Verification Of Concurrent Systems Research Articles

Specification and verification of concurrent systems by causality and realizability

A logical theory for interface specification and verification of distributed, concurrent, interactive, real-time systems is worked out based on a semantic foundation including operational and denotational semantics. It supports a calculus for the specification and verification of concurrent interactive systems by interface assertions. Systems are composed acting concurrently and interacting via streams exchanged over their channels forming feedback loops. A denotational semantics is defined handling feedback communication by recursion and fixpoints based on strong causality and realizability instead of monotonicity. The resulting verification calculus for the specification logic is proved to be sound and relatively complete with respect to an operational semantics in terms of generalized Moore machines. Actually, two models of concurrent systems are defined, a more abstract one with communication and interaction modeled by untimed streams and a more concrete one working with timed streams. The untimed model is an abstraction of the timed model. The timed model allows expressing the laws of causality and realizability. Moreover, the timed model can be used to specify real-time properties.

Finite‐state model extraction and visualization from Java program execution

AbstractFinite‐state models are extensively used for discrete systems and they have also been adopted for the analysis and verification of concurrent systems. Programs that have a repetitive cycle, such as event‐driven servers and controllers, lend themselves to finite‐state modeling. In this article, we use the term model extraction to refer to the construction of a finite‐state model from an execution trace of a Java program and a set of key attributes, that is, a subset of the fields of the objects in the program execution. By choosing different sets of attributes, different finite‐state models (or views) of the execution can be obtained. Such models aid program comprehension and they can also be used in debugging a program. We present algorithms for model extraction and also for model abstraction in order to reduce the size of the extracted models so that they are amenable to visualization. For long executions, we show how to minimize the overhead of execution trace collection through a bytecode instrumentation technique; and, for large models, which are not amenable to visualization, we show how key properties of the extracted model can be checked against declarative specifications. We have implemented our techniques in the context of JIVE, an Eclipse plugin that supports runtime visualization and analysis of Java program executions. We illustrate our techniques through a collection of case studies of varying size and complexity, from classic problems of concurrency control to a medium‐size protocol for authorization (OAuth2.0 protocol) to a large‐scale software that underlies web applications (Apache Tomcat server).

Algebraic Structure of Step Traces and Interval Traces

Traces and their extensions as comtraces, step traces and interval traces are quotient monoids over sequences or step sequences that play an important role in the formal analysis and verification of concurrent systems. Step traces are generalizations of comtraces and classical traces while interval traces are specialized traces that can deal with interval order semantics. The algebraic structures and their properties as projections, hidings, canonical forms and other invariants are very well established for traces and fairly well established for comtraces. For step traces and interval traces they are the main subject of this paper.

Distribution-Based Behavioral Distance for Nondeterministic Fuzzy Transition Systems

Modal logics and behavioral equivalences play an important role in the specification and verification of concurrent systems. In this paper, we first present a new notion of bisimulation for nondeterministic fuzzy transition systems, which is distribution based and coarser than state-based bisimulation appeared in the literature. Then, we define a distribution-based bisimilarity metric as the least fixed point of a suitable monotonic function on a complete lattice, which is a behavioral distance and is a more robust way of formalizing behavioral similarity between states than bisimulations. We also propose an on-the-fly algorithm for computing the bisimilarity metric. Moreover, we present a fuzzy modal logic and provide a sound and complete characterization of the bisimilarity metric. Interestingly, this characterization holds for a class of fuzzy modal logics. In addition, we show the nonexpansiveness of a typical parallel composition operator with respect to the bisimilarity metric, which makes compositional verification possible.

