No full-text available
To read the full-text of this research,
you can request a copy directly from the authors.
Possum: an animator for the SUM specification language
Abstract
We present an overview of the Possum specification animation
system, an addition to the Cogito methodology and toolset. Possum allows
interpretation (or animation) of specifications written in SUM, which is
the specification language used in Cogito. We give an account of the
functionality of Possum, illustrated by some simple examples, and
describe the way in which Possum is used in a typical Cogito
development. The current capabilities and limitations of Possum are
reviewed from a technical perspective and an overview of other systems
that support the animation of formal specification languages is
presented
... Earlier [16], we showed two different approaches to visualising refinements. The second of these involved the use of an animation tool, Possum [7], to simultaneously animate an abstract specification, and some concrete specification that is intended to be a refinement of the abstract specification. The motivation was to explore the specifications together, in order to both improve understanding of the refinement and, at each step, visually confirm that the refinement relationship still holds. ...
... We now return to our main focus, the use of a Z animation tool for checking refinements. The animation tool we use is Possum [7], a part of the Cogito [5] toolset. Possum can accept a variety of Z style notations. ...
... As stated by Hazel et al. [7], Possum interprets queries and responds with simplifications of those queries. It can be used either to step through consecutive states of a state machine by "executing" the operations of that machine, or to evaluate arbitrary expressions and predicates. ...
We describe how a Z animation tool can be used to check Z data refinements. We illustrate two approaches. In the first approach the tool is used to interactively step through operations of the abstract and concrete specifications, checking whether the refinement relationship holds. In the second approach the tool is used to automatically check refinements and to provide counter-examples should the refinement fail. We envisage these techniques being used in order to improve understanding of refinements and to help validate their correctness.
... They also investigate how testgraphs can be used to drive the testing of graphical user interfaces (GUIs) [37]. The approach is applicable to any model-based specification language that has an appropriate animation tool, however, the tool support for the framework is implemented for the Sum specification language [24] and the Possum animator [17]. The case study presented in this paper also uses these languages and the corresponding tool support. ...
... This section presents the Sum specification language [24] and Possum animation tool [17]. Sum is used to specify the GSM example, and Possum is used as the basis for the tool support in the framework. ...
... To simplify queries such as this, Possum uses a mix of generate-and-test and other constraint-solving techniques (see Hazel et al. [17] for more details). Due to the undecidability of Z and Sum, it is clear that Possum cannot execute/evaluate every predicate or expression given to it. ...
Despite the existence of a number of animation tools for a variety of languages, methods for employing these tools for specification testing have not been adequately explored. Similarly, despite the close correspondence between specification testing and implementation testing, the two processes are often treated independently, and relatively little investigation has been performed to explore their relationship. This paper presents the results of applying a framework and method for the systematic testing of specifications and their implementations. This framework exploits the close correspondence between specification testing and implementation testing. The framework is evaluated on a sizable case study of the Global System for Mobile Communications 11.11 Standard, which has been developed towards use in a commercial application. The evaluation demonstrates that the framework is of similar cost-effectiveness to the BZ-Testing-Tools framework and more cost-effective than manual testing. A mutation analysis detected more than 95% of non-equivalent specification and implementation mutants. Copyright © 2010 John Wiley & Sons, Ltd.
... In this section, we present the example used throughout this paper and introduce the Possum specification testing tool [Hazel et al. 1997;], which is used as the basis for the tool support in the framework. ...
... To simplify queries such as this, Possum uses a mix of generate-and-test and other constraint-solving techniques (see [Hazel et al. 1997] for more details). ...
... Several specification testing tools exist that automatically execute or interpret specifications. The specification testing tool we use in this work is Possum [Hazel et al. 1997;, which executes Z and other Z-like languages. PiZA [Hewitt et al. 1997] is another testing tool for Z. PiZA translates specifications into Prolog to generate output variables. ...
Formal specifications can precisely and unambiguously define the required behavior of a software system or component. However, formal specifications are complex artifacts that need to be verified to ensure that they are consistent, complete, and validated against the requirements. Specification testing or animation tools exist to assist with this by allowing the specifier to interpret or execute the specification. However, currently little is known about how to do this effectively. This article presents a framework and tool support for the systematic testing of formal, model-based specifications. Several important generic properties that should be satisfied by model-based specifications are first identified. Following the idea of mutation analysis, we then use variants or mutants of the specification to check that these properties are satisfied. The framework also allows the specifier to test application-specific properties. All properties are tested for a range of states that are defined by the tester in the form of a testgraph, which is a directed graph that partially models the states and transitions of the specification being tested. Tool support is provided for the generation of the mutants, for automatically traversing the testgraph and executing the test cases, and for reporting any errors. The framework is demonstrated on a small specification and its application to three larger specifications is discussed. Experience indicates that the framework can be used effectively to test small to medium-sized specifications and that it can reveal a significant number of problems in these specifications.
... It has tool support for each stage of the formal development process, except the role of testing in Cogito is not discussed. An animator called Possum [11,12] is used in Cogito to test the specification before refinement begins. The B Method is another formal development methodology. ...
... Possum [11,12] is an animation tool for Z and Z-like specification languages, including Sum [21]. Possum interprets queries made in Sum and responds with simplifications of those queries. ...
... (0,0), (11,13), (22,26), (33,39), (44,52) This example defines a set of pairs between 0 and 60, where for each pair, the first element times 13 is equal to the second element times 11. ...
