StateClock: a Tool for Timed Reactive Modules
Jonathan S. Ostroff, Department of Computer Science, York University, Toronto, Canada, M3J 1P3. jonathan@yorku.ca

Abstract: We provide an overview of the compositional specification and verification tool StateClock using temporal logic and timed object-based visual system descriptions. Verification of the system is performed module by module using model-checking and theorem proving.

1.0 Introduction

The StateTime toolset [4] consists of three tools: a visual system builder for discrete real-time systems, a model-checker for special real-time temporal logic properties such as the real-time response property $p \Rightarrow \Diamond_{3}\, q$ (q holds 3 ticks after p), and a constraint logic theorem prover. StateTime lacks a notion of modules and module composition. Also, the constraint-based theorem prover proved inadequate to the more demanding needs of compositional reasoning. The purpose of this paper is to present a new tool called StateClock for the compositional design and verification of discrete real-time reactive systems that are described by assemblies of modules. The basic component of StateClock is the real-time reactive module. Event timers and clocks can be used with ordinary temporal logic to express real-time properties. The resulting compositional nature of StateClock allows the designer to treat much larger systems than can be treated with non-compositional tools. StateClock consists of a system builder for constructing assemblies of modules (which can be instances of classes), a simulator for validating modules, and a translator to the fair transition systems of the STeP [2] tool for model-checking and theorem proving. The STeP tool has a notion of clocked transition or hybrid systems for describing continuous real-time systems, but these systems cannot be checked automatically with the model-checker. In this paper, we use a combination of model-checking and theorem proving for modular verification.
2.0 Visual object-based descriptions and modularity

Consider the system PING-PONG in Fig. 1, which is organized into three modules: OBS (an observer), PING and PONG. Consider the module PING in Fig. 2. A real-time reactive module such as PING has an interface, a specification, a body (its implementation), and an environment. The interface lists all the variables that the module shares with its environment (other modules). An interface variable is declared to have one of three modes: in (the module can read but not write to it), out (only the module can write to the variable) or shared (both the module and the environment can write to the variable). Variables may be of type boolean, string, integer or integer subtype, enumerated or array. The specification is a set of temporal logic formulas in the interface variables that describe how the module ought to behave in any arbitrary environment. For example, the modular specification ping in Fig. 2 asserts that if the signal y remains high (true) awaiting the signal z (if it occurs), at a time that the clock c is ticking with c = 3, then the clock will continue to tick until such time as z goes high at time c = 4. The job of the environment is to arbitrarily change all the input or shared variables. The environment, in this case, consists of the event arbitrary (Fig. 2), which may change the input y at any moment (lower time bound is zero, upper time bound is infinity), and module OBS (Fig. 3). The environment is generated automatically by StateClock. The action choose(y) in arbitrary randomly chooses a value for y. The clock c is also an input and should change arbitrarily, except that in this case the clock is set by observer OBS when it observes x going high, as shown in OBS. If specification ping is verified in this environment (arbitrary and OBS), then any module (e.g. PONG) can be substituted for the environment without the specification or interface of PING changing.

FIGURE 1. A system as an assembly of modules. Two examples of assemblies of modules are shown. SYSTEM is organized into three modules, which in turn may have sub-modules. A module or sub-module may be an instance of a class. PING-PONG consists of three modules: OBS, PING and PONG.

FIGURE 2. The module PING. Interface variables: in y: bool; in c: CLOCK; out x, z: bool. Local variable: ping_d: integer. Modular specification ping: (y Awaits z) /\ ct /\ c = 3 ==> ct Until (z /\ c = 4), where c is a clock in OBS and ct asserts that the clock is ticking. Environment: the event arbitrary and module OBS.

The body implements the specification. The body may introduce new local variables in addition to the interface variables. In StateClock, the body is described in a statechart-like notation that supports sequential composition, parallel composition and nondeterminism in hierarchical structures. An arrow drawn from one structure to another is called an event, which has associated time bounds, a guard and an update function. Updates must respect the modes of the interface variables, otherwise a syntax error is flagged. If, in any environment, the behaviour of the body of the module m conforms to its specification s, then we write $m \models s$. In PING, there is a local integer variable ping_d that is incremented until it reaches a value of 100. The purpose of the local variable is to cause state explosion so that we can see the difference between verifying the system all at once or compositionally one module at a time.

FIGURE 3. The observer OBS. Interface: in x: bool; out c: clock. The observer is part of the environment of each module (PING and PONG respectively). The observer does not interfere with any of the signals x, y, z of the other modules. The observer starts the clock c when it detects the signal x going high, and stops the clock 5 ticks later. Clocks can also be count-down, i.e. they can be started at a particular value and they count down with each tick of the global clock.

The reactive modules of StateClock allow for real-time descriptions using clocks and event timers. Event timers are used to impose real-time constraints (via lower and upper time bounds) on module events. An event has the form event[low,hi] guard/update. The lower bound ensures that the event is activated only after low ticks of the global clock, whereas the upper bound ensures that the event is taken on or before hi ticks of the global clock, provided it is still enabled.

FIGURE 4. Module PONG. Interface: in x: bool; in c: CLOCK; out y: bool. Local: pong_d: integer. Specification pong: (x Awaits y) /\ ct /\ c = 0 ==> ct Until ([]y /\ ct /\ c = 3). Environment: arbitrarily change x; for clock c use OBS (Fig. 3).
Any number of clocks can be declared in a module, and once declared, they can be started or stopped in event updates. Clocks may also be used in event guards to express conditions under which the event is enabled. There are two kinds of clocks. Count-up clocks are started at some initial value (either zero or as set by the user); they count up in lock-step with the tick of a conceptual global clock. A count-down clock is started at some initial value and counts down until it reaches zero. Both kinds of clock are useful in system descriptions. Clock values can also be used to assert real-time temporal logic properties. For example, if a count-up clock c is started when the condition p becomes true, then the temporal logic formula $(c.\mathit{start} \wedge p) \Rightarrow \Diamond(q \wedge c = 3)$ asserts that q must occur three ticks later. In this way, ordinary temporal logic can be used to assert properties approximating those of special real-time temporal logics with response properties such as $p \Rightarrow \Diamond_{3}\, q$. While tools exist for verifying special real-time temporal logics [1], no such tool currently combines algorithmic and deductive methods as STeP does for ordinary linear-time temporal logic. By using clocks and event timers, we can express real-time properties of interest within the framework of ordinary temporal logic.

The StateClock tool allows the user to select a module at any level in the project and to view its interface and body, as well as its specification. By collecting the interface and body (with its local variables) all in one window, the designer immediately knows which variables the events of the body have access to. The simulator view (not shown) allows the designer to execute the module (in an arbitrary environment), or to view and execute collections of modules interacting with each other. A mistaken description of an algorithm or system can often be found in simulation mode, even before model-checking or theorem-proving is undertaken.
3.0 Modular verification

Once the body of a module is implemented, the module and its specification are automatically converted to STeP fair transition systems, and STeP can be used to check that the module conforms to its specification (Fig. 5). Since module specifications can be quite complex, it is preferable to use the model checker rather than the theorem prover (which needs greater user guidance), provided the fair transition system (which might deal with infinite state domains) can be reduced to a finite representation. Otherwise, the theorem prover must be used. The rule for composing modules is given by

$$\frac{m_1 \models s_1 \qquad m_2 \models s_2 \qquad (s_1 \wedge s_2) \Rightarrow r}{m_1 \parallel m_2 \models r}$$

where $s_1$, $s_2$ are the specifications of the modules $m_1$, $m_2$ respectively. The composed system $m_1 \parallel m_2$ satisfies requirement r provided the requirement condition $(s_1 \wedge s_2) \Rightarrow r$ holds. The compositional rule can be used for top-down or bottom-up design. In bottom-up development, two pre-existing modules already known to satisfy their specifications are composed, and what must be checked is the requirement condition. In top-down development, a task is decomposed into two or more sub-modules, each with their associated specifications that, taken together, satisfy the task requirement. Each module and its specification can then be assigned to a programmer. The programmer must develop a body that will make the module specification valid. The StateClock tool allows simultaneous use of both top-down and bottom-up design in a given project. During design, the STeP theorem prover is used to check the requirement condition while the model-checker is used to check that module bodies satisfy their associated specifications.

FIGURE 5. StateClock is the front-end description tool and STeP is the back-end reasoning tool. StateClock (modularity; visual and temporal logic descriptions; clocks and event timers; simulation/execution) stores project.stc and m.his, and passes m.fts and m.spec to STeP (fair transition systems; first-order temporal logic specifications; model-checking; theorem-proving). Given a module m, StateClock communicates with STeP via a fair transition system (m.fts) and a temporal logic specification (m.spec). StateClock can also store a simulation run of a module in a history file (m.his). The whole project can be stored and later retrieved from a file project.stc.

4.0 Modular verification of PING-PONG

We would like to show that the combined system PING-PONG (i.e. modules PING, PONG and OBS) satisfies the global requirement ping_pong given by

(x Awaits y) /\ c = 0 /\ ct ==> ct Until (z /\ c = 4)

i.e. once the signal x goes high, signal z will go high 4 ticks later. We proceed as follows. First check that the module PING satisfies its specification ping (Fig. 2). The environment is the arbitrary event shown in Fig. 2, as well as OBS. By clicking on PING in Fig. 1, the environment is automatically generated and converted to a fair transition system that includes the environment. The specification ping is shown to be valid using 16,749 states in 5 seconds via model-checking. A similar procedure is performed for module PONG. The specification pong (Fig. 4) is shown to be valid using 31,004 states in 11 seconds. We must now check the requirement condition ping /\ pong ==> ping_pong. The theorem prover discharges this in under a second. By our modular rule, the requirement ping_pong therefore holds for the global system PING-PONG.
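The requirement condition that the theorem prover discharges, as an added bounded-trace check (not the paper's code or STeP). It encodes ping, pong and ping_pong as printed in Figs. 2 and 4 and Section 4 under assumed finite-trace readings of Until, Awaits and [], exhaustively checks every trace of length up to 3 over the variables in those figures, and also shows that ping alone does not imply ping_pong, so PONG's specification is genuinely needed.

```python
r"""Bounded-trace check of the requirement condition (ping /\ pong) ==> ping_pong
from Section 4. Added example, not the paper's code nor STeP. The three formulas are
encoded as printed (Figs. 2 and 4, Section 4) and evaluated over finite traces with
the usual linear-time readings (assumptions): Until is strong, Awaits is the weak form
(its left operand may hold to the end of the trace), [] means "at every remaining
position", and each specification is implicitly []-quantified. Clock values are
limited to those the formulas mention, which is also an assumption."""
from itertools import product

# A trace is a tuple of states (dicts of the interface variables x, y, z, ct, c).
# A formula is a function f(trace, i) -> bool, evaluated at position i.

def atom(name, value=True):
    """Atomic proposition: variable `name` equals `value` at the current position."""
    return lambda tr, i: tr[i][name] == value

def AND(*fs):
    def ev(tr, i):
        for f in fs:                       # short-circuits, so cheap atoms go first
            if not f(tr, i):
                return False
        return True
    return ev

def IMPLIES(a, b):
    return lambda tr, i: (not a(tr, i)) or b(tr, i)

def ALWAYS(f):
    """[]f: f holds at every position from i to the end of the trace."""
    return lambda tr, i: all(f(tr, j) for j in range(i, len(tr)))

def UNTIL(p, q):
    """p Until q: some position j >= i satisfies q, and p holds on [i, j)."""
    def ev(tr, i):
        for j in range(i, len(tr)):
            if q(tr, j):
                return True
            if not p(tr, j):
                return False
        return False
    return ev

def AWAITS(p, q):
    """p Awaits q (weak until): p Until q, or p holds to the end of the trace."""
    u, a = UNTIL(p, q), ALWAYS(p)
    return lambda tr, i: u(tr, i) or a(tr, i)

x, y, z, ct = atom("x"), atom("y"), atom("z"), atom("ct")

def c(v):
    return atom("c", v)

# ping (Fig. 2): (y Awaits z) /\ ct /\ c = 3 ==> ct Until (z /\ c = 4)
ping = IMPLIES(AND(ct, c(3), AWAITS(y, z)), UNTIL(ct, AND(z, c(4))))
# pong (Fig. 4): (x Awaits y) /\ ct /\ c = 0 ==> ct Until ([]y /\ ct /\ c = 3)
pong = IMPLIES(AND(ct, c(0), AWAITS(x, y)), UNTIL(ct, AND(ct, c(3), ALWAYS(y))))
# ping_pong (Section 4): (x Awaits y) /\ c = 0 /\ ct ==> ct Until (z /\ c = 4)
ping_pong = IMPLIES(AND(ct, c(0), AWAITS(x, y)), UNTIL(ct, AND(z, c(4))))

def holds(f, tr):
    """A specification must hold at every position of the trace (implicit [])."""
    return ALWAYS(f)(tr, 0)

def all_traces(max_len, clock_values=(0, 3, 4)):
    """Every trace of length 1..max_len over x, y, z, ct in {F, T} and c in clock_values."""
    states = [dict(x=a, y=b, z=d, ct=e, c=k)
              for a, b, d, e in product((False, True), repeat=4)
              for k in clock_values]
    for n in range(1, max_len + 1):
        yield from product(states, repeat=n)

def counterexample(premises, goal, max_len=3):
    """First bounded trace on which every premise holds but the goal fails, or None."""
    for tr in all_traces(max_len):
        if all(holds(p, tr) for p in premises) and not holds(goal, tr):
            return tr
    return None

if __name__ == "__main__":
    # The requirement condition of the modular rule: no bounded counterexample exists.
    print("ping /\\ pong ==> ping_pong:", counterexample([ping, pong], ping_pong) is None)
    # PING's specification alone does not imply the requirement; PONG's promise about y is needed.
    print("ping alone fails on:", counterexample([ping], ping_pong))
```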
If we had tried to model-check the complete system PING-PONG for the requirement, it would take 82 seconds and use 260,233 states, which is an order of magnitude increase due to the state explosion problem.

5.0 Conclusion

The StateClock tool has been used on two large examples. (a) It was used to show the correctness of the delay trip reactor shutdown software for a nuclear reactor described in [5]. Three versions of the control software are used, with the final decision to shut down based on majority voting. (b) StateClock was also used to modularly debug and verify the Therac-25 radiation system described in [3]. In both cases, the global system was too large to treat at once using the STeP model-checker. Global requirements are usually much simpler to write (and get right) than modular specifications. Modular specifications need to take into account the effects of the environment, which are not needed in requirements. Nevertheless, when our tools run out of steam and smarts, it is necessary to decompose our global system and to work one module at a time without ever having to look at the global system.

Acknowledgements

Lewis Lo wrote the StateClock software. The translation algorithm for converting timed events with timers and clocks to fair transition systems was done by Eddie Ng. Thomas Armstrong wrote the documentation which can be found at

This research was supported by NSERC.

References

[1] Alur, R., T.A. Henzinger, and P.-H. Ho. Automatic Symbolic Verification of Embedded Systems. IEEE Transactions on Software Engineering, 22(3).
[2] Bjorner, N., A. Browne, E. Chang, M. Colon, A. Kapur, Z. Manna, H.B. Sipma, and T. Uribe. STeP: Deductive-Algorithmic Verification of Reactive and Real-Time Systems. In Computer-Aided Verification (CAV '96), New Brunswick, NJ, edited by R. Alur and T. Henzinger, Springer-Verlag, LNCS 1102.
[3] Leveson, N.G. and C.S. Turner. An Investigation of the Therac-25 Accidents. Computer, 26(7): 18-41.
[4] Ostroff, J.S. A Visual Toolset for the Design of Real-Time Discrete Event Systems. IEEE Trans. on Control Systems Technology, 5(3).
[5] Ostroff, J.S. Composition and Refinement of Discrete Real-Time Systems. ACM Trans. on Software Engineering Methodology, 8(1): 1-48.
More informationDIVERSITY TG Automatic Test Case Generation from Matlab/Simulink models. Diane Bahrami, Alain Faivre, Arnault Lapitre
DIVERSITY TG Automatic Test Case Generation from Matlab/Simulink models Diane Bahrami, Alain Faivre, Arnault Lapitre CEA, LIST, Laboratory of Model Driven Engineering for Embedded Systems (LISE), Point
More informationImplementing I/O-Automaton Specifications on Erlang
SCIS & ISIS 2010, Dec. 8-12, 2010, Okayama Convention Center, Okayama, Japan Implementing I/O-Automaton Specifications on Erlang Yoshinobu Kawabe and Jun Zhao Department of Information Science Aichi Institute
More informationThe SPIN Model Checker
The SPIN Model Checker Metodi di Verifica del Software Andrea Corradini Lezione 1 2013 Slides liberamente adattate da Logic Model Checking, per gentile concessione di Gerard J. Holzmann http://spinroot.com/spin/doc/course/
More informationA Tabular Expression Toolbox for Matlab/Simulink
A Tabular Expression Toolbox for Matlab/Simulink Colin Eles and Mark Lawford McMaster Centre for Software Certification McMaster University, Hamilton, Ontario, Canada L8S 4K1 {elesc,lawford}@mcmaster.ca
More informationOn the Complexity of the Policy Improvement Algorithm. for Markov Decision Processes
On the Complexity of the Policy Improvement Algorithm for Markov Decision Processes Mary Melekopoglou Anne Condon Computer Sciences Department University of Wisconsin - Madison 0 West Dayton Street Madison,
More informationEfficient Degree Elevation and Knot Insertion for B-spline Curves using Derivatives
Efficient Degree Elevation and Knot Insertion for B-spline Curves using Derivatives Qi-Xing Huang a Shi-Min Hu a,1 Ralph R Martin b a Department of Computer Science and Technology, Tsinghua University,
More informationB vs. Coq to prove a Garbage Collector
B vs. Coq to prove a Garbage Collector L. Burdy GEMPLUS Avenue du Pic de Bertagne - 13881 Gémenos Cedex - France lilian.burdy@gemplus.com Abstract. This paper presents a comparison between two formal methods
More informationRuntime Checking for Program Verification Systems
Runtime Checking for Program Verification Systems Karen Zee, Viktor Kuncak, and Martin Rinard MIT CSAIL Tuesday, March 13, 2007 Workshop on Runtime Verification 1 Background Jahob program verification
More informationCo-Simulation of Hybrid SDL and VHDL Specifications
Co-Simulation of Hybrid SDL and VHDL Specifications Maciej Wasowski, Dorota Witaszek, Joachim Fischer, Eckhardt Holz, Stefanie Lau, Olaf Kath Humboldt-University of Berlin - Department of Computer Science
More informationComposition of State Machines
Chapter 5 Composition of State Machines Hongwei Zhang http://www.cs.wayne.edu/~hzhang/ Ack.: this lecture is prepared in part based on slides of Lee, Sangiovanni-Vincentelli, Seshia. Outline Concurrent
More informationPROPER TECHNIQUE OF SOFTWARE INSPECTION USING GUARDED COMMAND LANGUAGE
International Journal of Computer Science and Communication Vol. 2, No. 1, January-June 2011, pp. 153-157 PROPER TECHNIQUE OF SOFTWARE INSPECTION USING GUARDED COMMAND LANGUAGE Neeraj Kumar Singhania University,
More informationExperiences with OWL-S, Directions for Service Composition:
Experiences with OWL-S, Directions for Service Composition: The Cashew Position Barry Norton 1 Knowledge Media Institute, Open University, Milton Keynes, UK b.j.norton@open.ac.uk Abstract. Having used
More informationMANY real-time applications need to store some data
Proceedings of the International Multiconference on Computer Science and Information Technology pp. 673 678 ISBN 978-83-60810-14-9 ISSN 1896-7094 Modeling Real-Time Database Concurrency Control Protocol
More informationModelling and Verifying of e-commerce Systems
Modelling and Verifying of e-commerce Systems Andreas Speck Friedrich-Schiller-University Jena Department of Economics Integrated Application Systems Group andreas.speck@uni-jena.de www.wiwi.uni-jena.de/wi2/
More informationTVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS*
TVLA: A SYSTEM FOR GENERATING ABSTRACT INTERPRETERS* Tal Lev-Ami, Roman Manevich, and Mooly Sagiv Tel Aviv University {tla@trivnet.com, {rumster,msagiv}@post.tau.ac.il} Abstract TVLA (Three-Valued-Logic
More informationDuet: Static Analysis for Unbounded Parallelism
Duet: Static Analysis for Unbounded Parallelism Azadeh Farzan and Zachary Kincaid University of Toronto Abstract. Duet is a static analysis tool for concurrent programs in which the number of executing
More informationUML Profile for MARTE: Time Model and CCSL
UML Profile for MARTE: Time Model and CCSL Frédéric Mallet 1 Université Nice Sophia Antipolis, Aoste team INRIA/I3S, Sophia Antipolis, France Frederic.Mallet@unice.fr Abstract. This 90 minutes tutorial
More informationF-Soft: Software Verification Platform
F-Soft: Software Verification Platform F. Ivančić, Z. Yang, M.K. Ganai, A. Gupta, I. Shlyakhter, and P. Ashar NEC Laboratories America, 4 Independence Way, Suite 200, Princeton, NJ 08540 fsoft@nec-labs.com
More informationTest and Evaluation of Autonomous Systems in a Model Based Engineering Context
Test and Evaluation of Autonomous Systems in a Model Based Engineering Context Raytheon Michael Nolan USAF AFRL Aaron Fifarek Jonathan Hoffman 3 March 2016 Copyright 2016. Unpublished Work. Raytheon Company.
More informationState Identification In The Hybrid Automata Description Of Dynamical Systems
State Identification In The Hybrid Automata Description Of Dynamical Systems ISABELLA KOTINI, GEORGE HASSAPIS Dept. of Electrical and Computer Engineering Aristotle University of Thessaloniki 54006, Thessaloniki
More informationT : Protocol Design
T-110.300: Protocol Design Protocol Design Theory Methods Protocol Engineering Process (PEP) Timo.Kyntaja@vtt.fi 1 (154) Motivation Telecom systems engineering is a huge industry networks, terminals, services
More informationTIV: A Toolset for Interactive Verification of Basic LOTOS Specifications
TIV: A Toolset for Interactive Verification of Basic LOTOS Specifications Cheoljoo Jeong Kangho Kim Youngchan Kim Yeondae Chung Systems Engineering Research Institute Taejon, 305-333, Korea {cjeong,khkim,yckim,chung}@eagles.seri.re.kr
More informationA Simple Tutorial on NuSMV
NuSMV-tutorial 1 A Simple Tutorial on NuSMV Chenyi Zhang March 28, 2007 For a comprehensive tutorial, please visit the site http://nusmv.irst.itc.it/ NuSMV-tutorial 2 Introduction History SMV is the first
More informationIntroduction to Model Checking
Introduction to Model Checking René Thiemann Institute of Computer Science University of Innsbruck WS 2007/2008 RT (ICS @ UIBK) week 4 1/23 Outline Promela - Syntax and Intuitive Meaning Promela - Formal
More informationAN ABSTRACTION TECHNIQUE FOR REAL-TIME VERIFICATION
AN ABSTRACTION TECHNIQUE FOR REAL-TIME VERIFICATION Edmund M. Clarke, Flavio Lerda, Muralidhar Talupur Computer Science Department Carnegie Mellon University Pittsburgh, PA 15213 {flerda,tmurali,emc}@cs.cmu.edu
More informationFormal Methods in Software Engineering. Lecture 07
Formal Methods in Software Engineering Lecture 07 What is Temporal Logic? Objective: We describe temporal aspects of formal methods to model and specify concurrent systems and verify their correctness
More informationSoftware Architectures
Software Architectures Richard N. Taylor Information and Computer Science University of California, Irvine Irvine, California 92697-3425 taylor@ics.uci.edu http://www.ics.uci.edu/~taylor +1-949-824-6429
More informationAlgorithmic Verification. Algorithmic Verification. Model checking. Algorithmic verification. The software crisis (and hardware as well)
Algorithmic Verification The software crisis (and hardware as well) Algorithmic Verification Comp4151 Lecture 1-B Ansgar Fehnker Computer become more powerful (Moore s law) The quality of programs cannot
More informationThe Synchronous System Description Language PURR?
The Synchronous System Description Language PURR? Thomas Kropf, Jürgen Ruf, Klaus Schneider, and Markus Wild University of Karlsruhe, Department of Computer Science, Institute for Computer Design and Fault
More informationTDD for Embedded Systems: A Basic Approach and Toolset
TDD for Embedded Systems: A Basic Approach and Toolset Rogerio Atem de Carvalho, Hudson Silva, Rafael Ferreira Toledo, Milena Silveira de Azevedo Scientific Computing Group (C2), Centre for Embedded and
More informationMore on Verification and Model Checking
More on Verification and Model Checking Wednesday Oct 07, 2015 Philipp Rümmer Uppsala University Philipp.Ruemmer@it.uu.se 1/60 Course fair! 2/60 Exam st October 21, 8:00 13:00 If you want to participate,
More information