Formal Specification

This paper presents a model-based approach that combines the data-flow and object-oriented computing paradigms to model embedded systems. The rationale behind the approach is that both views are important for modelling purposes in embedded systems environments, and thus a combined and integrated usage is not only useful, but also fundamental for developing complex systems. We also show that by using models we were able to implement automated transformations between different views of the system under design. We exemplify the approach with an IPv6 router case study.

This paper provides insight into the development of System Verilog Assertions standardization efforts. Specifically it covers the evolution from Accellera 3.1a version to its current state of standardization (the upcoming SVA2012 release). Insight into the new features, changes and the reasons for the same exposes users of SVA to the direction the standard is evolving.

This invited paper presents a number of correlated specifications of example railway system problems. They use a variety of partially or fully integrated formal specification. The paper thus represents a mere repository of what we consider interesting case studies. The existence of the Unified Modeling Language [10, 67, 36, 20] has caused, for one reason or another, the research community to try formalise one or another facet of UML. In this paper we report on another way to achieve what UML attempts to achieve: Broadness of application, convenience of notation, and multiplicity of views. Whether these different UML views are unified, integrated, correlated or merely co-located is for others to dispute. We also seek to support multiple views, but are also in no doubt that there must be sound, well defined relations between such views. We thus report on ways and means of integrating formal techniques such as RAISE (RSL) [58, 59],

It has been suggested that constraining a natural language (NL) reduces the degree of ambiguity of requirement specifications written in that language. There is also a tendency to assume that an inescapable side effect of constraining a natural language is a subsequent reduction in its expressiveness. The primary objective of this paper is to describe a technique that we have developed for empirically measuring the expressiveness of a constrained natural language (CNL) when used to specify the requirements in a particular application domain. Our simple yet practical and repeatable technique elucidates the individual contribution that each lexical entity of the CNL can make on the overall expressiveness of the CNL This technique is particularly useful for designing new CNLs, as well as situations where tailoring or streamlining existing CNLs for particular application domains is needed.

Nowadays, if we want to obtain a sound and correct final software product it is very important to be able to properly join modern OO programming environments, which are built for the new Internet architectures, with the OO methodologies roduced over the last few years in order to deal properly with the Conceptual Modeling process. Our contribution to this objective is the OO-Method [Pas96, Pas97-1] proposal. OO-Method is an OO Methodology that allows analysts to introduce the relevant system information by means of a set of graphical models to obtain the conceptual model through a requirement collection phase, so that an OO formal specification in OASIS [Pas95] can be generated at any given moment. This formal specification acts as a high-level system repository. Furthermore, a Java software prototype, which is functionally equivalent to the OASIS specification, is also generated in an automated way. This is achieved by defining an execution model that gives the pattern to obtain a concrete implementation in the selected target software development environment. A CASE workbench [Pas97-1] supports the methodology.

The growing design complexity of today's embedded real-time systems requires new techniques aiming the raising of the abstraction level since earlier stages of design in order to deal with such complexity in a suitable way. This paper reports a case study, which provides an assessment of two well-know highlevel paradigms, namely Aspect-(AO) and Object-Oriented (OO) paradigms. Concepts of both paradigms were applied at modeling phase of a Distributed Embedded Real-Time System (DERTS). The handling of DERTS' functional and non-functional requirements (at modeling level) using AO and OO concepts is discussed. Both paradigms are compared using of a set of software engineering metrics, which were adapted to be applied at modeling level. The presented results show the suitability of each paradigm for DERTS specification in terms of reusability quality of model elements.

Although adaptive applications are increasing in popularity, there are only a few approaches that focus on their generalization or the specification of a reference model. Trying to fill this gap, this paper presents a reference model for adaptive hypermedia applications, similar to AHAM. The main novelty of our approach is an object-oriented specification written in UML (Unified Modeling Language) which integrates both an intuitive visual representation and a formal unambiguous specification in OCL (Object Constraint Language). Our reference model is defined as an extension of the Dexter Hypertext Reference Model including user modeling aspects and rule-based adaptation mechanisms.