A formal specification animator interprets and executes specifications to give them the appearance of liveliness. This can be used to identify errors in a specification because it provides concrete examples of the behaviour of the specification. By providing a suitable user interface, it allows users unfamiliar with specification languages and notations to interact with the specification. We exploit the similarities between animation and testing, and present a method that combines specification animation and software testing of abstract data types (ADTs). Tool support is provided by Peach, which supports the animation of a specification and the testing of an implementation of that specification. We demonstrate the use of our method and tool on a small example, and discuss its application to a larger example
... This work includes the task allocation process among the SoC components, considering high parallelism level and routing scheme considering latency, status link and shortest route. For this purpose, the Z notation [7], a well accepted and ISO standard [8], was chosen as formal specification language and Possum [9] as animation tool used as support during reasoning about architecture properties. This paper is organized as follows: Section 2 depicts the main characteristics of the used NoC. ...
... The first one is related to its maturity level, recently conveyed into ISO standard [8]. The second one concerns the availability of tools to support formal activities, such as type checkers, theorem proves and animation of formal specification [9,19,20]. Additionally, the expressiveness of the Z notation allows starting with high level specifications that can be gradually refined into more concrete ones, without loss of precision and integrity properties defined. ...
This paper presents a qualitative approach for NoC Design based on formal methods. Among the benefits of formalism usage are included a deeper understanding of complex systems, such NoC-based ones, and a precise specification of component features and behavior. The successive refinement strategy adopted aims focusing on specific properties like communication aspects, even considering overall architectural constraints defined. The Z notation was used for specification purpose, Z-eves as type checker, and Possum as animation tool.
... Techniques like execution have been introduced to overcome the difficulty of using a non executable specification language, allowing the specifier to either test or rapidly implement his specification document. Several researchers have reported success in executing subsets of Z translating them to languages such as PROLOG or LISP [21,8]. ...
... Among the few works reported two of them can be remarked: VIZ [21] and POSSUM [8]. Both systems enable the developer to validate visually specifications in Z. Technology provided by VIZ allows software developers to choose an appropriate representation of objects used in an executable formal specification and create animations of these objects in an interactive fashion. ...
The importance of correctly determining the re- quirements of a system at the very beginning of the development process it is a well known fact. Experi- ence shows that the incorrect definition of the require- ments leads to the development of deficient systems, increases the cost of its development or even causes projects to fail. Therefore it is crucial for the clients to verify that the planned system satisfies their needs. This means that the system must be described in a form that clients can clearly understand it. In this con- text, visualization techniques appear as a useful tool to help the users in the process of requirements under- standing and validation. This work proposes the use of D visualization tech- niques to validate the requirements of a system with the user. The use of these techniques can reduce the communication gap between the clients and the devel- opers resulting in a much more effective process of re- quirements validation. The approach tries to take ad- vantage of the benefits of the 3D visualization, com- plementing this with the advantages of formal speci- fications. A tool, called ReqViz3D, that materializes the pro- posal was developed. This tool allows to specify the requirements in the formal language Z, define a graphical representation of them, and create a 3D ani- mated visualization of theirs execution through which the users can validate them. Keywords: Requirements, Visualization, Require- ments Visualization, 3D Graphics, Formal Specifica- tions.
... As Miller and Strooper pointed out in (Strooper and Miller, 2001), animation serves two purposes: (1) giving end users and field experts a chance to interact with the specification and observe its operational behavior, and (2) providing the specifier with concrete examples of how the specification behaves, so that they can check whether the specification reflects the intended properties of their design. Some tools have been built to support animation of different specification languages, such as PiZA (Hewitt et al., 1997), ZAL animation system (Morrey et al., 1998), Possum (Hazel et al., 1997), B-Model animator (Waeselynck and Behnia, 1998), and ANGOR (Combes et al., 2002), but most of those tools focus on the approach similar to testing: executing specifications with sample input values and analyzing the results. In general, this kind of technique requires a translation from a formal specification language to an executable programming language (e.g., Prolog or LISP), which imposes many restrictions to the style of the specifications written in the specification language. ...
... The final step is to ''execute'' the identified predicate expressions by substituting concrete values for corresponding variables in the predicate expressions and evaluate the expressions. In addition to the above work on Z specification animation, there are also studies on animation of other specification languages, such as OCL for UML (Gray and Schach, 2000), B (Waeselynck and Behnia, 1998), and SUM (Hazel et al., 1997). ...
Formal specification has been increasingly adopted for the development of software systems of the highest integrity. However, the readability of specifications for large-scale and complex systems can be so poor that even the developers may not easily understand whether their specifications define the “intended behaviors”. In this paper, we describe a software tool that supports the animation of specifications by simulating their functional scenarios using the Message Sequence Chart (MSC). The tool extracts automatically functional scenarios from a specification and generates a message sequence chart for each of them for a syntactic level analysis. The tool can also execute a functional scenario with test cases for a semantic level analysis if all the processes involved in the scenario are defined using explicit specifications. With the tool support the animation of a specification can be carried out incrementally to assist its user to review the adequacy of the specification. We present a case study applying the tool to animate a formal specification for a library system and evaluate its result.
... Techniques like execution have been introduced to overcome the difficulty of using a non-executable specification language, allowing the specifier to either test or rapidly implement his/her specification document. Several researchers have reported success in executing subsets of Z translating them to languages such as PROLOG or LISP [26,12]. ...
... Among the few works reported, two of them can be remarked: VIZ [26] and POSSUM [12]. Both systems enable the developer to visually validate specifications in Z. Technology provided by VIZ allows software developers to choose an appropriate representation of objects used in an executable formal specification and create animations of these objects in an interactive fashion. ...
