Academia.eduAcademia.edu

Outline

Title
Abstract
Introduction
An Industrial Case Study
Limitations
Related Work
Conclusion
References
All Topics
Computer Science
Embedded Systems

Model-checking behavioral programs

Profile image of Gera WeissGera Weiss

2011

https://doi.org/10.1145/2038642.2038686
visibility

description

10 pages

link

1 file

Abstract

System specifications are often structured as collections of scenarios and use-cases that describe desired and forbidden sequences of events. A recently proposed behavioral programming approach, which evolved from the visual language of live sequence charts (LSCs), calls for coding software modules in alignment with such scenarios. We present a methodology and a supporting model-checking tool for verifying behavioral Java programs, without having to first translate them into a specific input language for the model checker. Our method facilitates early discovery of conflicting or under-specified scenarios, which can often be resolved by adding new scenarios rather than by changing existing code. Also, counterexamples provided by the tool are themselves event sequences that can serve directly for refinements and corrections. Our tool reduces the size of the execution state-space using an abstraction that focuses on behaviorally interesting states and treats transitions between them as atomic.

Related papers

Live sequence charts: An introduction to lines, arrows, and strange boxes in the context of formal verification
Jochen Klose

Lecture notes in computer …, 2004

The language of Message Sequence Charts (MSC) is a well-established visual formalism which is typically used to capture scenarios in the early stages of system development. But when it comes to rigorous requirements capturing, in particular in the context of formal ...

View PDFchevron_right
Tool Support for Composition and Verification of Formal Behavior
Rachida Dssouli

2007 Innovations in Information Technologies (IIT), 2007

In this paper, we present a tool support for formal modeling, automated composition, and formal verification of partial system behaviors described as Use Case Automata (UCAs). Use case Composition, Modeling and Verification (UCOMV) supports visual modeling of formal behaviors and their merging through the notion of composition expression. These expressions determine the extension points in the UCAs where the composition is performed, as well as the semantics of the intended composition. UCOMV supports a new incremental approach of building the desired specification with a formal automated mechanism of composition. In addition, it allows the verification of UCAs over behavioral properties defined as temporal property specifications. We also provide an XML based schema for the presentation of UCA models in other tool extensions to the suit.

View PDFchevron_right
Introducing Binary Decision Diagrams in the Explicit-State Verification of Java Code
Alexander von Rhein

One of the big performance problems of software model checking is the state-explosion problem. Various tools exist to tackle this problem. One of such tools is Java Pathfinder (JPF) an explicit-state model checker for Java code that has been used to verify efficiently a number of real applications.

View PDFchevron_right
Symbolic Simulation of Behavioral Requirements
Shishir Choudhary

2003

Message Sequence Charts (MSC) have traditionally been used as a weak form of behavioral requirements in software design; they denote scenarios which may happen. Live Sequence Charts (LSC) extend Message Sequence Charts by also allowing the designer to specify scenarios which must happen. Live Sequence Chart specifications are executable; their simulation allows the designer to play out potentially aberrant scenarios prior to software construction. In this paper, we propose the use of Constraint Logic Programming (CLP) for symbolic execution of requirements described as Live Sequence Charts. The utility of CLP stems from its ability to execute in the presence of symbolic variables. This allows us to simulate multiple scenarios at one go. For example, several scenarios which only differ from each other in the value of a variable may be executed as a single scenario where the variable value is left uninstantiated. Similarly, we can simulate scenarios with an unbounded number of process...

View PDFchevron_right
From Live Sequence Charts to State Machines and Back: a Guided Tour
Pierre-Yves Schobbens

IEEE Transactions …, 2005

The problem of relating state-based intraagent (or intraobject) behavioral descriptions with scenario-based interagent (interobject) descriptions has recently focused much interest among the software engineering community. This paper compiles the results of our investigation of this problem. As interagent formalism, we adopt a simple variant of Live Sequence Charts. For the intraagent perspective, we consider a game-theoretic foundation, looking at agents as "strategies," which encompasses the popular "state-based" paradigm. Three classes of relationships between models are studied: scenario checking (called eLSC checking), synthesis, and verification. We set a formally defined theoretical stage that allows us to express these three problems very simply, to discuss their complexity, and to describe optimal solutions. Our study reveals the intrinsic high computational difficulty of these tasks. Consequently, many related problems and solutions are surveyed, some of which can be the basis for practical solutions. In this, we also offer a panorama of current research and directions for the future.

