Showing papers on "Promela published in 2000"

Model Checking JAVA Programs Using Java Pathfinder

Abstract: This paper describes a translator called Java PathFinder (Jpf), which translates from Java to Promela, the modeling language of the Spin model checker. Jpf translates a given Java program into a Promela model, which then can be model checked using Spin. The Java program may contain assertions, which are translated into similar assertions in the Promela model. The Spin model checker will then look for deadlocks and violations of any stated assertions. Jpf generates a Promela model with the same state space characteristics as the Java program. Hence, the Java program must have a finite and tractable state space. This work should be seen in a broader attempt to make formal methods applicable within NASA’s areas such as space, aviation, and robotics. The work is a continuation of an effort to formally analyze, using Spin, a multi-threaded operating system for the Deep-Space 1 space craft, and of previous work in applying existing model checkers and theorem provers to real applications.

SPIN Model Checking and Software Verification

Abstract: ion of Communication Channels in Promela: A Case Study . . . . . . 187 Elena Fersman and Bengt Jonsson (Uppsala University)

On-the-Fly Conformance Testing using Spin

Abstract: In this paper we report on the construction of a tool for conformance testing based on Spin. The Spin tool has been adapted such that it can derive the building blocks for constructing test cases, called test primitives, from systems described in Promela. The test primitives support the on-the-fly conformance testing process. Traditional derivation of tests from formal specifications suffers from the state-space explosion problem. Spin is one of the most advanced model checkers with respect to handling large state spaces. This advantage of Spin has been used for the derivation of test primitives from a Promela description. To reduce the state space, we introduce the on-the-fly testing framework. One of the components within this framework is the Primer. The Primer is responsible for deriving test primitives from a model of a system according to a well-defined and complete testing theory. Algorithms are presented which enable us to derive test primitives from a Promela description. These algorithms have been implemented in the adapted version of the Spin tool which acts as the Primer in the framework. Promising experiments have been carried out on an example case study. As a result of this study it is concluded that it is possible to derive test primitives automatically from Promela descriptions, construct test cases from these test primitives, and execute the test cases on-the-fly.

Formal Analysis of the Remote Agent Before and After Flight

Abstract: This paper describes two separate efforts that used the SPIN model checker to verify deep space autonomy flight software. The first effort occurred at the beginning of a spiral development process and found five concurrency errors early in the design cycle that the developers acknowledge would not have been found through testing. This effort required a substantial manual modeling effort involving both abstraction and translation from the prototype LISP code to the PROMELA language used by SPIN. This experience and others led to research to address the gap between formal method tools and the development cycle used by software developers. The Java PathFinder tool which directly translates from Java to PROMELA was developed as part of this research, as well as automatic abstraction tools. In 1999 the flight software flew on a space mission, and a deadlock occurred in a sibling subsystem to the one which was the focus of the first verification effort. A second quick-response "cleanroom" verification effort found the concurrency error in a short amount of time. The error was isomorphic to one of the concurrency errors found during the first verification effort. The paper demonstrates that formal methods tools can find concurrency errors that indeed lead to loss of spacecraft functions, even for the complex software required for autonomy. Second, it describes progress in automatic translation and abstraction that eventually will enable formal methods tools to be inserted directly into the aerospace software development cycle.

Verification of time partitioning in the DEOS scheduler kernel

Abstract: This paper describes an experiment to use the Spin model checking system to support automated verification of time partitioning in the Honeywell DEOS real-time scheduling kernel. The goal of the experiment was to investigate whether model checking could be used to find a subtle implementation error that was originally discovered and fixed during the standard formal review process. To conduct the experiment, a core slice of the DEOS scheduling kernel was first translated without abstraction from C++ into Promela (the input language for Spin). We constructed an abstract “test-driver” environment and carefully introduced several abstractions into the system to support verification. Several experiments were run to attempt to verify that the system implementation adhered to the critical time partitioning requirements. During these experiments, the known error was rediscovered in the time partitioning implementation. We believe this case study provides several insights into how to develop cost-effective methods and tools to support the software design and implementation review process.