It is a well-known fact the real significance of correctly determining requirements of a system at the very beginning of the development process. Indeed, experience demonstrates that the incorrect definition of requirements leads to development of deficient systems, increases the cost of its development or even causes projects to fail. Thus, it is crucial for clients to verify that the planned system satisfies their needs. In order to help users in the process of requirements understanding and validation this work proposes using 3D visualization techniques. The use of these techniques can reduce the communication gap between clients and developers resulting in a much more effective process of requirements validation. The approach tries to take advantage of the benefits of the 3D visualization, complementing this with the advantages of formal specifications. The approach proposes the use of formal specifications in a lighter way. This means that no formal reasoning (theorem proving) is carried out to check the properties of the specified system and the emphasis is focused on the execution and animation of the specification for early validation. A prototype tool that materializes the proposal was developed. The tool allows specifying the requirements in the formal language Z, defining a graphical representation of them and creating a 3D animated visualization of their execution through which the users can validate them.
... Possum is an animation interpreter for specifications written in Sum. Possum was developed at the Software Verification Research Centre at the University of Queensland [27, 97] . The advantages of using such animation tools in the field of security has been demonstrated in the analysis of fair exchange protocols [15]. ...
... This could not be done in a real environment because the model was part of an architecture that was currently under development. The model was thus specified using Z. Fuzz [86] was used to verify the specification and the Possum interpreter [27] was used to test the functionality of the proposed model. The use of formal mechanisms and verification tools helped us to analyse the architecture and correct the vulnerabilities identified during the verifica- tion. ...
Location information is used to provide a diverse range of services to users such as emergency, navigation, billing, security, information and advertising services. This information is derived from a broad range of indoor and outdoor technologies. The location information thus derived is of different granularity, different co-ordination system and is controlled by numerous service providers. In addition to this, broad selections of devices are used for providing these services. Having a diverse range of applications requiring location information at different levels of granularity, the need to export location information across multiple devices and the existence of different location determination technologies necessitates the need for heterogeneous location network. These networks derive location information from multiple sources and provides various location-based services to users irrespective of the medium, device or technology used. Security, user privacy and management of location information are some of the important issues that need to be addressed. The main contribution of this thesis is the design of a secure and privacy assured heterogeneous location architecture. A formal methodology was chosen to design the heterogeneous location architecture. The design of the architecture resulted in a novel key distribution protocol and a model for information flow that can be easily encapsulated into applications or architectures having similar requirements. The research also resulted in the enhancement of a proposed location framework for securing critical infrastructures using context-aware self-defending objects. The proposed enhanced framework helps to negate the security vulnerabilities introduced through the use of general-purpose computer systems in critical infrastructures.
... We use the Z animation tool Possum [12], a part of the Cogito [11] toolset, to visualise and animate action system refinement. This extends our previous work on visualising and animating Z refinements [21, 20]. ...
... However, these lack important features of Possum, such as the ability to execute implicit specifications and the ability to plug-in vi- sualisations. Possum interprets queries, written in Z, and responds with simplifications of those queries [12]. It can be used either to step through consecutive states of a state machine by " executing " the operations of that machine, or to evaluate arbitrary expressions and predicates. ...
Refinement is the process of deriving verifiably-correct software from its specification. In practice, however refinement steps are complex and difficult to prove correct. We show how animation can be used to provide insights into the correctness, or otherwise, of refinement steps for the most general form of data refinement in which the whole system design can be changed in a single step.
... The three tools that we have used to date are Possum, ZANS, and ZETA/ZAP. Possum is an animator been developed by the Software Verification Research Centre at the University of Queensland in Australia (see [3]) 1 . ...
... The design goal and mode of evaluation adopted by the developers of Possum was to build a system that would work on a collection of existing specifications. Possum was designed to animate the SUM specification language [3] but can also be used to animate Z. ...
In this paper we describe our experience of using three different animation systems. We searched for and decided to use these tools in the context of a project which involved developing formal versions (in Z) of informal requirements documents, and then showing the formal versions to people in industry who were not Z users (or users of any formal techniques). So, an animator seemed a good way of showing the behaviour of a system described formally without the audience having to learn Z. A requirement, however, that the tools used have to satisfy is that they correctly animated Z (whatever that may mean) and they behave adequately in terms of speed and presentation. We have to report that none of the tools we looked at satisfy these requirements---though to be fair all of them are still under development. 1
... In the last decade, several animation tools have been developed for executing and interpreting formal specifications automatically. For example, PiZA [8] is an animator for Z, and Possum [6, 7] is an animator for Z and Z-like specification language. The animation tool used in our monitoring system is Jaza [21]. ...
With current trends towards more complex software system and use of higher level languages, a monitoring technique is of increasing importance for the areas such as performance enhancement, dependability, correctness checking and so on. In this paper, we present a formal specification-based online monitoring technique. The key idea of our technique is to build a linking system, which connects a specification animator and a program debugger. The required information about dynamic behaviors of the formal specification and concrete implementation of a target system is obtained from the animator and the debugger. Based on that information, the judgment on the consistency of the concrete implementation with the formal specification will be provided. Not embedding any instrumentation code into the target system, our monitoring technique will not alter the dynamic behavior of the target system. Animating the formal specification, rather than annotating the target system with extra formal specifications, our monitoring technique separates the implementation-dependent description of the monitored objects and the formal requirement specification of them
... Alchemy sits at a very different point in the design space of synthesizers, trying to relieve developers the burden of proceeding from a partial, non-deterministic specification to a rapid (and hopefully usable) prototype; to instead build large, industrial systems, Alchemy would probably have to adopt techniques such as refinement. Numerous tools " animate " specifications in Z and similar languages (e.g., [15, 24]), B [31] , and the Java Modeling Lan- guage [4]. These tools typically refine a given specification gradually into first-order logic or a language such as Prolog. ...
Alloy specifications are used to define lightweight models of systems. We present Alchemy, which compiles Alloy specifi- cations into implementations that execute against persistent databases. Alchemy translates a subset of Alloy predicates into imperative update operations, and it converts facts into database integrity constraints that it maintains automati- cally in the face of these imperative actions. In addition to presenting the semantics and an algorithm for this compilation, we present the tool and outline its application to a non-trivial specification. We also discuss lessons learned about the relationship between Alloy speci- fications and imperative implementations.