View PDFchevron_right
Exploiting Behavioral Hierarchy for Efficient Model Checking
Michael McDougall

2002

Inspired by the success of model checking in hardware and protocol verification, model checking techniques for software have been the focus of a lot of research in the last few years [5,3,2,6]. Model checking can be applied only to relatively small models due to its inherently high computational requirements, and there are two complementary trends to address scalability. The model extraction approach, exemplified by projects such as Bandera [6] and SLAM [3], involves constructing inputs to model checkers by abstracting programs written in languages such as C and Java. The model-based design approach, exemplified by modeling notations such as Statecharts [7], promotes design using high-level models that are compiled into code. Our research agenda is to develop model checking techniques for model-based design of software.

View PDFchevron_right
L2C2: Logic-based LSC Consistency Checking
Mahadevan Subramaniam

arXiv (Cornell University), 2010

Live sequence charts (LSCs) have been proposed as an interobject scenario-based specification and visual programming language for reactive systems. In this paper, we introduce a logic-based framework to check the consistency of an LSC specification. An LSC simulator has been implemented in logic programming, utilizing a memoized depth-first search strategy, to show how a reactive system in LSCs would response to a set of external event sequences. A formal notation is defined to specify external event sequences, extending the regular expression with a parallel operator and a testing control. The parallel operator allows interleaved parallel external events to be tested in LSCs simultaneously; while the testing control provides users to a new approach to specify and test certain temporal properties (e.g., CTL formula) in a form of LSC. Our framework further provides either a state transition graph or a failure trace to justify the consistency checking results.

View PDFchevron_right
State/Event-Based Software Model Checking
Natasha Sharygina

Lecture Notes in Computer Science, 2004

We present a framework for model checking concurrent software systems which incorporates both states and events. Contrary to other state/event approaches, our work also integrates two powerful verification techniques, counterexample-guided abstraction refinement and compositional reasoning. Our specification language is a state/event extension of linear temporal logic, and allows us to express many properties of software in a concise and intuitive manner. We show how standard automata-theoretic LTL model checking algorithms can be ported to our framework at no extra cost, enabling us to directly benefit from the large body of research on efficient LTL verification. We have implemented this work within our concurrent C model checker, MAGIC, and checked a number of properties of OpenSSL-0.9.6c (an open-source implementation of the SSL protocol) and Micro-C OS version 2 (a real-time operating system for embedded applications). Our experiments show that this new approach not only eases the writing of specifications, but also yields important gains both in space and in time during verification. In certain cases, we even encountered specifications that could not be verified using traditional pure event-based or state-based approaches, but became tractable within our state/event framework. We report a bug in the source code of Micro-C OS version 2, which was found during our experiments.

View PDFchevron_right
Model Checking Conformance with Scenario-Based Specifications
Shmuel Katz

Lecture Notes in Computer Science, 2003

Specifications that describe typical scenarios of operations have become common for software applications, using, for example, use-cases of UML. For a system to conform with such a specification, every execution sequence must be equivalent to one in which the specified scenarios occur sequentially, where we consider computations to be equivalent if they only differ in that independent operations may occur in a different order. A general framework is presented to check the conformance of systems with such specifications using model checking. Given a model and additional information including a description of the scenarios and of the operations' independence, an augmented model using a transducer and temporal logic assertions for it are automatically defined and model checked. In the augmentation, a small window with part of the history of operations is added to the state variables. New transitions are defined that exchange the order of independent operations, and that identify and remove completed scenarios. If the model checker proves all the generated assertions, every computation is equivalent to some sequence of the specified scenarios. A new technique is presented that allows proving equivalence with a small fixed-size window in the presence of unbounded out-of-order of operations from unrelated scenarios. This key technique is based on the prediction of events, and the use of anti-events to guarantee that predicted events will actually occur. A prototype implementation based on Cadence SMV is described.