Formalization and validation of the General Inter-ORB Protocol (GIOP) using PROMELA and SPIN

Abstract: The General Inter-Orb Protocol (GIOP) is a key component of the Common Object Request Broker Architecture (CORBA) specification. We present the formal modeling and validation of the GIOP protocol using the Promela language, Linear Time Temporal Logic (LTL) and the Spin model checker. We validate the Promela model using ten high-level requirements which we elicit from the informal CORBA specification. These requirements are then formalized in LTL and the Spin model checker is used to determine their validity. During the validation process we discovered a few problems in GIOP: a potential transport-layer interface deadlock and problems with the server migration protocol. We also describe how property specification patterns helped us in formalizing the high-level requirements that we have elicited.

Issues in slicing PROMELA and its applications to model checking, protocol understanding, and simulation

Abstract: A program slice consists of the parts of a program that may affect or are affected by the value being computed at the point of interest. Recent work in slicing concurrent programs examines how synchronization, communication, and non-determinism (along with traditional control and data dependence) affect values at certain program points. We are extending this work to slice the Promela programming language, used to specify protocols for the Spin model checker. An application of slicing may be its usefulness in paring down protocol descriptions to just the pieces that affect particular points of interest. Model checking and simulation of the pared-down protocol may, in some cases, be much more efficient. We present program slicing as a tool that, along with model checking and simulation techniques, can facilitate understanding and debugging of protocols.

Model Checking SDL with Spin

Abstract: We present an attempt to use the model checker Spin as a verification engine for SDL, with special emphasis put on the verification of timing properties of SDL models. We have extended Spin with a front-end that allows to translate SDL to Promela (the input language of Spin), and a back-end that allows to analyse timing properties. Compared with the previous attempts, our approach allows to verify not only qualitative but also quantitative aspects of SDL timers, and our translation of SDL to Promela handles the SDL timers in a correct way. We applied the toolset to the verification of a substantial part of a complex industrial protocol. This allowed to expose several non-trivial errors in the protocol's design.

Automatic Verification of Multiagent Conversations

Abstract: As network bandwidth increases, distributed applications are becoming increasingly prevalent. Systems using these applications are very complicated to build and must be dependable. Software agents are ideal for breaking complicated problems into manageable subtasks. Agent conversations, a series of messages passed between agents, are the cornerstone of multiagent systems and must be deemed correct before being placed into service. This paper introduces a method to automatically verify that conversations are valid before employing them. Agent conversations are created graphically using state transition diagrams in the agentTool multiagent development environment. This graphical representation is then transformed into a formal modeling language called Promela that is analyzed by the Spin verification tool to detect errors such as deadlock, non-progress loops, syntax errors, unused messages, and unused states. Feedback is provided to the user automatically via text messages and graphical highlighting of error conditions.

Verification and Optimization of a PLC Control Schedule

Abstract: We report on the use of the SPIN model checker for both the verification of a process control program and the derivation of optimal control schedules. This work was carried out as part of a case study for the EC VHS project (Verification of Hybrid Systems), in which the program for a Programmable Logic Controller (PLC) of an experimental chemical plant had to be designed and verified. The intention of our approach was to see how much could be achieved here using the standard model checking environment of SPIN/Promela. As the symbolic calculations of real-time model checkers can be quite expensive it is interesting to try and exploit the efficiency of established non-real-time model checkers like SPIN in those cases where promising work-arounds seem to exist. In our case we handled the relevant real-time properties of the PLC controller using a time-abstraction technique; for the scheduling we implemented in Promela a so-called variable time advance procedure. For this case study these techniques proved sufficient to verify the design of the controller and derive (time-)optimal schedules with reasonable time and space requirements.