... Currently SAL provides a suite of four model checkers and a simulator. The SAL simulator is a fully customisable environment for manipulating state transition systems and their traces, and it is a significant advance on Z animators such as Possum [7]. The model checkers are also fully customisable. ...
The Symbolic Analysis Laboratory (SAL) is a suite of tools for analysis of state transition systems. Tools supported include a simula- tor and four temporal logic model checkers. The common input language to these tools was originally developed with translation from other lan- guages, both programming and specication languages, in mind. It is, therefore, a rich language supporting a range of type denitions and ex- pressions. In this paper, we investigate the translation of Z specications into the SAL language as a means of providing model checking support for Z. This is facilitated by a library of SAL denitions encoding the Z mathematical toolkit.
... We used the software tool Possum. Possum was developed at the Software Verification Research Centre at the University of Queensland [13]. It provides animation of specifications written in Sum, which is essentially a markup of Z. Possum supports Z conventions for modelling state based systems and allows for manual as well as script based animations. ...
We propose a way to unify two approaches to analysis of protocol security, namely complexity theoretic cryptographic analysis
and formal specification with machine analysis. We present a specification in Sum of the Bellare–Rogaway cryptographic model
and demonstrate its use with a specification of a protocol of Jakobsson and Pointcheval. Although this protocol has a proof
in the Bellare-Rogaway model, its original version was flawed. We show that our specification can be used to find the flaw.
... The rules are written as schemas that are executable by a specification animator, so the user may interact with the animation software to automate the refactoring process. The evolution of the case study presented in this paper has been successfully automated using this technique, taking advantage of the Possum [8] animator. The possibility exists for abstraction from the specification language itself to allow succinct formal specification and reasoning about these refactoring steps, in a similar vein to the work presented by Mens et al. [14] and Lämmel [20], and this is also left for future work. ...
Object-Z offers an object-oriented means for structuring formal specifications. We investigate the application of refactoring rules to add and remove structure from such specifications to forge object-oriented designs. This allows us to tractably move from an abstract functional description of a system toward a lower-level design suitable for implementation on an object-oriented platform.KeywordsProof ObligationClass SimulationPlayer ObjectPlayer ClassCoalescence RuleThese keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.
... Techniques like execution have been introduced to overcome the difficulty of using a non executable specification language, allowing the specifier to either test or rapidly implement his specification document. Several researchers have reported success in executing subsets of Z translating them to languages such as PROLOG or LISP (Ozcan et al., 1998)(Traynor et al., 1997). Although specification execution can provide immediate feedback during the process of writing a specification and reduce the errors made at the early stages of the development process, seems yet to be more useful to developers rather than to users. ...
This paper presents a prototype tool to animate and visualize require- ments called REQVIZ. In essence, this tool takes a Z specification as input and generates a visualization as output, through which, users can validate require- ments. The prototype was developed based on architectural design driven by pat- terns. This process brings benefits that impact directly on understanding, reuse, evolution, analysis and documentation management of the system. This tool aims to help to achieve a more effective requirement validation using vi- sualization techniques that reduce the communication gap between the customer and developer: the system is described in a way that the costumer can understand. The requirements are stated by the developer in a formal language, in particular Z, because formal specification languages enables us to denote them unambigu- ously. Also visualization techniques were developed using D graphics taking advantage of this kind of presentations.
... The algorithm of section 4.1 was developed during an initial prototyping phase, using a specification and animation language. The Possum animator [9], based on the Z specification language, was chosen. This was in order to provide the benefits of formal specification, with the additional benefit of execution of the specification. ...
... Most of the animation work deals with the trade-off between expressiveness of the notation and its executability, especially with the Z notation. For example, Possum [8] executes Z and uses Cogito to test the specification before refining. Works about Object-Z animation with a Z animation environment has been described in [11]. ...
This paper presents a model-based framework for the symbolic animation of object-oriented specifications. A customized set-theoretic solver is used to simulate the execution of the system and handle constraints on state variables. We define a framework for animating object-oriented specifications with dynamic object creations, interactions and inheritance. We show how this technique can be applied to Java Modeling Language (JML) specifications, making it possible to animate Java programs that only contain method interfaces and no code!
... The rules are written as schemas that are executable by a specification animator, so the user may interact with the animation software to automate the refactoring process. The evolution of the case study presented in this paper has been successfully automated using this technique, taking advantage of the Possum animator [10]. The use of an animator readily allows for the searching of possible state spaces (designs), which is very helpful for identifying candidate classes for application of the rules. ...
We present a process for introducing an object-oriented architecture into an abstract functional specification written in Object-Z. Since the design is derived from the specification, correctness concerns are addressed as pan of the design process. We base our approach on refactoring rules that apply to class structure, and use the rules to implement design patterns. As a motivating example, we introduce a user-interface design that follows the model-view-controller paradigm into an existing specification.
... In this work, we have used the Possum animator [11,12], and we have implemented a Java class to communicate with Possum. The interface is generic in order to easily accommodate changes to Possum and possibly other animators. ...
Achieving consistency between a specification and its implementation is an important part of software development. In this paper, we present a method for generating passive test oracles that act as self-checking implementations. The implementation is verified using an animation tool to check that the behavior of the implementation matches the behavior of the specification. We discuss how to integrate this method into a framework developed for systematically animating specifications, which means a tester can significantly reduce testing time and effort by reusing work products from the animation. One such work product is a testgraph: a directed graph that partially models the states and transitions of the specification. Testgraphs are used to generate sequences for animation, and during testing, to execute these same sequences on the implementation.