View PDFchevron_right
Checking JML specifications using an extensible software model checking framework
Edwin Rodriguez

International Journal on Software Tools for Technology Transfer, 2006

The use of assertions to express correctness properties of programs is growing in practice. Assertions provide a form of lightweight checkable specification that can be very effective in finding defects in programs and in guiding developers to the cause of a problem. A wide variety of assertion languages and associated validation techniques have been developed, but run-time monitoring is commonly thought to be the only practical solution. In this paper, we describe how specifications written in the Java Modeling Language (JML), a general purpose behavioral specification and assertional language for Java, can be validated using a customized model checker built on top of the Bogor model checking framework. Our experience illustrates the need for customized state-space representations and reduction strategies in model checking frameworks in order to effectively check the kind of strong behavioral specifications that can be written in JML. We discuss the advantages and tradeoffs of model checking relative to other specification validation techniques and present data that suggest that the cost of model checking strong specifications is practical for several real programs.

View PDFchevron_right

References (33)

  1. REFERENCES
  2. Apache Commons. The Javaflow component. commons.apache.org/sandbox/javaflow/.
  3. C. Baier and J.-P. Katoen. Principles of Model Checking. The MIT Press, 2008.
  4. T. Ball and S. Rajamani. Automatically validating temporal safety properties of interfaces. Model Checking Software, pages 102-122, 2001.
  5. J. Burch, E. Clarke, K. McMillan, D. Dill, and L. Hwang. Symbolic model checking: 10 20 states and beyond. Information and Computation, 98(2):142-170, 1992.
  6. E. Clarke, O. Grumberg, S. Jha, Y. Lu, and H. Veith. Counterexample-guided abstraction refinement. In Proc. 12th Int. Conf. on Computer Aided Verification (CAV), LNCS 1855, pages 154-169, 2000.
  7. P. Combes, D. Harel, and H. Kugler. Modeling and verification of a telecommunication application using live sequence charts and the play-engine tool. Software and System Modeling, 7(2):157-175, 2008.
  8. W. Damm and D. Harel. LSCs: Breathing life into message sequence charts. J. on Formal Methods in System Design, 19(1):45-80, 2001.
  9. W. Damm and B. Westphal. Live and let die: LSC based verification of UML models. Sci. Comput. Program., 55(1-3):117 -159, 2005.
  10. E. W. Dijkstra. Hierarchical ordering of sequential processes. Acta Inf., 1:115-138, 1971.
  11. N. Eitan, M. Gordon, D. Harel, A. Marron, and G. Weiss. On visualization and comprehension of scenario-based programs. In Proc. 19th IEEE Int. Conf. on Program Comprehension (ICPC), pages 189-192, 2011.
  12. J. P. Ernits. Memory arbiter synthesis and verification for a radar memory interface card. Nord. J. Comput., 12(2):68-88, 2005.
  13. M. Glusman and S. Katz. Model checking conformance with scenario-based specifications. In Proc. 15th Int. Conf. on Computer Aided Verification (CAV), LNCS 2725, pages 328-340, 2003.
  14. O. Grumberg and D. E. Long. Model checking and modular verification. ACM Trans. Program. Lang. Syst., 16:843-871, 1994.
  15. D. Harel, H. Kugler, R. Marelly, and A. Pnueli. Smart play-out of behavioral requirements. In Proc. 4th Int. Conf. on Formal Methods in Computer-Aided Design (FMCAD), LNCS 2517, pages 378-398, 2002.
  16. D. Harel, H. Kugler, and G. Weiss. Some methodological observations resulting from experience using LSCs and the play-in/play-out approach. In Scenarios: Models, Transformations and Tools, pages 26-42, 2003.
  17. D. Harel and R. Marelly. Come, Let's Play: Scenario-Based Programming Using LSCs and the Play-Engine. Springer, 2003.
  18. D. Harel, A. Marron, and G. Weiss. The BPJ package. www.cs.bgu.ac.il/~geraw.
  19. D. Harel, A. Marron, and G. Weiss. Programming coordinated scenarios in Java. In Proc. 24th European Conf. on Object-Oriented Programming (ECOOP), LNCS 6183, pages 250-274, 2010.
  20. D. Harel and I. Segall. Planned and traversable play-out: A flexible method for executing scenario-based programs. In Proc. 13th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), LNCS 4424, pages 485-499, 2007.
  21. T. Henzinger, R. Jhala, and R. Majumdar. Counterexample-guided control. Automata, Languages and Programming, pages 188-188, 2003.
  22. G. Holzmann. The Spin Model Checker: Primer and Reference Manual. Addison-Wesley, 2003. spinroot.com/spin/whatispin.html.
  23. B. Jobstmann, A. Griesmayer, and R. Bloem. Program repair as a game. In Proc. 17th Int. Conf. on Computer Aided Verification (CAV), LNCS 3576, pages 226-238, 2005.
  24. N. Kam, D. Harel, H. Kugler, R. Marelly, A. Pnueli, E. J. A. Hubbard, and M. J. Stern. Formal modeling of C. elegans development: A scenario-based approach. In Proc. 1st Int. Workshop on Computational Methods in Systems Biology (CMSB), LNCS 2602, pages 4-20, 2003.
  25. E. Katz. Verifying Scenario-Based Aspect Specifications. PhD thesis, Technion -Israel Institute of Technology, Computer Science Department, 2006.
  26. E. Katz and S. Katz. Verifying scenario-based aspect specifications. In Proc. Int. Symp. of Formal Methods Europe (FM), LNCS 3582, pages 432-447, 2005.
  27. H. Kugler, D. Harel, A. Pnueli, Y. Lu, and Y. Bontemps. Temporal logic for scenario-based specifications. In Proc. 11th Int. Conf. on Tools and Algorithms for the Construction and Analysis of Systems (TACAS), LNCS 3440, pages 445-460, 2005.
  28. H. Kugler, C. Plock, and A. Roberts. Synthesizing biological theories. In Proc. 23rd Int. Conf. on Computer Aided Verification (CAV), LNCS 6806, pages 579-584, 2011.
  29. D. J. Lehmann, A. Pnueli, and J. Stavi. Impartiality, justice and fairness: The ethics of concurrent termination. In Proc. 8th Int. Colloq. on Automata, Languages, and Programming (ICALP), LNCS 115, pages 264-277, 1981.
  30. A. Pnueli, Y. Sa'ar, and L. D. Zuck. Jtlv: A framework for developing verification algorithms. In Proc. 22nd Int. Conf. on Computer Aided Verification (CAV), LNCS 6174, pages 171-174, 2010. jtlv.ysaar.net/.
  31. J. Queille and J. Sifakis. Fairness and related properties in transition systems -a temporal logic to deal with fairness. Acta Inf., 19:195-220, 1983.
  32. W. Visser, K. Havelund, G. Brat, S. Park, and F. Lerda. Model checking programs. Automated Software Engineering, 10:203-232, 2003.
  33. G. Weiss. Optimal scheduler for a memory card. Technical report, IST-2001-35304 AMETIST Project, Weizmann Institute of Science, 2002.