Requirements Engineering (RE) is a relatively young discipline, and still many advances have been achieved during the last decades. In particular, numerous RE methods have been proposed. However, there is a growing concern for empirical validations that assess RE proposals and statements. This paper is related to the evaluation of the quality of functional requirements specifications, focusing on completeness and granularity. To do this, several concepts related to conceptual model quality are presented; these concepts lead to the definition of metrics that allow measuring certain aspects of a requirements model quality (e.g. degree of functional encapsulations completeness with respect to a reference model, number of functional fragmentation errors). A laboratory experiment with master students has been carried out, in order to compare (using the proposed metrics) two RE approaches; namely, Use Cases and Communication Analysis. Results indicate greater quality (in terms of completeness and granularity) when Communication Analysis guidelines are followed. Moreover, interesting issues arise from experimental results, which invite further research.

Model-based design (MBD) involves designing a model of a control system, simulating and debugging it with dedicated tools, and finally generating automatically code corresponding to this model. In the domain of embedded systems, it offers the huge advantage of avoiding the timeconsuming and error-prone final coding phase. The main issue raised by MBD is the faithfulness of the generated code with respect to the initial model, the latter being defined by the simulation semantics. To bridge the gap between the high-level model and the low-level implementation, we use the synchronous programming language Lustre as an intermediate formal model. Concretely, starting from a highlevel model specified in the de-facto standard Simulink, we first generate Lustre code along with some structured "glue code", and then we generate embedded real-time code for the Xenomai RTOS. Thanks to Lustre's clean mathematical semantics, we are able to guarantee the faithfulness of the generated multi-tasked real-time code.

The increasing demand for Distributed Systems(DS's) raised the need of a quality-assured development process, which could not only address the issue of requirement compliance, but also could help the construction of tools able to derive implementations automatically. In order to attend such a need, some Formal Description Techniques (FDT's) have been proposed. This paper defends the transformational approach as a good strategy to carry out the automatic implementation of DS's expressed in FDTs, focusing Mondel as FDT, and the DRACO-PUC environment as transformational system.

Over the last few years, there is a remarkable increase in the complexity of media-intensive products such as digital video recorder, DVD players, MPEG players and video conference devices. The complexity stems from the heavy computational workload and large data volume in the media stream.

Abstract After decades from introducing and using agile methodologies, project managers realized that no methodology is sufficient by itself. Thus, merging their principles is the solution yet no formal solution has been proposed. Relying on previous work, ATT ...

"This paper presents a formal development of a cardiac pacing
system based on a Boston Scientific’s model, a pilot case study from the Grand Challenge in Software Verification. We present a summary of our Z model of the system, its translation into Perfect Developer, and the code generation and execution. Further practical result and analysis are also in the context of this paper.
Keywords: formal modelling, Z, refinement, Perfect Developer, pacemaker."

The software requirements engineering (RE) process is one of the key processes in software development. The aim of requirements engineering process is capturing, understanding and analyzing customer requirements. Today, use cases are widely used as a technique for specification of the functional requirements of the system. Even through use cases are widely used for specification of the functional requirements, their semantics are unclear that it is difficult to apply them to complex problems. In this paper we have proposed SilabReq language for use cases specification for a standard information system. It is developed under XText framework. The benefits of using SilabReq for use cases specification are reflected in the fact that software requirements are considered as a model. Thereafter, the use cases can be used for automatic processing and analyzing. (Abstract)

Hardware and software systems are growing everyday in scale and functionality. This increase in complexity increases the number of subtle errors. Moreover, some of these errors may cause catastrophic loss of money, time, or even in many cases human life. A major goal of ...