... A variety of model finders have been developed for group-theoretic investigations [eg, 33]; these work on a logic of uninterpreted functions, and do not handle relations or closure. Several animators for Z have been developed using Prolog as an underlying engine [11,12,24,43], but these cannot handle large spaces. Most other tools for relational notations are less automatic. ...
An automatic analysis method for first-order logic with sets and relations is described. A first-order formula is translated to a quantifier-free boolean formula, which has a model when the original formula has a model within a given scope (that is, involving no more than some finite number of atoms). Because the satisfiable formulas that occur in practice tend to have small models, a small scope usually suffices and the analysis is efficient.
The paper presents a simple logic and gives a compositional translation scheme. It also reports briefly on experience using the Alloy Analyzer, a tool that implements the scheme.
Formal specification can benefit software quality by precisely defining the behaviors of operations to prevent primary mistakes in the early phase of software projects, but a remaining challenge is how such a specification can be checked comprehensibly to show whether it satisfies the user’s perception of requirements. In this paper, we describe a new technique for animating operation specifications as a means to address this problem. The technique offers new ways to do (1) automatic animation data generation for both input and output of an operation based on pre- and post-conditions, (2) visualized demonstration of the relationships between input and the corresponding output, (3) comprehensible animation of data items, and (4) illustrative animation of logical expressions and the operators used in them. We discuss these issues and present a prototype tool that supports the automation of the proposed technique. We also report an industrial application as a trial experiment to validate the technique. Finally, we conclude the paper and point out future research directions.
This paper proposes an extension of operation semantics and discusses its benefits in enhancing the applicability of Morgan’s formal refinement calculus in practical software development.
Prototypes can be an effective way of interacting with an end-user to validate that the user's requirements have been correctly captured. In the formal methods community, specification animation has been investigated as a way of creating a kind of prototype that is generated from a formal specification. Enriching UML diagrams with OCL constraints can provide the formality that is needed to animate the diagrams without the need for a more rigorous formal specification language. This paper provides an overview of issues concerning specification animation and describes an initial attempt at an animation environment for UML/OCL. We translate the UML/OCL into an object- oriented declarative language, Prolog++, and utilize a primitive animation environment that allows both a developer and client to explore the validity of the specification. In particular, in this paper we focus on animating the effect of constraints.
This paper presents a formal specification-based software monitoring approach that can dynamically and continuously monitor
the behaviors of a target system and explicitly recognize undesirable behaviors in the implementation with respect to its
formal specification. The key idea of our approach is in building a monitoring module that connects a specification animator
with a program debugger. The requirements information about expected dynamic behaviors of the target system are gathered from
the formal specification animator, while the actual behaviors of concrete implementations of the target system are obtained
through the program debugger. Based on the information obtained from both sides, the judgement on the conformance of the concrete
implementation with respect to the formal specification is made timely while the target system is running. Furthermore, the
proposed formal specification-based software monitoring technique does not embed any instrumentation codes to the target system
nor does it annotate the target system with any formal specifications. It can detect implementation errors in a real-time
manner, and help the developers and users of the system to react to the problems before critical failure occurs.
Describes a rigorous approach to safety validation of embedded control software by specification animation. The software control logic is specified in Z and systematically animated together with a model of the equipment under control. All reachable equipment states under software control are systematically identified and compared with known hazardous states in normal operation and under dominant failure conditions. The process is completely automated, removing the need for human intervention and associated errors, and can be applied much earlier than traditional test-based techniques. As a result, the validation method has the potential to provide cost-effective, high-integrity safety assurance for embedded software. The approach is illustrated with a hypothetical industrial press control system
Fair exchange protocols are a mechanism to ensure that items held by two parties are exchanged without one party gaining an advantage. Several such protocols have been proposed in recent years. We used the Possum animation tool to explore these protocols to examine whether they achieve their security goals. Our experiments revealed some new attacks and helped to gain other useful insights into various fair exchange protocols.
It is not surprising that students are unconvinced about the benefits of formal methods if we do not show them how these methods can be integrated with other activities in the software lifecycle. In this paper, we describe an approach to integrating formal specification with more traditional verification and validation techniques in a course that teaches formal specification and specification-based testing. This is accomplished through a series of assignments on a single software component that involves specifying the component in Object-Z, validating that specification using inspection and a specification animation tool, and then testing an implementation of the specification using test cases derived from the formal specification.
We present ProB, a validation toolset for the B method. ProB's automated animation facilities allow users to gain confidence in their specifications. ProB also contains a model checker and a refinement checker, both of which can be used to detect various errors in B specifications. We describe the underlying methodology of ProB, and present the important aspects of the implementation. We also present empirical evaluations as well as several case studies, highlighting that ProB enables users to uncover errors that are not easily discovered by existing tools.
This paper presents a systematic approach to proving temporal properties of arbitrary Z specifications. The approach involves (i) transforming the Z specification to an abstract temporal structure (or state transition system), (ii) applying a model checker to the temporal structure, (iii) determining whether the temporal structure is too abstract based on the model checking result and (iv) refining the temporal structure where necessary. The approach is based on existing work from the model checking literature, adapting it to Z.
This paper presents a framework for systematically animating specifications using testgraphs: directed graphs that partially model the specification being animated. Sequences for the animation are derived by traversing the testgraph. The framework provides a testgraph editor that allows users to edit testgraphs and supports automated testgraph traversal. We demonstrate our framework on a small specification, and discuss its application on two larger specifications. Experience with the framework so far indicates that it can be used to effectively animate small to medium-sized specifications and that it can reveal a significant number of problems in these specifications.
