Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as mu C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS mu C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore (approximate to 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Huan Sun,Ziyu Mao,Jingyi Wang,Ziyan Zhao,Wenhai Wang

DOI: https://doi.org/10.1007/978-3-031-43681-9_13

2023-01-01

Abstract:Real-time operating systems (RTOSs) such as C/OS-II are critical components of many industrial systems, which makes it of vital importance to verify their correctness. However, earlier specifications for verification of RTOSs often do not explicitly specify the behavior of possible unbounded kernel service invocations. To address the problem, a new event-based modelling approach is recently proposed to treat the operating system as a concurrent reactive system (CRS). Besides, a respective parametric rely-guarantee style reasoning framework called PiCore is developed to verify such systems effectively. Witnessing the advancement, we conduct a case study to investigate the use of PiCore to compositionally verify two important entangled modules of a practical RTOS C/OS-II, i.e., the memory management module and the mailbox module. Several desirable safety properties regarding the memory pools and mailboxes are formally defined and proved with PiCore ( 2500 lines of specifications and proof scripts in Isabelle/HOL) based on a formal execution model considering the two modules simultaneously. We also discuss the shortcomings of PiCore for our case study and present possible improvement directions.

Quan Long,Zongyan Qiu,Zhiming Liu,Lingshuang Shao,He Jifeng

DOI: https://doi.org/10.1007/11560647_32

2005-01-01

Abstract:We have recently developed an object-oriented refinement calculus called rCOS to formalize the basic object-orient design principles, patterns and refactoring as refinement laws. The aim is of rCOS is to provide a formal support to the use-cased driven, incremental and iterative Rational Unified Process (RUP). In this paper, we apply rCOS to a step-wised development of a Point of Sale Terminal (POST) system, from a requirement model to a design model, and finally, to the implementation in Visual C#.

Haibin Shen,Jimin Wang,Lingdi Ping,Kang Sun

DOI: https://doi.org/10.1007/11689522_32

2006-01-01

Abstract:Flexible features of C can be misused and result in potential vulnerabilities which are hard to detect by performing only static checking. Existing tools either give up run-time type checking or employ a type system whose granularity is too coarse (it does not differentiate between pointer types) so that many errors may go undetected. This paper presents a dynamic checking approach to conquer them. A type system that is based on the physical layout of data types and has the proper granularity has been employed. Rules for propagating dynamic types and checking for compatibility of types during execution of the target program are also set up. Then a model of dynamic type checking on this type system to capture run-time type errors is built. Experimental results show that it can catch most errors, including those may become system vulnerabilities and the overhead is moderate.

Amel Benabbou,Safia Nait Bahloul,Youssef Amghar

DOI: https://doi.org/10.48550/arXiv.1007.3275

2010-07-19

Databases

Abstract:Date and Darwen have proposed a theory of types, the latter forms the basis of a detailed presentation of a panoply of simple and complex types. However, this proposal has not been structured in a formal system. Specifically, Date and Darwen haven't indicated the formalism of the type system that corresponds to the type theory established. In this paper, we propose a pseudo-algorithmic and grammatical description of a system of types for Date and Darwen's model. Our type system is supposed take into account null values; for such intention, we introduce a particular type noted #, which expresses one or more occurrences of incomplete information in a database. Our algebraic grammar describes in detail the complete specification of an inheritance model and the subryping relation induced, thus the different definitions of related concepts.

Zhiming Liu,Jifeng He,Xiaoshan Li,Yifeng Chen

DOI: https://doi.org/10.1007/978-3-540-39893-6_36

2003-01-01

Abstract:This paper is towards the development of a methodology for object-oriented software development. The intention is to support effective use of a formal model for specifying and reasoning during the requirements analysis and design of a software development process. The overall purpose is to enhance the application of the Unified Modelling Language (UML) with a formal semantics in the Rational Unified Software Development Process (RUP). The semantic framework defines the meaning of some UML submodels. It identifies both the static and dynamic relationships among these submodels. Thus, the focus of this paper is the development of a semantic model to consistently combine a use-case model and a conceptual class diagram to form a system specification.