In this paper, the verification strategy of PROVER environment is presented. The PROVER system (PROduction system for hardware VERification) is implemented using CLIPS (C Language Integrated Production System). PROVER is a rulebased framework for formal hardware verification. The environment supports verification at different levels of hardware specification. Verification strategy is illustrated in this paper using Carry select adder as a case study. Ref er en c e s (1) Elleithy, "Formal Hardware Verification: of VLSI Architectures: Current Status and Future directions" in T I-PC3.3

For a long time, one of the major research goals in the computer science research community has been to raise the level of abstraction power of specification languages/programming languages. Many specification languages and formalisms have been invented, but unfortunately very few of those are practically useful, due to limited computer support of these languages and/or inefficient implementations. Thus, one important goal is executable specification languages of high abstraction power and with high performance, good enough for practical usage and comparable in execution speed to hand implementations of applications in low-level languages such as C or C++. In this paper we briefly describe our work in creating efficient executable specification languages for two application domains. The first area is formal specification of programming language semantics, whereas the second is formal specification of complex systems for which we have developed an object-oriented mathematical modeling language called Modelica, including architectural support for components and connectors. Based on these efforts, we are currently working on a unified equation-based mathematical modeling language that can handle modeling of items as diverse as programming languages, computer algebra, event-driven systems, and continuous-time physical systems. The key unifying feature is the notion of equation. In this paper we describe the design and implementation of the unified language. A compiler implementation is already up and running, and used for substantial applications.

In this paper we introduce a logical viewpoint on architectures. The logical viewpoint is based on the distinction between symbolic and semantic models of architectures. The core of a symbolic model consists of its signature that specifies symbolically its structural elements and their relationships. A semantic model is defined as a formal interpretation of the symbolic model. This leads to more precise characterization of the concepts introduced in IEEE standard 1471-2000, and provides a formal approach to the design of enterprise of architectural description languages and a general mathematical foundation for the use of formal methods in enterprise architectures.

This report gives an overview of the work performed by the Programming Research Group as part of the European collaborative ESPRIT II REDO project (no. 2487). This work covered the areas of reverse-engineering: redocumentation and re-engineering; validation: post-hoc verification and generation of correct code from specifications; maintenance: new languages and methods to support maintenance. Research in areas of concurrent programming and decompilation were also performed.

This paper describes an approach, which uses formal specifications, for the classification of REA patterns and their building blocks. In general, classification is essential -especially when the number of patterns of a collection increases. Budgen [Bud03] stresses the need and importance of exploring and evaluating "the most effective ways to index and classify patterns." The number of patterns increases over time, and there is always the possibility of having either duplicate patterns or patterns whose relationships can be interpreted differently if these relationships are not clearly defined. In this short paper, we describe our approach in which REA patterns are specified formally using Alloy prior to being classified in the Zachman framework. For convenient references, these REA specifications are assigned numbers.

We present a logical framework for modeling and reasoning about the evolution of requirements. We demonstrate how a sufficiently rich meta level logic can formally capture intuitive aspects of managing changes to requirements models, while maintaining completeness and consistency. We consider a theory as the deductive closure of a given set of axioms and conclude that software engineering is concerned, in essence, with, building and managing large theories. This theory construction commences with the development of the requirements model which we view as a theory of some nonmonotonic logic. Requirements evolution then involves the mapping of one such theory to another. Exploiting the deductive power of the theory of belief revision and nonmonotonic reasoning we develop a formal description of this mapping, as well as the requirements engineering process itself. This work thus offers a rigorous approach to reasoning about requirements evolution and a important focus for defining semantically well founded methods and tools for the effective management of changing requirements

The formal analysis described here detects two so far undetected real deadlock situations per thousand C source files or million lines of code in the open source Linux operating system kernel, and three undetected accesses to freed memory, at a few seconds per file. That is notable because the code has been continuously under scrutiny from thousands of developers' pairs of eyes. In distinction to model-checking techniques, which also use symbolic logic, the analysis uses a "3-phase" compositional Hoare-style programming logic combined with abstract interpretation. The result is a customisable post-hoc semantic analysis of C code that is capable of several different analyses at once.