Completeness and feasibility of a specification are important properties for the assurance of a valid and correct implementation, but they are extremely difficult to be formally verified. In this paper, we describe an inspection method for analyzing the completeness and feasibility of an operation specified using pre- and postconditions. The characteristic of the method is that it utilizes test case generation criteria in forming questions of checklist and test case generation process as a reading technique for inspection. We formally define the properties, the criteria for test case generation, and discuss how they are used for inspection in practice.
Modeling to predict fault-proneness of software modules is an important area of research in software engineering. Most such models employ a large number of basic and derived metrics as predictors. This paper presents modeling results based on only two metrics, lines of code and cyclomatic complexity, using radial basis functions with Gaussian kernels as classifiers. Results from two NASA systems are presented and analyzed.
Achieving consistency between a specification and its implementation is an important part of software development In previous work, we have presented a method and tool support for testing a formal specification using animation and then verifying an implementation of that specification. The method is based on a testgraph, which provides a partial model of the application under test. The testgraph is used in combination with an animator to generate test sequences for testing the formal specification. The same testgraph is used during testing to execute those same sequences on the implementation and to ensure that the implementation conforms to the specification. So far, the method and its tool support have been applied to software components that can be accessed through an application programmer interface (API). In this paper, we use an industrially-based case study to discuss the problems associated with applying the method to a software system with a graphical user interface (GUI). In particular, the lack of a standardised interface, as well as controllability and observability problems, make it difficult to automate the testing of the implementation. The method can still be applied, but the amount of testing that can be carried on the implementation is limited by the manual effort involved.
We discuss a methodology for animating the Object-Z specification language using a Z animation environment. Central to the process is the introduction of a framework to handle dynamic instantiation of objects and management of object references. Particular focus is placed upon building the animation environment through pre-existing tools, and a case study is presented that implements the proposed framework using a shallow encoding in the Possum Z animator. The animation of Object-Z using Z is both automated and made transparent to the user through the use of a software tool named O-zone.
Animation tools have proven to be effective as a means of visualising formal specifications. Specifications that might otherwise be impenetrable can be communicated to a wide range of people involved in the software development process. The authors argue that animation can also aid understanding of formal program development or refinement. We examine two case studies that demonstrate the effectiveness of visualisations generated from a specification animation tool for improving the understanding of refinements
A formal specification animator executes and interprets traces on a specification. Similar to software testing, animation can only show the presence of errors, never their absence. However, animation is a powerful means of finding errors, and it is important that we adequately exercise a specification when we animate it. The paper outlines a systematic approach to the animation of formal specifications. We demonstrate the method on a small example, and then discuss its application to a non-trivial, system-level specification. Our aim is to provide a method for planned, documented and maintainable animation of specifications, so that we can achieve a high level of coverage, evaluate the adequacy of the animation, and repeat the process at a later time
Presents an overview of the Possum specification animation system
and its integration into the Cogito methodology and toolset. Possum
allows interpretation (or animation) of specifications written in Sum,
the specification language of Cogito. We distinguish two potential uses
for Possum and illustrate each of these with an example. The first is
the use of Possum for specification verification, where the analysis of
properties of specifications by the specification designer is
emphasised. The second use is specification validation, where the
specification is checked against the informal requirements of the system
A set of CASE tools is described for developing formal
requirements specifications expressed in the SCR (Software Cost
Reduction) tabular notation. The tools include an editor for building
the specifications, a consistency checker for testing the specifications
for consistency with a formal requirements model, a simulator for
symbolically executing the specifications, and a verifier for checking
that the specifications satisfy selected application properties. As
background, the SCR method for specifying requirements is reviewed and a
formal requirements model is introduced. Examples are presented to
illustrate the tools
Test templates and a test template framework are introduced as
useful concepts in specification-based testing. The framework can be
defined using any model-based specification notation and used to derive
tests from model-based specifications-in this paper, it is demonstrated
using the Z notation. The framework formally defines test data sets and
their relation to the operations in a specification and to other test
data sets, providing structure to the testing process. Flexibility is
preserved, so that many testing strategies can be used. Important
application areas of the framework are discussed, including refinement
of test data, regression testing, and test oracles
Demonstrates how Nitpick, a specification checker, can be applied
to the design of a style mechanism for a word processor. The design is
cast, along with some expected properties, in a subset of Z. Nitpick
checks a property by enumerating all possible cases within some finite
bounds, displaying as a counterexample the first case for which the
property fails to hold. Unlike animation or execution tools, Nitpick
does not require state transitions to be expressed constructively, and
unlike theorem provers, Nitpick operates completely automatically
without user intervention. Using a variety of reduction mechanisms, it
can cover an enormous number of cases in a reasonable time, so that
subtle flaws can be rapidly detected
It is demonstrated how model checking can be used to verify safety properties for event-driven systems. SCR tabular requirements describe required system behavior in a format that is intuitive, easy to read, and scalable to large systems (e.g. the software requirements for the A-7 military aircraft). Model checking of temporal logics has been established as a sound technique for verifying properties of hardware systems. An automated technique for formalizing the semiformal SCR requirements and for transforming the resultant formal specification onto a finite structure that a model checker can analyze has been developed. This technique was effective in uncovering violations of system invariants in both an automobile cruise control system and a water-level monitoring system
In ESPRIT project no. EP5570 called IPTES 1 a methodology and a supporting environment for incremental prototyping of embedded computer systems is developed. As a part of this prototyping tool an interpreter for an executable subset of a VDM dialect is developed. Based on a comparative study of different notations inspired by VDM we have now selected an executable subset of the BSI/VDM-SL 2 notation. This executable subset is interesting because it enables the designer to use loose specification. None of the executable VDM dialects which we have investigated contain as large a part of looseness as our subset does. In this article we will focus mainly on which constructs we have in this subset and how we have dealt with the looseness. Furthermore we will sketch the connection between the semantics of our subset and the semantics for the full BSI/VDM-SL. 1 Introduction IPTES is an ESPRIT research project which aims at development of a methodology and a supporting environment for inc...