The symbiosis of concurrency and verification: teaching and case studies

Concurrency is beginning to be accepted as a core knowledge area in the undergraduate CS curriculum—no longer isolated, for example, as a support mechanism in a module on operating systems or reserved as an advanced discipline for later study. Formal verification of system properties is often considered a difficult subject area, requiring significant mathematical knowledge and generally restricted to smaller systems employing sequential logic only. This paper presents materials, methods and experiences of teaching concurrency and verification as a unified subject, as early as possible in the curriculum, so that they become fundamental elements of our software engineering tool kit—to be used together every day as a matter of course. Concurrency and verification should live in symbiosis. Verification is essential for concurrent systems as testing becomes especially inadequate in the face of complex non-deterministic (and, therefore, hard to repeat) behaviours. Concurrency should simplify the expression of most scales and forms of computer system by reflecting the concurrency of the worlds in which they operate (and, therefore, have to model); simplified expression leads to simplified reasoning and, hence, verification. Our approach lets these skills be developed without requiring students to be trained in the underlying formal mathematics. Instead, we build on the work of those who have engineered that necessary mathematics into the concurrency models we use (CSP, {pi} -calculus), the model checker (FDR) that lets us explore and verify those systems, and the programming languages/libraries (occam-{pi}, Go, JCSP, ProcessJ) that let us design and build efficient executable systems within these models. This paper introduces a workflow methodology for the development and verification of concurrent systems; it also presents and reflects on two open-ended case studies, using this workflow, developed at the authors’ two universities. Concerns analysed include safety (don’t do bad things), liveness (do good things) and low probability deadlock (that testing fails to discover). The necessary technical background is given to make this paper self-contained and its work simple to reproduce and extend.

DEv-PROMELA: an extension of PROMELA for the modelling, simulation and verification of discrete-event systems

PROMELA is a well-known formalism for the modelling and the verification of concurrent systems. PROMELA deals with high-level specifications. As a result, PROMELA models are expressed in a high-level abstraction which does not consider explicit representation of time or events for example. But, the efficiency of the processes of verification and validation relies on the accuracy of the models. That is why we propose, in this paper, work to develop a new extension of PROMELA for the modelling of discrete-event systems. The verification of these models is then done by combining formal verification and simulation-based verification using SPIN and the tool DEv-PROMELA Studio, or using any existing DEVS simulators.

A mechanism of function calls in MSVL

Modeling, Simulation and Verification Language (MSVL) is a useful formalism for specification and verification of concurrent systems. To make it more practical and easier to use, we extend MSVL with external and internal function calls. To do so, the syntax of function definitions and function calls is formalized. Then, the syntax of expressions in MSVL is extended by including function calls. Further, the evaluation rules are redefined. Moreover, the set of statements in MSVL is also extended and the semantics of function call statements is formalized. In addition, the existence of minimal models of MSVL programs involving new added statements is proved. Finally, an example is given to illustrate how to interpret function calls in practice with MSVL.

Concurrency in Intuitionistic Linear-Time μ-Calculus: A Case study of Manufacturing System

Background: The design of concurrent systems has become more and more articulated during the last three decades, thus forcing radical modifications on the overall methodological approach. In concurrent systems multiple tasks are being performed in parallel, giving rise to nondeterminism in these situations. The goal of this work is to introduce a common formalized framework to improve the shortcomings of existing models of concurrency, most of which use an oversimplified model of time. Methods: In this paper we will model a manufacturing system having concurrent machines by Colored Petri Nets (CPN) technique. For verification of such systems, intuitionistic linear-time μ-calculus (IμTL) will be applied, which is based on Heyting algebra. IμTL is the extension of linear-time μ-calculus. Reasoning about composition in general, but especially concurrent composition, remains one of the greatest challenge. Findings: The IμTL rules will be used for verifying soundness and composition of safety properties, which are more general than previously discussed rules by using Linear-Time Temporal Logic (LTL). These results will also show the verification of concurrent systems using IμTL. Application: This research will provide new direction for modeling and verification of concurrent system.

Projecting transition systems: Overcoming state explosion in concurrent system verification

The paper introduces a method for overcoming state explosion arising when verifying concurrent and distributed computer systems. The method is based on projecting a system state space onto a number of subspaces associated with quite small and, generally speaking, overlapping groups of processes. Analysis of the system--checking whether a given property holds on the system states--is carried out by collaborative exploration of the projections' state graphs; the process is completed as soon as all transitions of all projections have been traversed (usually, this requires significantly less amount of time than exploring the state graph of the entire system). To increase controllability of the traversing process, it is suggested to use techniques for cooperative searching paths in the projections (the latter may appear to be highly nondeterministic due to the loss of information upon projecting). In this work, certain issues of the introduced verification scheme are investigated, and results of some experiments are given. The method described can be applied to model checking, as well as to model-based testing, namely for automatic test sequence generation.

