including reasoning about concurrent code, scheduling, code optimization, compositing services, etc. We concentrate on using upper bounds to instrument transactional code that uses a synchronization mechanism based on versioning, and therefore benefits from a priori knowledge about the usage of shared objects within each transaction. To this end we implement a precompiler for Java that analyzes transactions, and injects generated source code to initialize each transaction.

9 citations


Book ChapterDOI
27 Aug 2012
TL;DR: A method for the automatic refinement of single-task timed automaton specifications into microcontroller assembly code is proposed, which copes with parallel inputs and outputs, but is restricted to timedAutomaton specifications with only one clock variable that is reset after each transition.
Abstract: A method for the automatic refinement of single-task timed automaton specifications into microcontroller assembly code is proposed. The outputs of the refinement are an assembly implementation and a timed automaton describing its exact behaviour. Implementation is only possible when all specified timing behaviours can be met by the target microcontroller. Crucially, the implementation does not make the simplifying synchrony assumption, yet correctness with respect to timing is guaranteed. Currently this method copes with parallel inputs and outputs, but is restricted to timed automaton specifications with only one clock variable that is reset after each transition. Further generalization is possible. A tool illustrates the method on a simple example.

9 citations


Book ChapterDOI
27 Aug 2012
TL;DR: In this paper, the authors present a model of the startup phase of the FlexRay protocol in the mCRL2 modeling language, and show how model checking techniques can be used to check that the startup protocol fulfills the requirements.
Abstract: The FlexRay protocol is an upcoming standard in automotive industry. Its specification is finalised and maintained by ISO. It is a time-triggered protocol that uses a fault-tolerant clock synchronisation mechanism. During a startup phase that should be resilient to certain faults, the clocks in the network are synchronised and the protocol is initialised. This paper presents a model of the startup phase of the protocol in the mCRL2 modelling language, and shows how model checking techniques can be used to check that the startup protocol fulfills the requirements. A previously unknown scenario is uncovered in which a single failing node can cause another node, or even the entire network, not to start up.

Book ChapterDOI
27 Aug 2012
TL;DR: A temporal logic formalism based on non-standard analysis is exploited to provide a natural formal semantics to the composition of modules described as Stateflow diagrams and is applied to the formal verification of an example of robotic cell.
Abstract: Industrial systems are made of interacting components, which evolve at very different speeds. This is often dealt with in notations used in the industrial practice, such as Stateflow, through the notion of “zero-time transitions”. These have several drawbacks, especially when building complex models from basic components, whose coordination is complicated by the fact that each element is modeled to be in different states at the same time. We exploit a temporal logic formalism based on non-standard analysis to provide a natural formal semantics to the composition of modules described as Stateflow diagrams. The semantics has been implemented in a fully automated formal verification tool, which we apply to the formal verification of an example of robotic cell.

Book ChapterDOI
27 Aug 2012
TL;DR: A simple but novel range analysis, formulated in terms of linear programming, which calculates ranges without manual intervention is contributed.
Abstract: COTS components are ubiquitous in military, industrial and governmental systems. However, the benefits of reduced development and maintainance costs are compromised by security concerns. Since source code is unavailable, security audits necessarily occur at the binary level. Push-button formal method techniques, such as model checking and abstract interpretation, can support this process by, among other things, inferring ranges of values for registers. Ranges aid the security engineer in checking for vulnerabilities that relate, for example, to integer wrapping, uninitialised variables and buffer overflows. Yet the lack of structure in binaries limits the effectiveness of classical range analyses based on widening. This paper thus contributes a simple but novel range analysis, formulated in terms of linear programming, which calculates ranges without manual intervention.

Book ChapterDOI
27 Aug 2012
TL;DR: It is shown how to systematically construct executable models of publish/subscribe systems based on the Java Messaging Service (JMS), written in the Abstract Behavioural Specification (ABS) language, that capture the essentials of the messaging behavior of the original Java systems, and eliminate details not related to distribution and messages.
Abstract: Distributed systems are hard to program, understand and analyze. Two key sources of complexity are the many possible behaviors of a system, arising from the parallel execution of its distributed nodes, and the handling of asynchronous messages exchanged between nodes. We show how to systematically construct executable models of publish/subscribe systems based on the Java Messaging Service (JMS). These models, written in the Abstract Behavioural Specification (ABS) language, capture the essentials of the messaging behavior of the original Java systems, and eliminate details not related to distribution and messages. We report on jms2abs, a tool that automatically extracts ABS models from the bytecode of JMS systems. Since the extracted models are formal and executable, they allow us to reason about the modeled JMS systems by means of tools built specifically for the modeling language. For example, we have succeeded to apply simulation, termination and resource analysis tools developed for ABS to, respectively, execute, prove termination and infer the resource consumption of the original JMS applications.

Book ChapterDOI
29 Nov 2012
TL;DR: This chapter contains sections titled: Overview Active Networks The Capsule Approach Previous Approaches on Analyzing Active Networks Model Checking Active Networks with SPIN Conclusions Conclusions.
Abstract: This chapter contains sections titled: Overview Active Networks The Capsule Approach Previous Approaches on Analyzing Active Networks Model Checking Active Networks with SPIN Conclusions References

Book ChapterDOI
27 Aug 2012
TL;DR: This paper presents a formal approach of designing software robust against communication latencies that typically occur in distributed embedded systems, and a linear problem approach is employed that transforms elements of data-flow into variables of linear expressions.
Abstract: This paper presents a formal approach of designing software robust against communication latencies that typically occur in distributed embedded systems. In this approach, the software’s data-flow is retimed and scheduled in order to achieve the maximum robustness against possible communication latencies. This robustness is derived individually for a given software and its distribution on a platform’s communication topology. Robustness is interpreted as the guaranteed amount of time, up to which the system does not change its externally observable behavior due to communication latencies. The software’s data-flow is given as a data-flow graph with nodes representing tasks and edges representing communication channels. A linear problem approach is employed that transforms elements of data-flow into variables of linear expressions. An implementation of the approach in the tool Cadmos together with the application on a case example from the automotive software engineering domain shows its practicability.