Mark Utting

Mark Utting
University of Queensland | UQ · School of Information Technology and Electrical Engineering

PhD

About

108
Publications
32,920
Reads
How we measure 'reads'
A 'read' is counted each time someone views a publication summary (such as the title, abstract, and list of authors), clicks on a figure, or views or downloads the full-text. Learn more
3,289
Citations
Additional affiliations
August 2004 - June 2005
University of Franche-Comté
Position
  • Researcher
May 2011 - July 2014
Queensland University of Technology
Position
  • Fellow
October 1996 - June 2014
University of Waikato
Position
  • Professor

Publications

Publications (108)
Chapter
We evaluate the use of the existing Microsoft Vale framework to guarantee correctness of low level Ethereum Virtual Machine (EVM) bytecode, while affording smart contract developers higher-level language and reasoning features. We encode EVM-R (a subset of EVM semantics and instruction set) into F*, and raise the EVM-R into Vale design-by-contract...
Chapter
Compilers are a vital tool but errors in a compiler can lead to errors in the myriad of programs it compiles. Our research focuses on verifying the optimisation phase because it is a common source of errors within compilers. In programming language semantics, expressions (or terms) are represented by abstract syntax trees, and their semantics is ex...
Preprint
Full-text available
TypeScript is a quickly evolving superset of JavaScript with active development of new features. Our paper seeks to understand how quickly these features are adopted by the developer community. Existing work in JavaScript shows the adoption of dynamic language features can be a major hindrance to static analysis. As TypeScript evolves the addition...
Preprint
Full-text available
Our objective is to formally verify the correctness of the hundreds of expression optimization rules used within the GraalVM compiler. When defining the semantics of a programming language, expressions naturally form abstract syntax trees, or, terms. However, in order to facilitate sharing of common subexpressions, modern compilers represent expres...
Preprint
Full-text available
We want to verify the correctness of optimization phases in the GraalVM compiler, which consist of many thousands of lines of complex Java code performing sophisticated graph transformations. We have built high-level models of the data structures and operations of the code using the Isabelle/HOL theorem prover, and can formally verify the correctne...
Article
Full-text available
The quest to develop increasingly sophisticated verification systems continues unabated. Tools such as Dafny, Spec#, ESC/Java, SPARK Ada and Whiley attempt to seamlessly integrate specification and verification into a programming language, in a similar way to type checking. A common integration approach is to generate verification conditions that a...
Chapter
The optimization phase of a compiler is responsible for transforming an intermediate representation (IR) of a program into a more efficient form. Modern optimizers, such as that used in the GraalVM compiler, use an IR consisting of a sophisticated graph data structure that combines data flow and control flow into the one structure. As part of a wid...
Article
Full-text available
This paper describes the design and verification of a copy elimination and memory deallocation scheme for a compiler that translates the verification-friendly programming language Whiley into efficient C code. We use a combination of static analysis and runtime flags to replace array copies with reference assignments when possible. Formal proofs ha...
Preprint
Full-text available
The optimization phase of a compiler is responsible for transforming an intermediate representation (IR) of a program into a more efficient form. Modern optimizers, such as that used in the GraalVM compiler, use an IR consisting of a sophisticated graph data structure that combines data flow and control flow into the one structure. As part of a wid...
Preprint
Full-text available
We describe the verification of an existing smart contract for a simple casino application, using the Whiley specification and programming language, with a fully automated verification engine based on Boogie and Z3. After finding and fixing several specification and code issues in the smart contract, we are able to verify all the operations of the...
Conference Paper
Full-text available
Testing IT systems has become a major bottleneck for many companies. Besides the growing complexity of such systems, shorter release cycles and increasing quality requirements have led to increased verification and validation costs. However, analysis of existing testing procedures reveals that not all artifacts are exploited to tame this cost incre...
Chapter
This tutorial introduces the basic ideas of software specification and verification, which are important techniques for assuring the quality of software and eliminating common kinds of errors such as buffer overflow. The tutorial takes a practical hands-on approach using the Whiley language and its verifying compiler. This verifying compiler uses a...
Conference Paper
The quest to develop increasingly sophisticated verification systems continues unabated. Tools such as Dafny, Spec#, ESC/Java, SPARK Ada, and Whiley attempt to seamlessly integrate specification and verification into a pro- gramming language, in a similar way to type checking. A common integration ap- proach is to generate verification conditions t...
Conference Paper
Languages that use call-by-value semantics, such as Whiley, can make program verification easier. But efficient implementation becomes harder, due to the overhead of copying and garbage collection. This paper describes how a mixture of static analysis and runtime-monitoring can be used to eliminate unnecessary copying and deallocate memory without...