Related papers

Runtime Verification of Java Programs for Scenario-Based Specifications
zhao jianhua

Lecture Notes in Computer Science, 2006

In this paper, we use UML sequence diagrams as scenariobased specifications, and give the solution to runtime verification of Java programs for the safety consistency and the mandatory consistency. The safety consistency requires that any forbidden scenario described by a given sequence diagram never happens during the execution of a program, and the mandatory consistency requires that if a reference scenario described by the given sequence diagrams occurs during the execution of a program, it must immediately adhere to a scenario described by the other given sequence diagram. In the solution, we first instrument the program under verification so as to gather the program execution traces related to a given scenario-based specification; then we drive the instrumented program by random test cases so as to generate the program execution traces; last we check if the collected program execution traces satisfy the given specification. Our work leads to a testing tool which may proceed in a fully automatic and pushbutton fashion.

View PDFchevron_right
Syntax-directed model checking of sequential programs
Karen Yorav

The Journal of Logic and Algebraic Programming, 2002

This work presents a syntax-directed, modular approach to temporal logic model checking of sequential programs. In contrast to hardware designs, the models of software systems might be too large to fit into memory even when they consist of a single sequential unit. Furthermore, even when the model can be held in memory, model checking might exceed the memory capacity of the computer. To avoid the high space requirements for software we therefore suggest to partition the text of a sequential program into sequentially composed sub-programs. Based on this partition, we present a model-checking algorithm for sequential programs that arrives at its conclusion by examining each sub-program in separation. The novelty of our approach is that it uses a decomposition of the program in which the interconnection between parts is sequential and not parallel. We handle each part separately, while keeping all other parts on an external memory (files). Consequently, our approach reduces space requirements and enables verification of larger systems. We implemented the ideas described in this paper in a prototype tool called SoftVer and applied it to a few small examples. We have achieved reduction in both space and time requirements. We consider this work as a step towards making temporal logic model checking useful for verification of sequential programs.