Zhe Chen,Gilles Motet

DOI: https://doi.org/10.1109/depend.2009.18

2009-06-01

Abstract:Safety is an important element of dependability. It is defined as the absence of accidents. Most accidents involving software-intensive systems have been system accidents, which are caused by unsafe inter-system or inter-component interactions. To validate the absence of system hazards concerning dysfunctional interactions, industrials call for approaches of modeling system safety requirements and interaction constraints among components. This paper proposes such a formalism, namely interface control systems (or shortly C-Systems). An interface C-System is composed of an interface automaton and a controlling automaton, which formalizes safe interactions and restricts system behavior at the meta level. This framework differs from the framework of traditional model checking. It explicitly separates the tasks of product engineers and safety engineers, and provides a top-down technique for modeling a system with safety constraints, and for automatically composing a safe system that conforms to safety requirements. The contributions of this work include formalizing safety requirements and a way of automatically ensuring system safety.

Xi Lin,Hehua Zhang,Ming Gu

DOI: https://doi.org/10.1155/2013/934349

2013-01-01

Journal of Applied Mathematics

Abstract:Component-based models are widely used for embedded systems. The models consist of components with input and output ports linked to each other. However, mismatched links or assumptions among components may cause many failures, especially for large scale models. Binding semantic knowledge into models can enable domain-specific checking and help expose modeling errors in the early stage. Ontology is known as the formalization of semantic knowledge. In this paper we propose an ontology-driven tool for static correctness checking of domain-specific errors. two kinds of important static checking, semantic type and domain-restrcted rules, are fulfilled in a unified framework. We first propose a formal way to precisely describe the checking requirements by ontology and then separately check them by a lattice-based constraint solver and a description logic reasoner. Compared with other static checking methods, the ontology-based method we proposed is model-externally configurable and thus flexible and adaptable to the changes of requirements. The case study demonstrates the effectiveness of our method.

Mariangiola Dezani-Ciancaglini,Paola Giannini,Angelo Troina

DOI: https://doi.org/10.4204/EPTCS.9.5

2009-11-12

Abstract:The calculus of looping sequences is a formalism for describing the evolution of biological systems by means of term rewriting rules. We enrich this calculus with a type discipline to guarantee the soundness of reduction rules with respect to some biological properties deriving from the requirement of certain elements, and the repellency of others. As an example, we model a toy system where the repellency of a certain element is captured by our type system and forbids another element to exit a compartment.

Logic in Computer Science,Computational Engineering, Finance, and Science

Jin Song Dong,Yuan-Fang Li,Jing Sun,Jun Sun,Hai Wang

DOI: https://doi.org/10.1007/3-540-36103-0_33

2002-01-01

Abstract:Timed Communicating Object Z(TCOZ) combines Object-Z's strengths in modelling complex data and state with TCSP's strengths in modeling real-time concurrency. Based on our previous work on the XML environment for TCOZ, this paper firstly demonstrates the development of a type checker for detecting static semantic errors of the TCOZ specification, then illustrates a transformation tool to automatically project TCOZ models into UML statechart diagrams for visualising the dynamic system behaviour.

Michael Sammler,Rodolphe Lepigre,Robbert Krebbers,Kayvan Memarian,Derek Dreyer,Deepak Garg