We develop a general constraint logic programming (CLP) based framework for specification and verification of real-time systems. Our framework is based on the notion of timed automata that have traditionally been used for specihing real-time systems. In our framework, a user models the ordering of real-time events as the grammar of a language accepted by a timed automata, the real-time constraints on these events are then captured as denotations of the grammar productions specijied by the usel: The grammar can be speciJied as a Definite Clause Grammar (DCG), while the denotations can be speccped in constraint logic. The resulting specijication can hence be regarded as a constraint logic program (CLP), and is executable. Many interesting properties of the real-time system can be verc3ed by posing appropriate queries to this CLP program. A major advantage of our approach is that it is constructive in nature, i.e., it can be used for computing the conditions under which a property will holdfor a given real-time system. Our framework also suggests new types of formalisms that we call Constraint Automata and Timed Push-down Automata.

The analysis of UCR data provides a basis for crime prevention in the United States as well as a sound decision making tool for policy makers. The decisions made with the use of UCR data range from major funding for resource allocation down to patrol distribution by local police departments. The FBI collects and maintains the database of the Uniform Crime Reports (UCR), from 18,000 reporting police agencies nationwide. However, many of these data sets have missing, incomplete, or incorrect data points that render crime analysis less effective. UCR experts have stated that in the current form UCR data is unreliable and sporadic. Efforts have previously been made to design a software application to correct these necessary problems, but the application was deemed insufficient due to limited portability and usability. Software requirements restricted potential users and the user interface was ineffective. However, this previous work describes the functions needed to effectively clean and assess UCR data. This paper describes the design of an application used to clean, process, and correct UCR data so that ideal policy decisions can be made. Erroneous portions of the data will be found using the outlier detection function that is based on a statistical model of anomalous behavior. These methods incorporate sponsor specifications and user requirements. This project builds upon the GRASP (Geospatial Repository for Analysis and Safety Planning) project's goal of sharing information between law enforcement agencies. Eventually

Linear permissions have been proposed as a lightweight way to specify how an object may be aliased, and whether those aliases allow mutation. Prior work has demonstrated the value of permissions for addressing many software engineering concerns, including information hiding, protocol checking, concurrency, security, and memory management.

The paper describes the application of formal modelling techniques within interface design to a 'what you see is what you get' style word processor to illustrate the analysis of the usability properties of interactive systems. A formal framework as an abstract model of interaction is employed, termed the template model, which explicitly identifies system abstractions (known as templates) that have a defined relationship to the intended task and users' capabilities. In the investigation, a subset of a conventional word processor is formally specified. The specification is then analysed in terms of the template model by identifying abstractions upon which common wordprocessing tasks depend. The outcome of the analysis illustrates the potential benefit of the template model in explaining implicit assumptioiis about the usability properties of the artefact.

A general approach to security architecture is introduced. A survey of existing attempts to develop the security architecture introduces the topic. Security can be highlighted as part of the system development life cycle. The authors assume that security cannot be achieved by concentrating on one system component but can be achieved by identifying the relationship between these components and how information is used among them. An original sphere of use and interaction is presented upon which security measures can be evaluated and the required security controls can be chosen.

The Distributed Computing Software project at Oxford University is using formal specification techniques to explore the design of services in a distributed operating system. Our goal is to construct and publish the specification of a loosely-coupled distributed operating system consisting of a number of autonomous services. Some design principles have been proposed from consideration of conventional business practice. Several services have already been designed and implemented according to these principles.

Perfect Developer is a software tool that supports the formal development of object-oriented programs by refine-ment, including formal verification of code. It is built around a single language that supports both specification and implementation. We critically examine how Perfect De-veloper supports programming by refinement, focusing on three refinement techniques: algorithm refinement, data re-finement and delta refinement. In particular we examine the extent to which Perfect Developer provides formal verifica-tion for these techniques. We assess it as a tool for software construction and compare it with related tools. 1.