Article
Full-text available
The Whiley compiler can generate naive C code, but the code is inefficient because it uses infinite integers and dynamic array sizes. Our project goal is to build up a compiler that can translate Whiley programs into efficient OpenCL code with fixed-size integer types and fixed-size arrays, for parallel execution on GPUs. This paper presents an abs...
Chapter
This chapter gives an overview of the field of model-based testing (MBT), particularly the recent advances in the last decade. It gives a summary of the MBT process, the modeling languages that are currently used by the various communities who practice MBT, the technologies used to generate tests from models, and discusses best practices, such as t...
Article
Full-text available
Purpose This paper describes dynamic agent composition, used to support the development of flexible and extensible large-scale agent-based models (ABMs). This approach was motivated by a need to extend and modify, with ease, an ABM with an underlying networked structure as more information becomes available. Flexibility was also sought after so tha...
Article
This paper presents simulation results for future electricity grids using an agent-based model developed with MODAM (MODular Agent-based Model). MODAM is introduced and its use demonstrated through four simulations based on a scenario that expects a rise of on-site renewable generators and electric vehicles (EV) usage. The simulations were run over...
Chapter
Energy usage in general, and electricity usage in particular, are major concerns internationally due to the increased cost of providing energy supplies and the environmental impacts of electricity generation using carbon-based fuels. If a "systems" approach is taken to understanding energy issues then both supply and demand need to be considered ho...
Article
This paper introduces a parallel implementation of an agent-based model applied to electricity distribution grids. A fine-grained shared memory parallel implementation is presented, detailing the way the agents are grouped and executed on a multi-threaded machine, as well as the way the model is built (in a composable manner) which is an aid to the...
Conference Paper
Full-text available
Designing the smart grid requires combining varied models. As their number increases, so does the complexity of the software. Having a well thought architecture for the software then becomes crucial. This paper presents MODAM, a framework designed to combine agent-based models in a flexible and extensible manner, using well known software engineeri...
Article
This paper introduces the JStar parallel programming language, which is a Java-based declarative language aimed at discouraging sequential programming, encouraging massively parallel programming, and giving the compiler and runtime maximum freedom to try alternative parallelisation strategies. We describe the execution semantics and runtime support...
Conference Paper
Full-text available
With an increasing number of small-scale renewable generator installations, distribution network planners are faced with new technical challenges (intermittent load flows, network imbalances...). Then again, these decentralized generators (DGs) present opportunities regarding savings on network infrastructure if installed at strategic locations. Ho...
Article
Model-based testing relies on models of a system under test and/or its environment to derive test cases for the system. This paper provides an overview of the field. Seven different dimensions define a taxonomy that allows the characterization of different approaches to model-based testing. It is intended to help with understanding benefits and lim...
Article
Full-text available
Usually, test automation scripts for a web application directly mirror the actions that the tester carries out in the browser, but they tend to be verbose and repetitive, making them expensive to maintain and ineffective in an agile setting. Our research has focussed on providing tool-support for business-level, example-based specifications that ar...
Article
Full-text available
Z is a formal specication language combining typed set theory, predicate calculus, and a schema calculus. This paper describes an extension of Z that allows transformation and reasoning rules to be written in a Z-like notation. This gives a high-level, declarative, way of specifying transformations of Z terms, which makes it easier to build new Z m...
Article
Full-text available
A software development process is effectively an abstract form of model transformation, starting from an end-user model of requirements, through to a system model for which code can be automatically generated. The success (or failure) of such a transformation depends substantially on obtaining a correct, well-formed initial model that captures user...
Conference Paper
We propose a simple framework for validation unit testing of Z specifications, and illustrate this framework by testing the first few levels of a POSIX specification. The tests are written in standard Z, and are executable by the CZT animator, ZLive.
Conference Paper
Full-text available
In model-based testing, one of the biggest decisions taken before modelling is the modelling language and the model analysis tool to be used to model the system under investigation. UML, Alloy and Z are examples of popular state-based modelling languages. In the literature, there has been research about the similarities and the differences between...
Article
Full-text available
Jumble is a byte code level mutation testing tool for Java which inter-operates with JUnit. It has been designed to operate in an industrial setting with large projects. Heuristics have been included to speed the checking of mutations, for example, noting which test fails for each mutation and running this first in subsequent mutation checks. Signi...
Article
Full-text available
This paper presents an original model-based testing approach that takes a UML behavioural view of the system under test and automatically generates test cases and executable test scripts according to model coverage criteria. This approach is embedded in the LEIRIOS Test Designer tool and is currently deployed in domains such as Enterprise IT and el...