DOI: https://doi.org/10.1145/3453483.3454036

2021-06-18

Abstract:Given the central role that C continues to play in systems software, and the difficulty of writing safe and correct C code, it remains a grand challenge to develop effective formal methods for verifying C programs. In this paper, we propose a new approach to this problem: a type system we call RefinedC, which combines ownership types (for modular reasoning about shared state and concurrency) with refinement types (for encoding precise invariants on C data types and Hoare-style specifications for C functions). RefinedC is both automated (requiring minimal user intervention) and foundational (producing a proof of program correctness in Coq), while at the same time handling a range of low-level programming idioms such as pointer arithmetic. In particular, following the approach of RustBelt, the soundness of the RefinedC type system is justified semantically by interpretation into the Coq-based Iris framework for higher-order concurrent separation logic. However, the typing rules of RefinedC are also designed to be encodable in a new “separation logic programming” language we call Lithium. By restricting to a carefully chosen (yet expressive) fragment of separation logic, Lithium supports predictable, automatic, goal-directed proof search without backtracking. We demonstrate the effectiveness of RefinedC on a range of representative examples of C code.

JH Zhao,JJ Chen,GL Zheng

DOI: https://doi.org/10.1145/270507.270521

1997-01-01

Abstract:In this paper, we propose that the messages should be defined independently to the class definitions in an object-oriented program. The compatibility relation between two message types is also discussed. This kind of relationship is essential and useful for software reuses. A software designer can declare the compatibility relation between two message types if messages are defined independently to the class definitions. A message of one type can be converted to another type automatically when necessary if a compatibility relation between the two message types is specified. A new type system is proposed based on these new concepts in this paper. This type system is more flexible than the traditional ones while keeping the safety of type checking.

Yulun Wu,Bohua Zhan,Bican Xia

2024-03-20

Abstract:We present the design and implementation of a tool for semi-automatic verification of functional specifications of operating system modules. Such verification tasks are traditionally done in interactive theorem provers, where the functionalities of the module are specified at abstract and concrete levels using data such as structures, algebraic datatypes, arrays, maps and so on. In this work, we provide encodings to SMT for these commonly occurring data types. This allows verification conditions to be reduced into a form suitable for SMT solvers. The use of SMT solvers combined with a tactic language allows semi-automatic verification of the specification. We apply the tool to verify functional specification for key parts of the uC-OS/II operating system, based on earlier work giving full verification of the system in Coq. We demonstrate a large reduction in the amount of human effort due to increased level of automation.

Symbolic Computation,Logic in Computer Science

Wei Li

DOI: https://doi.org/10.48550/arXiv.cs/0303021

2003-03-21

Logic in Computer Science

Abstract:A first order inference system, called R-calculus, is defined to develop the specifications. It is used to eliminate the laws which is not consistent with the user's requirements. The R-calculus consists of the structural rules, an axiom, a cut rule, and the rules for logical connectives. Some examples are given to demonstrate the usage of the R-calculus. The properties about reachability and completeness of the R-calculus are formally defined and are proved.

Li Tan

DOI: https://doi.org/10.48550/arXiv.1201.2430

2012-06-16

Abstract:Situation calculus has been widely applied in Artificial Intelligence related fields. This formalism is considered as a dialect of logic programming language and mostly used in dynamic domain modeling. However, type systems are hardly deployed in situation calculus in the literature. To achieve a correct and sound typed program written in situation calculus, adding typing elements into the current situation calculus will be quite helpful. In this paper, we propose to add more typing mechanisms to the current version of situation calculus, especially for three basic elements in situation calculus: situations, actions and objects, and then perform rigid type checking for existing situation calculus programs to find out the well-typed and ill-typed ones. In this way, type correctness and soundness in situation calculus programs can be guaranteed by type checking based on our type system. This modified version of a lightweight situation calculus is proved to be a robust and well-typed system.

Programming Languages,Artificial Intelligence

Zhi Jin

DOI: https://doi.org/10.1007/bf02939524

1995-01-01

Abstract:The development of the object-oriented paradigm has suffered from the lack of any generally accepted formal foundations for its semantic definition. To address this issue, we propose the development of the logic-based semantics of the object-oriented paradigm. By combining the logic- with the object-oriented paradigm of computing first, this paper discusses formally the semantics of a quite purely object-oriented logic paradigm in terms of proof theory, model theory and fixpoint theory from the viewpoint of logic. The operational and declarative semantics is given. And then the correspondence between soundness and completeness has been discussed formally.