This paper describes our experience using UML, the Unified Modeling Language, to describe the software architecture of a system. We found that it works well for communicating the static structure of the architecture: the elements of the architecture, their relations, and the variability of a structure. These static properties are much more readily described with it than the dynamic properties. We could easily describe a particular sequence of activities, but not a general sequence. In addition, the ability to show peer-topeer communication is missing from UML.

New models and new tools are needed for analyzing and improving strategic and operational decisions within an extended enterprise. This paper proposes to exploit the expressiveness of UML diagrams to facilitate the analysis of the enterprise processes involved in activity planning and management. An extended enterprise is decomposed into business units which exchange data, negotiate and collaborate.

"Formal methods aim to apply mathematically-based techniques to the development of computer-based systems, especially at the specification level, but also down to the implementation level. This aids early detection and avoidance of errors through increased understanding. It is also beneficial for more rigorous testing coverage. This talk presents the use of formal methods on a real project. The Z notation has been used to specify a large-scale high integrity system to aid in air traffic control. The system has been implemented directly from the Z specification using SPARK Ada, an annotated subset of the Ada programming language that includes assertions and tool support for proofs. The Z specification has been used to direct the testing of the software through additional test design documents using tables and fragments of Z. In addition, Mathematica has been used as a test oracle for algorithmic aspects of the system. In summary, formal methods can be used successfully in all phases of the lifecycle for a large software project with suitably trained engineers, despite limited tool support.
"

Formal methods have traditionally been used for specification and development of software. However there are potential benefits for the testing stage as well. The panel session associated with this paper explores the usefulness or otherwise of formal methods in various contexts for improving software testing. A number of different possibilities for the use of formal methods are explored and questions raised. The contributors are all members of the UK FORTEST Network on formal methods and testing. Although the authors generally believe that formal methods are useful in aiding the testing process, this paper is intended to provoke discussion. Dissenters are encouraged to put their views to the panel or individually to the authors.

In this paper a set of concepts to design mixed reality systems is presented. The principle of interaction space is proposed and then integrated in a development process, especially, to take into account the mixed reality specifications in the information system design. Models are elaborated to highlight relationships between business and interaction spaces. The development of the proposed method is presented on a case study.

Safety critical software requires integrating verification techniques in software development methods. Software architectures must guarantee that developed systems will meet safety requirements and safety analyses are frequently used in the assessment. Safety engineers and software architects must reach a common understanding on an optimal architecture from both perspectives. Currently both groups of engineers apply different modelling techniques and languages: safety analysis models and software modelling languages. The solutions proposed seek to integrate both domains coupling the languages of each domain. It constitutes a sound example of the use of language engineering to improve efficiency in a software-related domain. A model-driven development approach and the use of a platform-independent language are used to bridge the gap between safety analyses (failure mode effects and criticality analysis and fault tree analysis) and software development languages (e.g. unified modelling language). Language abstract syntaxes (metamodels), profiles, language mappings (model transformations) and language refinements, support the direct application of safety analysis to software architectures for the verification of safety requirements. Model consistency and the possibility of automation are found among the benefits.

... Domain Analysis Requirement and Assumptions identification Classifying Modeling ElaborationConflict Identification and Resolution Prioritization Specification ... 4.4. Conflict Management Contributions among goals (positive or negative) can be modeled and managed. ...

Formal methods and testing are two important approaches that assist in the development of high-quality software. While traditionally these approaches have been seen as rivals, in recent years a new consensus has developed in which they are seen as complementary. This article reviews the state of the art regarding ways in which the presence of a formal specification can be used to assist testing.

Requirements defects have a major impact throughout the whole software lifecycle. Having a specific defects classification for requirements is important to analyse the root causes of problems, build checklists that support requirements reviews and to reduce risks associated with requirements problems. In our research we analyse several defects classifiers; select the ones applicable to requirements specifications, following rules to build defects taxonomies; and assess the classification validity in an experiment of requirements defects classification performed by graduate and undergraduate students. Not all subjects used the same type of defect to classify the same defect, which suggests that defects classification is not consensual. Considering our results we give recommendations to industry and other researchers on the design of classification schemes and treatment of classification results.