Book
Full-text available
This book gives a practical introduction to model-based testing, showing how to write models for testing purposes and how to use model-based testing tools to generate test suites. It is aimed at testers and software developers who wish to use model-based testing, rather than at tool-developers or academics. The book focuses on the mainstream practi...
Chapter
Full-text available
We show how real-time schedulability tests and program refinement rules can be integrated to create a formal development method of practical use to real-time programmers. A computational model for representing task scheduling is developed within a imed refinement calculus. Proven multi-tasking schedulability tests then become available as feasibili...
Conference Paper
Community Z Tools (CZT) is an integrated framework for the Z formal specification language. In this paper, we show how it is also designed to support extensions of Z, in a way that minimises the work required to build a new Z extension. The goals of the framework are to maximise extensibility and reuse, and minimise code duplication and maintenance...
Article
Full-text available
This position paper gives an overview of model-based testing and discusses how it might fit into the proposed grand challenge for a program verifier.
Article
Automated test case and test driver generation from a formal model is becoming a more widely used practice in the smart card area. This innovative approach for validation testing makes it possible to ensure the functional coverage of the test suite and to automate the production of executable test scripts. This paper presents an approach to automat...
Conference Paper
Full-text available
Automated test case and test driver generation from a formal model is becoming a more widely used practice in the smart card area. This innovative approach for validation testing makes it possible to ensure the functional coverage of the test suite and to automate the production of executable test scripts. This paper presents an approach to automat...
Conference Paper
Full-text available
This paper presents a model-based framework for the symbolic animation of object-oriented specifications. A customized set-theoretic solver is used to simulate the execution of the system and handle constraints on state variables. We define a framework for animating object-oriented specifications with dynamic object creations, interactions and inhe...
Conference Paper
Full-text available
The Community Z Tools (CZT) project is an open-source Java framework for building formal methods tools for Z and Z dialects. It also includes a set of tools for parsing, typechecking, transforming and printing standard Z specifications in LATEX , Unicode or XML formats. This paper gives an overview of the CZT framework, including an introduction to...
Conference Paper
Full-text available
This paper describes a tool for symbolically animating JML specifications using Constraint Logic Programming. A customized solver handles constraints that represent the value of instance fields. We have extended a model-based approach to be able to handle object-oriented specifications. Our tool is also able to check properties during the simulatio...
Article
Full-text available
Conference Paper
Full-text available
This paper proposes a new family of model-based coverage criteria, based on formalizing boundary-value testing heuristics. The new criteria form a hierarchy of data-oriented coverage criteria, and can be applied to any formal notation that uses variables and values. They can be used either to measure the coverage of an existing test set, or to gene...
Conference Paper
When animating a formal model for validation or test generation purposes, scalability is a key issue. This paper describes a graph-based representation for the operations of state-based formal models. This representation makes it possible to handle large models efficiently and perform a variety of transformations, such as splitting an operation int...
Article
BZ-TESTING-TOOLS (BZ-TT) is a tool set for automated test case generation from B and Z specifications. BZ-TT uses boundary and cause–effect testing on the basis of the formal model. It has been used and validated on several industrial applications in the domain of critical software, particularly smart card and transport systems. This paper presents...
Conference Paper
Full-text available
This paper proposes an XML format for standard Z. We describe several earlier XML proposals for Z, the problems and issues that arose, and the rationales behind our new proposal. The new proposal is based upon a comparison of various existing Z annotated syntaxes, to ensure that the mark-up will be widely usable. This XML format is expected to beco...
Conference Paper
Full-text available
The good news of this paper is that without extending Z, we can elegantly specify object-oriented systems, including encapsulation, inheritance and subtype polymorphism (dynamic dispatch). The bad news is that this specification style is rather different to normal Z specifications, more abstract and axiomatic, which means that it is not so well sup...
Article
In this paper we show how ecient data structures can be automatically introduced into programs that are written using at database like relations. We describe a compilation process for Starlog, which is a pure logic programming language with temporal features that allow updates to be supported cleanly. Starlog programs are translated into an interme...
Conference Paper
Generally logic programs are considered more abstract than programs written in other paradigms. Yet most logic programs are strongly dependent on programmer-defined data structures - such as lists in Prolog. Logic programs often become saturated with data structure manipulation code which obscures the original problem and requires large-scale rewri...
Conference Paper
We present a method for black-box boundary testing from B and Z formal specifications. The basis of the method is to test every operation of the system at every boundary state using all input boundary values of that operation. The test generation process is highly automated. It starts by calculating boundary goals from Pre/Post predicates derived f...