Xiaohong Chen,Zhiwei Zhong,Zhi Jin,Min Zhang,Tong Li,Xiang Chen,Tingliang Zhou

DOI: https://doi.org/10.1109/re.2019.00040

2019-01-01

Abstract:Consistency verification of safety requirements is an important but still challenging task for safety-critical systems such as rail transit systems. That is mainly because requirements are typically written in natural language and with strong time constraints. Driven by the practical need from industry, in this paper we propose a systematic approach to specify safety requirements in a quasi-natural language and automatically verify their consistency using formal methods. Specifically, we define a domain specific language SafeNL to specify safety requirements, and then automatically transform them into formal constraints defined in the Clock Constraint Specification Language (CCSL). The transformed constraints can be automatically and efficiently verified by model checking. We conduct two practical case studies to analyze the safety requirements of an interlocking system in CASCO Signal Ltd. Results of the studies show the validity and utility of our approach can pragmatically contribute to industrial practice. We also report some lessons learned from case studies.

Xibin Zhao,Anping He,Jinzhao Wu,Guowu Yang,Yi Yang,Ning Zhou,Shihan Yong,Lian Li

2012-01-01

Applied Mathematics & Information Sciences

Abstract:SystemC is an emerging standard hardware description language for system-level modeling and design. Formal semantics could give its meaning in a mathematically rigorous and unambiguous way. In this paper, we formalize SystemC both from processes and simulation environment by process algebra, which enables that deduction and verification of the whole simulation procedure are in an integrated and convenient manner. Meanwhile, in order to accommodate event-driven and concurrent properties of SystemC, we adopt event structure characterized by true concurrency, as semantic model of both SystemC and its simulation environment for denotational semantics and operational semantics, as well as demonstrate the correspondence between them. As a result, we propose a unified framework for formalizing SystemC.

Matt Luckcuck,Marie Farrell,Angelo Ferrando,Rafael C. Cardoso,Louise A. Dennis,Michael Fisher

2023-12-01

Abstract:Robotic systems used in safety-critical industrial situations often rely on modular software architectures, and increasingly include autonomous components. Verifying that these modular robotic systems behave as expected requires approaches that can cope with, and preferably take advantage of, this inherent modularity. This paper describes a compositional approach to specifying the nodes in robotic systems built using the Robotic Operating System (ROS), where each node is specified using First-Order Logic (FOL) assume-guarantee contracts that link the specification to the ROS implementation. We introduce inference rules that facilitate the composition of these node-level contracts to derive system-level properties. We also present a novel Domain-Specific Language, the ROS Contract Language, which captures a node's FOL specification and links this contract to its implementation. RCL contracts can be automatically translated, by our tool Vanda, into executable monitors; which we use to verify the contracts at runtime. We illustrate our approach through the specification and verification of an autonomous rover engaged in the remote inspection of a nuclear site, and finish with smaller examples that illustrate other useful features of our framework.

Logic in Computer Science,Software Engineering

Yan Chen,Xuan Du,Xuegong Zhou,Chenglian Peng

DOI: https://doi.org/10.1007/11568421_40

2004-01-01

Abstract:SystemC can be considered as the best possible language today for system level design and exploration of embedded systems. However, testing SystemC descriptions is still an open issue, since the language is new and researchers are looking for efficient error models and coverage metrics, which can be indifferently applied to hardware and software modules. In this paper we propose a novel approach to automate the test coverage analysis for SystemC descriptions using UML and Aspect-Oriented technology. SystemC meta-model and aspect meta-model are established to support UML customization and extension. They also provide the foundation for aspect weaver and SystemC code generator. Expected functional coverage metric could be extracted from UML timing descriptions so that it is possible to automate the whole test coverage analysis. By using the aspect-oriented technology test functionalities could be added or replaced without modifying the original design. It makes system designs more readable and easier to maintain.