An automatic SPIN validation of a safety critical railway control system

Abstract: This paper describes an experiment informal specification and validation performed in the context of an industrial joint project. The project involved an Italian company working in the field of railway engineering, Ansaldobreda Segnalamento Ferroviario, and the CNR Institutes IEI and CNUCE of Pisa, Within the project two formal models have been developed describing different aspects of a safety-critical system used in the management of medium-large railway networks. Validation of safety and liveness properties has been performed on both models. Safety properties have been checked primarily in presence of Byzantine faults as well as of silent faults embedded in the models themselves. Liveness properties have been more focused on a communication protocol used within the system. Properties have been specified by means of assertions or temporal logical formulae. We used PROMELA as specification language, while the verification was performed using the verification tool suite SPIN.

VIP: A Visual Editor and Compiler for v-Promela

Abstract: We describe the Visual Interface to PROMELA (VIP) tool that we have recently implemented. VIP supports the visual editing and maintenance of v-Promela models. v-Promela is a visual, object-oriented extension to PROMELA, the input language to the SPIN model checker. We introduce the v-Promela notation as supported by the VIP editor, discuss PROMELA code generation, and describe the process of property validation for the resulting models. Our discussion centers around two case studies, a call processing system and the CORBA GIOP protocol.

Formal Test Automation: The Conference Protocol with PHACT

Abstract: We discuss a case study of automatic test generation and test execution based on formal methods The case is the Conference Protocol, a simple, chatbox-like protocol, for which (formal) specifications and multiple implementations are publicly available and which is also used in other case study experiments The tool used for test generation and test execution is Phact, the PHilips Automated Conformance Tester The formal method is (Extented) Finite State Machines which is the input language for Phact The experiment consists of developing a Finite State Machine specification for the Conference Protocol, generating 82 tests in TTCN with Phact, and executing these tests against 28 different implementations of the Conference Protocol, both correct and erroneous ones The result is that some erroneous implementations are not detected by the test cases These results are analysed, the merits of Extented Finite State Machines for specification are discussed, and the achievements of Phact are assessed Moreover, the results are compared with a previous experiment in which the same 28 implementations were tested based on specifications in LOTOS and Promela

Abstraction of Communication Channels in Promela: A Case Study

Abstract: We present a case study of how abstractions can be applied to a protocol model, written in Promela, in order to make in amenable for exhaustive state-space exploration, e.g., by SPIN. The protocol is a simple version of the Five Packet Handshake Protocol, which is used in TCP for transmission of single messages. We present techniques for abstracting from actual values of messages, sequence numbers, and identifiers in the protocol. Instead, an abstract model of the protocol is constructed of variables which record whether variables and parameters of messages are equal or unequal. The abstraction works because the protocol handles identifiers and parameters of messages in a simple way. The abstracted model contains only on the order of a thousand states, and safety properties have been analyzed by SPIN.

Verification of Agent Behavioral Models

Abstract: Intelligent software agents are becoming very popular. They are ideal for solving distributed problems that are too difficult for a non-distributed system to solve. Distributed agents can be used to retrieve, filter, and summarize information as well as provide intelligent user interfaces. However, multiagent systems are very complicated to build and must be dependable. Agent conversation protocols, a series of messages passed between agents, are the cornerstone of multiagent systems. Agents also have tasks associated with them that specify how an agent behaves. This paper introduces a formal methodology that automatically verifies the interaction between agents. Agent behavioral specifications are created graphically in the agentTool multiagent development environment. This graphical representation is then transformed into a formal modeling language called Promela that is analyzed by Spin to ensure the interaction between agents is correct. This type of verification provides the user with another tool to ensure the system will perform as expected.

A Formal Specification and Validation of a Critical System in Presence of Byzantine Errors

Abstract: This paper describes an experience in formal specification and fault tolerant behavior validation of a railway critical system. The work, performed in the context of a real industrial project, had the following main targets: (a) to validate specific safety properties in the presence of byzantine system components or of some hardware temporary faults; (b) to design a formal model of a critical railway system at a right level of abstraction so that could be possible to verify certain safety properties and at the same time to use the model to simulate the system. For the model specification we used the PROMELA language, while the verification was performed using the SPIN model checker. Safety properties were specified by means of both assertions and temporal logic formulae. To make the problem of validation tractable in the SPIN environment, we used ad hoca bstraction techniques.