Conference Paper
This paper compares two methods of generating tests from formal specifications. The Test Template Framework (TTF) method is a framework and set of heuristics for manually generating test sets from a Z specification. The B Testing Tools (BTT) method uses constraint logic programming techniques to generate test sequences from a B specification. We gi...
Article
Full-text available
In this paper, we present an environment for boundary-value test generation from Z and B specifications. The test generation method is original and was designed on the basis of several industrial case-studies in the domain of critical software (Smart Card and transport areas). It is fully supported by a tool-set: the BZ-Testing-Tools environment. T...
Article
Full-text available
To support formal reasoning in mathematical and software engineering applications, it is desirable to have a generic prover that can be instantiated with a range of logics. This allows the prover to be applied to a wider variety of reasoning tasks than a fixed-logic prover. This paper describes the design principles and the architecture of the late...
Article
A new style of formal methods course is described, based on a pragmatic approach that emphasizes testing. The course introduces students to formal specification using Z, and shows how formal specification and testing can benefit each other, in both the validation and verification phases. It uses a tools-based approach, with practical work that rein...
Article
Full-text available
We describe an approach to logic programming where the execution of a pure logic program is ordered on "temporal" values in the program. The resulting programs are relational and avoid a premature commitment to data structures. This is a strong advantage in a programming language. We present the programming language Starlog as an example of this ap...
Article
Full-text available
Starlog is a purely declarative, temporal, logic programming language. It supports both bottom-up and top-down execution and is well-suited to writing reactive programs. This paper presents a simple methodology for proving Starlog programs correct with respect to predicate calculus specifications. The promise of declarative programming languages is...
Article
We present a comprehensive refinement calculus for the development of sequential, real-time programs from real-time specifications. A specification may include not only execution time limits, but also requirements on the behaviour of outputs over the duration of the execution of the program. The approach allows refinement steps that separate timing...
Article
Full-text available
: This paper describes some of the diculties and challenges that arise during the design of tools for validating Z specications by testing and animation. We address three issues: handling undened terms, simplication versus enumeration, and the representation of sets, and show how each issue has been handled in the Jaza tool. Finally, we report on a...
Conference Paper
Full-text available
We report on the software development techniques used in the New Zealand software industry, paying particular attention to requirements gathering. We surveyed a selection of software companies with a general questionnaire and then conducted in-depth interviews with four companies. Our results show a wide variety in the kinds of companies undertakin...
Article
. We report on the software development techniques used in the New Zealand software industry, paying particular attention to requirements gathering. We surveyed a selection of software companies with a general questionnaire and then conducted in-depth interviews with four companies. Our results show a wide variety in the kinds of companies undertak...
Article
Full-text available
In this paper, we describe work we have been doing on implementing the logic in Ergo 5. Initially, we have chosen to implement the ZUM'98 version of the logic, which uses explicit Curry-style typing rules, rather than the more recent Church-style presentation, because the former is more suited to mechanization. Ergo 5 is the latest version of a ser...
Article
Full-text available
A new version of the Ergo theorem prover is under development. It uses a single tactic language, based on Angel, for tactic programming, user interface, and proof representation. This paper describes the language as it is used in each of these cases, and explains the details of its implementation in Qu-Prolog. An example from classical propositiona...
Article
Full-text available
In this thesis, the refinement calculus is extended to support a variety of object-oriented programming styles. The late binding of procedure calls in object-oriented languages is modelled by defining an object-oriented system to be a function from procedure names and argument values to the procedures that are invoked by late binding. The first mod...
Article
Developing concurrent real-time programs is one of computer science's greatest challenges. Not only is such software expensive to manufacture, but its role in safety-critical systems demands that it be correct. Formal methods of program specification and refinement could strengthen the mathematical precision used to develop such software. Neverthel...
Conference Paper
This paper describes the interactive verification of a simple interrupt-driven real-time scheduler written in the machine code language of the MIPS R3000 RISC processor. The formal verification was carried out using the interactive theorem prover Ergo.
Technical Report
Full-text available
This specification builds on top of a low level pipeline specification of the MIPS R3000 and presents a more abstract view of instruction execution. The specification defines a more abstract (instruction level) state of the R3000 CPU together with its data and instruction caches. It models each instruction as causing an atomic change in the state o...
Conference Paper
Full-text available
Object-oriented languages typically use late binding for procedure calls on objects. This raises a potential problem for programmers who wish to reason about their programs, because the effects of a procedure call cannot always be determined statically. In this paper we develop a simple model of procedure invocation for object-oriented languages ba...