View PDFchevron_right
An Approach to High-Level Behavioral Program Documentation Allowing Lightweight Verification
I. Michiels

14th IEEE International Conference on Program Comprehension (ICPC'06), 2006

Typically, multiple developers are involved in the various stages of the software development and maintenance process. To ensure an optimal transfer of knowledge between these different peers, a reliable human-readable model of the dynamics of a software artefact is needed. Once these models become machine-verifiable, they can be used throughout an application's lifetime to check whether the documented behavioral properties continue to hold as the application evolves. Unfortunately, most existing modeling media are inadequate to express human-readable behavioral models which are at the same time machine-verifiable. We therefore propose a declarative platform wherein behavioral program models can be expressed in terms of userdefined high-level concepts and be automatically verified against an application's actual behavior. We demonstrate our approach by using it to both document and verify an interpreter for a garbage-collected programming language.

View PDFchevron_right
Automated Behavior Computation for Software Analysis and Validation
Stacy Prowell

2012 45th Hawaii International Conference on System Sciences, 2012

Software systems can exhibit massive numbers of execution paths, and even comprehensive testing can exercise only a small fraction of these. It is no surprise that systems experience errors and vulnerabilities in use when many executions are untested. Computations over the functional semantics of programs may offer a potential solution. Structured programs are expressed in a finite hierarchy of control structures, each of which corresponds to a mathematical function or relation. A correctness theorem defines transformation of these structures from procedural logic into nonprocedural, as-built specifications of behavior. These computed specifications enumerate behavior for all circumstances of use and cover the behavior space. Automation of these computations affords a new means for validating software functionality and security properties. This paper describes theory and implementation for loop behavior computation in particular, and illustrates use of an automated behavior computation system to validate a miniature looping program with and without embedded malware.

View PDFchevron_right
Event-based runtime verification of java programs
Klaus Havelund

ACM SIGSOFT Software Engineering Notes, 2005

We introduce the temporal logic HAWK and its supporting tool for runtime verification of Java programs. A monitor for a HAWK formula checks if a finite trace of program events satisfies the formula. HAWK is a programming-oriented extension of the rule-based EAGLE logic that has been shown capable of defining and implementing a range of finite trace monitoring logics, including future and past time temporal logic, metric (real-time) temporal logics, interval logics, forms of quantified temporal logics, extended regular expressions, state machines, and others. Monitoring is achieved on a state-by-state basis avoiding any need to store the input trace. HAWK extends EAGLE with constructs for capturing parameterized program events such as method calls and method returns. Parameters can be executing thread, the objects that methods are called upon, arguments to methods, and return values. HAWK allows one to refer to these in formulae. The tool synthesizes monitors from formulae and automates program instrumentation.

View PDFchevron_right

Related topics

  • Computer Science
  • Embedded Software
  • Visual Language
  • Live Sequence Chart

    • Cited by

    Context-Oriented Behavioral Programming
    Achiya Elyasaf

    ArXiv, 2021

    Context: Modern systems require programmers to develop code that dynamically adapts to different contexts, leading to the evolution of new context-oriented programming languages. These languages introduce new software-engineering challenges, such as: how to maintain the separation of concerns of the codebase? how to model the changing behaviors? how to verify the system behavior? and more. Objective: This paper introduces Context-Oriented Behavioral Programming (COBP) — a novel paradigm for developing context-aware systems, centered on natural and incremental specification of context-dependent behaviors. As the name suggests, we combine behavioral-programming (BP) — a scenario-based modeling paradigm — with context idioms that explicitly specify when scenarios are relevant and what information they need. The core idea is to connect the behavioral model with a data model that represents the context, allowing an intuitive connection between the models via update and select queries. Co...

    View PDFchevron_right
    Synchronous Products of Rewrite Systems
    Óscar Martín

    Lecture Notes in Computer Science, 2016

    We present and formalize a concept of synchronous product for rewrite systems, and also a corresponding concept for general transition systems, used as semantics for the former. A series of examples shows their practical usefulness: for the strategic control of systems, and for modular specification and verification.

    View PDFchevron_right
    580 California St., Suite 400
    San Francisco, CA, 94104
    © 2025 Academia. All rights reserved