Formal Description of Alvis Language with α0 System Layer

The paper presents a formal description of a subset of the Alvis language designed for the modelling and formal verification of concurrent systems. Alvis combines possibilities of a formal models verification with flexibility and simplicity of practical programming languages. Alvis provides a graphical modelling of interconnections among agents and a high level programming language used for the description of agents behaviour. Its semantic depends on the so-called system layer. The most universal system layer α0, described in the paper, makes Alvis similar to other formal languages like Petri nets, process algebras, time automata, etc.

Algebraic Structure of Combined Traces

Traces and their extension called combined traces (comtraces) are two formal models used in the analysis and verification of concurrent systems. Both models are based on concepts originating in the theory of formal languages, and they are able to capture the notions of causality and simultaneity of atomic actions which take place during the process of a system's operation. The aim of this paper is a transfer to the domain of comtraces and developing of some fundamental notions, which proved to be successful in the theory of traces. In particular, we introduce and then apply the notion of indivisible steps, the lexicographical canonical form of comtraces, as well as the representation of a comtrace utilising its linear projections to binary action subalphabets. We also provide two algorithms related to the new notions. Using them, one can solve, in an efficient way, the problem of step sequence equivalence in the context of comtraces. One may view our results as a first step towards the development of infinite combined traces, as well as recognisable languages of combined traces.

ROSECON: a Computer Tool for Synthesis and Verification of Concurrent Systems Specified by Information Systems

In the paper, a computer tool called ROSECON, used for modeling and analyzing systems of concurrent processes, is described. A special attention is focused on synthesis and verification of concurrent systems specified by information systems. Two kinds of models, synchronous and asynchronous, are considered. In the first approach, all processes included in the modeled system are synchronized globally whereas in the second one, each process is synchronized individually. The presented tool allows generating automatically an appropriate model of a system of concurrent processes, in the form of colored Petri nets, from the specification given by an information system. Analysis of the model behaviors enables users to verify the correctness and/or optimality of the obtained models and to provide some modification procedures to get correct and/or more optimal solutions. Examples of selected well known problems in concurrency, in the paper, emphasize usefulness of the tool in the designing systems of concurrent processes.

Scheduling and control of real-time systems based on a token player approach

Petri nets are a powerful formalism for the specification and verification of concurrent systems, such as sequential systems and manufacturing systems. To deal with real-time systems whose time issues become essential, different extensions of Petri nets with time have been proposed in the literature. In this paper, a new scheduling and control technique for real-time systems modeled by ordinary P-time Petri nets is proposed. Its goal is to provide a scheduling for a particular firing sequence, without any violation of timing constraints ensuring that no deadline is missed. It is based on the firing instant notion and it consists in determining an inequality system generated for a possible evolution (in terms of a feasible firing sequence for the untimed underlying Petri net) of the model. This system can be used to check reachability problems as well as evaluating the performances of the model considered and determining the associated control for a definite functioning mode and it introduces partial order on the execution of particular events.

The sweep-line state space exploration method

The sweep-line method exploits intrinsic progress in concurrent systems to alleviate the state explosion problem in explicit state model checking. The concept of progress makes it possible to delete states from the memory during state space exploration and thereby reduce peak memory usage. The contribution of this paper is twofold. First, we provide a coherent presentation of the sweep-line theory and the many variants of the method that have been developed over the past 10 years since the basic idea of the method was conceived. Second, we survey a selection of case studies where the sweep-line method has been put into practical use for the verification of concurrent systems.

Complete Axiomatization for Projection Temporal Logic with Finite Time

为采用定理证明的方法对并发及交互式系统进行验证,研究了有穷论域下有穷时间一阶投影时序逻辑(projection temporal logic,简称PTL)的一个完备公理系统.在介绍PTL 的语法、语义并给出公理系统后,提出了PTL公式的正则形(normal form,简称NF)和正则图(normal form graph,简称NFG).基于NF 给出了NFG 的构造算法,并利用NFG可描述公式模型的性质证明PTL 公式的可满足性判定定理和公理系统的完备性.最后,结合实例展示了PTL及其公理系统在系统验证中的应用.结果表明,基于PTL 的定理证明方法可方便用于并发系统的建模与验证.;To verify the properties of concurrent and reactive systems based on the theorem proving approach, a complete axiomatization is formulized over finite domains for first order projection temporal logic (PTL) with finite time. First, the syntax, semantics and the axiomatization of PTL are presented; next, a normal form (NF) and a normal form graph (NFG) of PTL formulas are defined respectively; further, the algorithm for constructing the NFG is formalized upon the NF; moreover, the decision theorem for PTL formulas and the completeness of the axiomatic system have been proven to be based on the property that the NFG can-describe the models of PTL formulas; finally, an example is given to illustrate how to do system verification based on PTL and its axiomatic system, and the results indicate that the PTL based theorem proving approach can be conveniently applied to modeling and verification of concurrent systems.