There are many ad hoc tools aimed at the animation of executable subsets of the formal specification language Z. This paper presents an approach to rigorously establishing the correctness of such Z animation tools, drawing on ideas from the field of abstract interpretation. Enough of the standard Z syntax is treated to cover most uses of Z schemas and expressions, after schema calculus constructs have been expanded and embedded schema references replaced.
In this paper, we demonstrate how model checking can be used to verify safety properties for event-driven systems. SCR tabular requirements describe required system behavior in a format that is intuitive, easy to read, and scalable to large systems (e.g., the software requirements for the A7 aircraft). Model checking of temporal logics has been established as a sound technique for verifying properties of hardware systems. We have developed an automated technique for formalizing the semiformal SCR requirements and for transforming the resultant formal specification onto a finite structure that a model checker can analyze. This technique was effective in uncovering violations of system invariants in both an automobile cruise control system and a water-level monitoring system.
Measurable Improvement in Specification Techniques (MIST) is ESSI application experiment 10228. MIST is a 16 month project involving three companies: GEC-Marconi Avionics, who are the prime user; Praxis, who are the main subcontractor, acting as an independent reviewer; and B-Core (UK),who provide the tools used and consultancy. The main aims of MIST are to develop procedures for using formal methods with current methods on safety critical avionics software and to collect metrics to enable reasonable estimates for the use of these procedures.
Tribute Foreword Introduction Part I. Mathematics: 1. Mathematical reasoning 2. Set notation 3. Mathematical objects Part II. Abstract Machines: 4. Introduction to abstract machines 5. Formal definition of abstract machines 6. Theory of abstract machines 7. Constructing large abstract machines 8. Examples of abstract machines Part III. Programming: 9. Sequencing and loop 10. Programming examples Part IV. Refinement: 11. Refinement 12. Constructing large software systems 13. Examples of refinement Appendixes Index.
Many different methods have been devised for automatically verifying finite state systems by examining state-graph models of system behavior. These methods all depend on decision procedures that explicitly represent the state space using a list or a table that grows in proportion to the number of states. We describe a general method that represents the state space symbolically instead of explicitly. The generality of our method comes from using a dialect of the Mu-Calculus as the primary specification language. We describe a model checking algorithm for Mu-Calculus formulas that uses Bryant's Binary Decision Diagrans (Bryant, R. E., 1986, IEEE Trans. Comput.C-35) to represent relations and formulas. We then show how our new Mu-Calculus model checking algorithm can be used to derive efficient decision procedures for CTL model checking, satisfiability of linear-time temporal logic formulas, strong and weak observational equivalence of finite transition systems, and language containment for finite ω-automata. The fixed point computations for each decision procedure are sometimes complex, but can be concisely expressed in the Mu-Calculus. We illustrate the practicality of our approach to symbolic model checking by discussing how it can be used to verify a simple synchronous pipeline circuit.
Prototyping formal specifications can help capture accurately the requirements of real-world problems. We present a software system, called EZ, that generates executable prototypes directly from certain Z specifications. We first describe how nonmodular Z specifications can be mapped to search systems in C-Prolog. We then add modularity (schema referencing) and other features. A short comparison is made to other existing Z prototyping systems, with possibilities for future work being suggested.
Formal specifications contain a great deal of information that can be exploited in the testing of an implementation, either for the generation of test-cases, for sequencing the tests, or as an oracle in verifying the tests. This papers presents automatic techniques for partition analysis in state-based specifications, specifically VDM. Test domains for individual operations are calculated by reduction of their mathematical description to a Disjunctive Normal Form. Following this, a partition analysis of the system state can be performed which permits the construction of a Finite State Automaton from the specification. This, in turn, can be used to sequence the required tests in a valid and sensible way. A tool has been developed based on the techniques applied to VDM, which has been used to develop the examples presented in the paper.
A description is given of Z—, a computational subset of Z which can be treated as a programming language. The language is presented by taking a small sample specification and taking it through successive refinement stages. After data refinement the specification is in high-level Z--. Operational refinement then takes it into base-level Z--. Auxiliary functions to make Z-- programming easier are described and given formal Z definitions. Z-- itself is a typed functional language, and a sketch is given of how its most important constructs might be interpreted.
This paper demonstrates how a syntax-directed editor, designed as an entry tool for VDM specifications, can produce executable prototypes by the automatic translation of VDM specifications into Standard ML programs. A small example of this translation process is given.
Cogito 1 is the first iteration of a Z-based integrated methodology and support system for formal software development. This paper gives an overview of the Cogito methodology and associated tools. Particular emphasis is placed on the way in which Cogito integrates the various phases of the formal development process and provides comprehensive tools support for all phases of development addressed by the methodology.
Qu-Prolog is an extension of Prolog which performs meta-level computations over object languages, such as predicate calculi and lambda-calculi, which have object-level variables, and quantifier or binding symbols creating local scopes for those variables. As in Prolog, the instantiable (meta-level) variables of Qu-Prolog range over object-level terms, and in addition other Qu-Prolog syntax denotes the various components of the object-level syntax, including object-level variables. Further, the meta-level operation of substitution into object-level terms is directly represented by appropriate Qu-Prolog syntax. Again as in Prolog, the driving mechanism in Qu-Prolog computation is a form of unification, but this is substantially more complex than for Prolog because of Qu-Prolog's greater generality, and especially because substitution operations are evaluated during unification. In this paper, the Qu-Prolog unification algorithm is specified, formalised and proved correct. Further, the analysis of the algorithm is carried out in a frame-work which straightforwardly allows the 'completeness' of the algorithm to be proved: though fully explicit answers to unification problems are not always provided, no information is lost in the unification process.