Article
This paper describes a refinement tool we are developing, with special emphasis on the use of tactics. The operation of the tool is illustrated by stepping through the derivation of a selection sort algorithm. Several aspects of the tool and its implementation are then discussed in more detail, stressing the way in which the tool assists the user i...
Article
. Embedded real-time programs can be succinctly specified using timed traces. Each sequentially executed statement acts to define a distinct trace segment. An elegant way of defining the effect of such statements is as trace `coercers' that impose constraints on existing, but underspecified, traces. Unfortunately this model fails the usual refineme...
Conference Paper
Full-text available
This paper gives an overview of the real-time specification of a commercial RISC processor. The specification is at two related levels, with an abstraction relation defined between them. The lower level specification models separate stages of execution of up to five overlapped instructions. The higher level specification abstracts from the lower le...
Article
In this paper an outline is given of an approach to formally reasoning about importation, parameterisation and instantiation of specifications written in a modular extension of the Z language (called Sum). Interpretation and instantiation of theories in first order logic are well understood. We illustrate how to use these results directly to provid...
Article
This report describes a Haskell [HPe92] module that implements finite versions of the set, relation and function types from Z [Hay87] [Spi89]. It uses the literate script convention, where each executable Haskell line begins with a ? character. ? module ZTypes( Set, ? set, union, inter, diff, genunion, geninter, ? mem, notmem, subset, psubset, disj...
Article
The ability to animate Z specifications is useful in allowing a specifier to explore the behaviour of a specification. This paper defines three new evaluation criteria for animation systems, interactivity, transparency and operational equivalence. It also describes a simple Haskell-based animation system that satisfies these criteria. A system that...
Article
Full-text available
This document contains a specification of the behavioural and real-time aspects of a typical MIPS R3000 RISC CPU. To increase assurance of correctness relative to the operational behaviour of the actual device, this specification directly specifies the five-stage pipeline structure of the CPU, rather than taking an instruction level view. A more ab...
Article
Full-text available
. We show how real-time schedulability tests and program refinement rules can be integrated to create a formal development method of practical use to real-time programmers. A computational model for representing task scheduling is developed within a `timed' refinement calculus. Proven multi-tasking schedulability tests then become available as feas...
Article
Full-text available
This document describes the commands available in the theorem prover Ergo. It assumes that the reader is familiar, to some extent, with Ergo (refer to the Ergo User Manual [UW94]). As such, it is intended to serve as a reference only. Ergo is a term rewriting theorem prover designed and implemented at the Software Verification Research Centre at th...
Article
Full-text available
We have recently extended the sequential refinement calculus to handle real-time programs. A novel deadline command allows execution time limits to be expressed in a high-level language. The calculus allows refinement steps that separate timing constraints from non-timing requirements. Rules are provided for handling timing constraints, but the ref...
Article
. This paper gives an overview of: two levels of formal specification of the real-time behaviour of a commercial RISC chip; an approach to verifying the higher-level specification relative to the lower-level one; and the proof tool and environment used for the proofs. The specifications are written in functional logic, which provides an adaptable m...
Article
Full-text available
Object-oriented systems are typically structured as complex networks of interacting mutable objects. To reason about such systems, simple and efficient techniques for coping with aliasing are needed. This paper identifies several key criteria for evaluating techniques for reasoning about aliasing, then proposes a technique which satisfies these cri...
Article
This document is a tutorial designed to get new users familiar with the schema reasoning environment of the Ergo proof tool. The schema environment consists of Ergo theories, tactics and oracles for proving properties about Sum specifications and especially specifications involving the schema calculus operations. In this tutorial we show how to gen...
Article
this document to describe Qu-Prolog in detail. However, since Ergo is implemented in Qu-Prolog, some comments about Qu-Prolog are required in order to use its syntax during interaction with the system. Furthermore, many users of Ergo will need to have sufficient knowledge of Qu-Prolog to be able to write simple tactics and heuristics. See [Robinson...
Article
Full-text available
s and compressed postscript files are available via http://svrc.it.uq.edu.au The Ergo 5 Generic Proof Engine Mark Utting Abstract This paper describes the design principles and the architecture of the latest version of the Ergo proof engine, Ergo 5. Ergo 5 is a generic interactive theorem prover, similar to Isabelle, but based on sequent calculus r...
Article
We describe some of the technology we used to build a user interface for a programmable theorem prover. By separating the user interface from the application itself, it is possible to experiment with new interface features very easily, without compromising the soundness of the proof tool. INTRODUCTION In this paper, we describe some of the technolo...