SPIN Model Checking and Software Verification: 7th International SPIN Workshop Stanford, CA, USA, August 30 - September 1, 2000 Proceedings

Abstract: Papers.- Symmetric Spin.- Using Garbage Collection in Model Checking.- Model Checking Based on Simultaneous Reachability Analysis.- Testing Spin's LTL Formula Conversion into Buchi Automata with Randomly Generated Input.- Verification and Optimization of a PLC Control Schedule.- Modeling the ASCB-D Synchronization Algorithm with SPIN: A Case Study.- Bebop: A Symbolic Model Checker for Boolean Programs.- Logic Verification of ANSI-C Code with SPIN.- Interaction Abstraction for Compositional Finite State Systems.- Correctness by Construction: Towards Verification in Hierarchical System Development.- Linking ST e P with SPIN.- Abstraction of Communication Channels in Promela: A Case Study.- A Language Framework for Expressing Checkable Properties of Dynamic Software.- Model-Checking Multi-threaded Distributed Java Programs.- Using Runtime Analysis to Guide Model Checking of Java Programs.- Communication Topology Analysis for Concurrent Programs.- Low-Fat Recipes for SPIN.- Tool Tutorials.- Tutorial on FDR and Its Applications.- The Temporal Rover and the ATG Rover.- Runtime Checking of Multithreaded Applications with Visual Threads.

A Formal Specification and Validation of a Safety Critical Railway Control System

Abstract: This paper describes an important experiment in formal specification and validation, both performed in the context of an industrial project jointly performed by Ansaldobreda Segnalamento Ferroviario and CNR Institutes IEI and CNUCE of Pisa. Within this project we developed two formal models of a control system which is part of a wider safety-critical system for the management of medium-large railway networks. Each model describes different aspects of the system at a different level of abstraction. On these models we performed verification of both safety properties - in the hypothesis of Byzantine errors or in presence of some defined hardware faults -- and liveness properties of a dependable communication protocols. The properties has been specified by means of assertions and temporal logical formulae. As a specification language we used Promela language while the verification was performed using the model checker Spin.

Linking STeP with SPIN

Abstract: We have connected ST e P, the Stanford Temporal Prover, with SPIN, an LTL model checker In this paper we describe the translation of fair transition systems into Promela, in particular how weak and strong fairness constraints are handled The paper presents some preliminary experimental results using this connection

A Flexible Statechart-to-Model-Checker Translator

Abstract: Many current-day software design tools offer some variant of statechart notation for system specification. We, like others, have built an automatic translator from (a subset of) statecharts to a model checker, for use to validate behavioral requirements. Our translator is designed to be flexible. This allows us to quickly adjust the translator to variants of statechart semantics, including problem-specific notational conventions that designers employ. Our system demonstration will be of interest to the following two communities: (1) Potential end-users: Our demonstration will show translation from statecharts created in a commercial UML tool (Rational Rose) to Promela, the input language of Holzmann's model checker SPIN. The translation is accomplished automatically. To accommodate the major variants of statechart semantics, our tool offers user-selectable choices among semantic alternatives. Options for customized semantic variants are also made available. The net result is an easy-to-use tool that operates on a wide range of statechart diagrams to automate the pathway to model-checking input. (2) Other researchers: Our translator embodies, in one tool, ideas and approaches drawn from several sources. Solutions to the major challenges of statechart-to-model-checker translation (e.g., determining which transition(s) will fire, handling of concurrent activities) are retired in a uniform, fully mechanized, setting. The way in which the underlying architecture of the translator itself facilitates flexible and customizable translation will also be evident.