Formal methods rely on the correctness of the formal requirements
specification, but this correctness cannot be proved. This paper
discusses the use of software tools to assist in the validation of
formal specifications and advocates a system by which Z specifications
may be animated as Prolog programs. Two Z/Prolog translation strategies
are explored; formal program synthesis and structure simulation. The
paper explains why the former proved to be unsuccessful and describes
the techniques developed for implementing the latter approach, with the
aid of case studies
The ability to animate Z specifications is useful in allowing a specifier to explore the behaviour of a specification. This paper defines three new evaluation criteria for animation systems, interactivity, transparency and operational equivalence. It also describes a simple Haskell-based animation system that satisfies these criteria. A system that allows Z specifications to be animated can assist a specifier to understand and validate a specification. For instance, the satisfiability of an operation can be checked using some given test data. As a specification is written, the specifier may wish to experiment with alternative definitions, perhaps to check that they are computable and give the expected results. Animation can provide immediate feedback during the process of writing a specification and this may help to reduce specification errors. Of course, not all Z specifications are directly executable [HJ89]. However, several researchers have reported success in animating subse...
Rapid protcityping in the OBJ specification language Working Papers ACM SIG-SOFT Rapid Prototyping Workshop 19821. [ 141 I. Hayes, editor. Specification Case Studies
- J Goguen
- J Meseguer
J. Goguen and J. Meseguer. Rapid protcityping in the OBJ specification language. ACM SIGSOFT Software Engineer-ing Notes, 7(5):75-84, 1982. Working Papers ACM SIG-SOFT Rapid Prototyping Workshop 19821. [ 141 I. Hayes, editor. Specification Case Studies. Prentice-Hall, second edition, 1993. First Edition published in 1987.
Extending Z with modules
- P Traynor
- E Kearney
- L Kazmierczak
- E Wang
- H Karlsen
- B Trehame
- J Ormsby
- T Draper
- Boyce
Traynor, P. Kearney, E. Kazmierczak, L. Wang, and E. Karlsen. Extending Z with modules. In Ausfralasian Computer Science Communications, Voi'l7:1, pages 5 13-522. ACSC95,1995. 1271 H. Trehame, B. Ormsby, J. Draper, T. Boyce, and S. Schnei-der. Prototyping formal specifications with the B-tookit.
Towards correct executable semantics for Z Symbolic model checking: lo2' states and beyond Computer aided transfor-mation of Z into Prolog
- P T Acsc
- J P Breuer
- J Bowen
- E Burch
- K Clarke
- D Mcmillan
- J Dill
- A Hwang
- P Dick
- J Krause
- Cozens
ACSC96,1996. P. T. Breuer and J. P. Bowen. Towards correct executable semantics for Z. In J. Bowen and J. Hall, editors, Proc. of the 8th Z User Meeting, Workshops in Computer Science, pages 185-209. Springer Verlag, 1994. J. Burch, E. Clarke, K. McMillan, D. Dill, and J. Hwang. Symbolic model checking: lo2' states and beyond. In Proc. of 5th Annual Symposium on Logic in Computer Science, 1990. A. Dick, P. Krause, and J. Cozens. Computer aided transfor-mation of Z into Prolog. In J. Nicholls, editor, Proceedings ofZ User Workshop, Workshops in Computer Science, pages 71-85. Springer Verlag, 1989.
Applying the B-method to avionics software: an initial report on the MIST project The IFAD VDM-SL toolbox: a practical approach to formal specifications
- J Draper
- R Elmstrom
- P Larsen
- P Lassen
J. Draper. Applying the B-method to avionics software: an initial report on the MIST project. In Proc. of the ENCRESS Conference, 1995. [ 121 R. Elmstrom, P. Larsen, and P. Lassen. The IFAD VDM-SL toolbox: a practical approach to formal specifications. ACM SIGPWNotices, 29(9), 1994.
The Cogito tool architecture
- A Traynor
- Bloesch
Traynor and A. Bloesch. The Cogito tool architecture. In Australasian Computer Science Communications, Vo118:I, pages 97-106. ACSC96,1996.
Assigning Programs to Meanings State-basedmodel checking of event-driven systems requirements Cogito: A methodology and system for formal software development A formal reasoning environment for Sum-a Z based specification language
- J.-R Abrial
- J The B Book
- J Atlee
- A Gannon
- P Bloesch
- E Kearney
- J Kazmierczak
- Staples
J.-R. Abrial. The B Book: Assigning Programs to Meanings. Cambridge University Press, 1996. J. Atlee and J. Gannon. State-basedmodel checking of event-driven systems requirements. IEEE Transactions on SofnYare Engineering, 1993. A. Bloesch, E. Kazmierczak, P. Kearney, and 0. Traynor. Cogito: A methodology and system for formal software development. InternationalJournal of Software Engineering and Knowledge Engineering, (4):599-617,1995. A. Bloesch, P. Kearney, E. Kazmierczak, J. Staples, 0. Traynor, and M. Utting. A formal reasoning environment for Sum-a Z based specification language. In Australasian Computer Science Communications, Voll8:I, pages 45-54.
From Z specifications to func-tional implementations
- M Johnson
- P Sanders
M. Johnson and P. Sanders. From Z specifications to func-tional implementations. In J. Nicholls, editor, Proceedings ofZ User Workshop, Workshops in Computer Science, pages 86-112. Springer Verlag, 1989. [ 181 C. Jones. Systematic Sofhvare Development Using VDM. Prentice Hall, second edition, 1990.
A formal reasoning environment for SumâaZ based specification language
- A Bloesch
- P Kearney
- E Kazmierczak
- J Staples
- O Traynor
- M Utting