Constraint graph-based approach for the analysis and the control of time critical systems

The increasing complexity of manufacturing systems gives rise to the development of new formal methods allowing to handle their particularities. Petri nets are a powerful formalism for the specification and verification of concurrent systems including sequential systems and manufacturing systems. To deal with systems whose time issues become fundamental, different time Petri nets extensions have been developed in the literature, each one being dependent on the application considered. For the time critical systems, their correctness depends not only on the logic correctness but also on the time constraints. Timing issues are essential. In this paper, a new method of analysis and control for P-time Petri nets is proposed. It is based on the firing instant notion and exploits a constraint graph approach.

Using Mobile TLA as a Logic for Dynamic I/O Automata

Input/Output (I/O) automata and the Temporal Logic of Actions (TLA) are two well-known techniques for the specification and verification of concurrent systems. Over the past few years, they have been extended to the so-called dynamic I/O automata and, respectively, Mobile TLA (MTLA) in order to be more appropriate for mobile agent systems. Dynamic I/O automata is just a mathematical model, whereas MTLA is a logic with a formally defined language. In this paper, therefore, we investigate how MTLA could be used as a formal language for the specification of dynamic I/O automata. We do this by writing an MTLA specification of a travel agent system which has been specified semi-formally in the literature on that model. In this specification, we deal with always existing agents as well as with an initially unknown number of dynamically created agents, with mobile and non-mobile agents, with I/O-automata-style communication, and with the changing communication capabilities of mobile agents. We have previously written a TLA specification of this system. This paper shows that an MTLA specification of such a system can be more elegant and faithful to the dynamic I/O automata definition because the agent existence and location can be expressed directly by using agent and location names instead of special variables as in TLA. It also shows how the reuse of names for dynamically created and destroyed agents within the dynamic I/O automata framework can be specified in MTLA.

A TOKEN PLAYER ALGORITHM FOR THE CONTROL OF TIME CRITICAL SYSTEMS

Petri nets are a powerful formalism for the specification and verification of concurrent systems, such as sequential systems and manufacturing systems. To deal with systems whose time issues become essential, different extensions of Petri nets with time have been proposed in the literature, each one being dependent on the application considered. In this paper, a new control technique for time Petri nets is proposed. It is based on the firing instant notion and it consists in determining an inequalities system generated for a possible evolution (in terms of a feasible firing sequence for the untimed underlying Petri net) of the model considered. This system can be used to check reachability problems as well as evaluating the performances of the model considered and determining the associated control for a definite functioning mode. Furthermore, the proposed approach is not restricted to subclasses or safe Petri nets.

Distributed Partial Order Reduction of State Spaces

State space explosion is a fundamental obstacle in formal verification of concurrent systems. Several techniques for combating this problem have emerged in the past few years, among which the two we are interested in are: partial order reduction and distributed memory state exploration. While the first one tries to reduce the problem to a smaller one, the other one tries to extend the computational power to solve the same problem. In this paper, we consider a combination of these two approaches and propose a distributed memory algorithm for partial order reduction.

Cluster-Based Partial-Order Reduction

The verification of concurrent systems through an exhaustive traversal of the state space suffers from the infamous state-space-explosion problem, caused by the many interleavings of actions of different processes in the system. Partial-order reduction is a well-known technique to tackle this problem. In this paper, we present an enhancement of the partial-order-reduction scheme of Holzmann and Peled that uses the hierarchical structure of concurrent systems. Our technique tries to contain dependencies between actions within clusters of processes, capitalizing on the independence of actions in different clusters to reduce the state space to be verified while preserving properties of interest. The paper starts with a formalization of the partial-order-reduction technique and continues with a presentation of our enhanced technique, including a correctness argument. The new technique has been implemented in the verification tool SPIN. We present implementation details, some small experiments, and one larger case study using a cache coherency protocol. The experimental results are encouraging. Compared to standard partial-order reduction, improvements in reductions are obtained from 21% up to 98% in the number of states and 34% up to 99% in the number of state transitions.