Software systems verification

Debugging large-scale parallel applications is challenging. In most HPC applications, parallel tasks progress in a coordinated fashion, and thus a fault in one task can quickly propagate to other tasks, making it difficult to debug. Finding the least-progressed tasks can significantly reduce the effort to identify the task where the fault originated. However, existing approaches for detecting them suffer low accuracy and large overheads; either they use imprecise static analysis or are unable to infer progress dependence inside loops. We present a loop-aware progress-dependence analysis tool, Prodometer, which determines relative progress among parallel tasks via dynamic analysis. Our fault-injection experiments suggest that its accuracy and precision are over 90% for most cases and that it scales well up to 16,384 MPI tasks. Further, our case study shows that it significantly helped diagnosing a perplexing error in MPI, which only manifested at large scale.

The formal methods community is in general very good at undertaking research into the mathematical aspects of formal methods, but not so good at promulgating the use of formal methods in an engineering environment and at an industrial scale. Technology transfer is an extremely important part of the overall effort necessary in the acceptance of formal techniques. This paper explores some of the more informal aspects of applying formal methods and presents some maxims with associated discussion that may help in the application of formal methods in an industrial setting.

This chapter presents a provably correct compilation scheme that converts a program into a network of abstract components that interact with each other by exchanging request and acknowledgement signals. We provide a systematic and modular
technique for correctly realizing the abstract components in
hardware device, and use a standard programming language to
describe both algorithms and circuits. The resulting circuitry, which behaves according to the program, has the same structure as the program. The circuit logic is asynchronous, with no global clock.

A general specification language, Z, based on set theory and developed at Oxford University is presented. A major advantage of a formal notation is that it is precise and unambiguous and thus the formal notation always provides the definitive description in the case of any misunderstanding. A number of examples are discussed, including network services, window systems, and microprocessor instruction sets. This paper is split into two main parts. The first half deals with the nature of formal specification and why it should be used. Additionally, a brief introduction to Z and how it is used is also presented in general terms, without covering the notation itself. The second half of the paper deals with the experiment gained using Z for the design and documentation of network services and during some case studies of existing systems. Finally some conclusions are drawn about the advantages and disadvantages of using a formal approach

A simple ‘shallow’ semantic embedding of the Z notation into the higher order logic, as supported by the HOL theorem proving system, is presented.Z is is typically used for human-readable formal specification whereas HOL is used for machine-checked verification. The paper is intended to show how a tool such as HOL can be used to provide mechanical support for Z,including mechanization of proofs. No specialized knowledge of Z or HOL is assumed. An explanation of shallow and deep embedding as well as a survey of other related research are also included.

Keywords: Formal methods, Higher Order Logic, Mechanical verification,Theorem proving, Z notation

Web Services have become more and more important in these years, and BPEL4WS (BPEL) is a de facto standard for the web service composition and orchestration. It contains several distinct features, including the scope-based compensation and fault handling mechanism. We have considered the operational semantics and denotational semantics for BPEL, where a set of algebraic laws can be achieved via these two models respectively.

In this paper, we consider the inverse work, deriving the operational semantics and denotational semantics from algebraic semantics for BPEL. In our model, we introduce four types of typical programs, by which every program can be expressed as the summation of these four types. Based on the algebraic semantics, the strategy for deriving the operational semantics is provided and a transition system is derived by strict proof. This can be considered as the soundness exploration for the operational semantics based on the algebraic semantics. Further, the equivalence between the derivation strategy and the derived transition system is explored, which can be considered as the completeness of the operational semantics. Finally, the derivation of the denotational semantics from algebraic semantics is explored, which can support to reason aboutmore program properties easily.

A simple `shallow' semantic embedding of the Z notation into the HOL logic is described. The Z notation is based on set theory and first order predicate logic and is typically used for human-readable formal specification. The HOL theorem proving system supports higher order logic and is used for machine-checked verification. A well-known case study is used as a running example. The presentation is intended to show people with
some knowledge of Z how a to ol such as HOL can be used to provide mechanical support for the notation, including mechanization of proofs. No specialized knowledge of HOL is assumed.

Formal verification of distributed systems is essential, especially in mission-critical systems that cannot be restarted. Such are space systems in which satellites read sensor values and autonomously make actuator decisions based on them, and ground services only set general pat-terns of behavior. The verification formalism should correspond to the essential characteristics of a distributed system, such as node autonomy and asynchrony of actions and communication, as in our Integrated Model of Distributed Systems (IMDS). It is also crucial that the formalism allows for finding partial deadlocks and checking partial termination, where only a subset of the system nodes is involved while the rest can perform their own tasks at the same time.
This article presents the idea of using monitoring agents—observers prepared in the IMDS for-malism. Observers check the state of individual system components by polling, allowing verification without knowing the global state of the system. Such an agent is an ideal prototype of a runtime observer that checks if the actual operation of the system corresponds to a design that has previously been proven correct.

One major problem in maintaining a software system is to understand how many functional features in the system and how these features are implemented. In this paper a novel approach for locating features in code by semantic and dynamic analysis is proposed. The method process consists of three steps: The first uses the execution traces as text corpus and the method calls involved in the traces as terms of document. The second ranks the method calls in order to filter out omnipresent methods by setting a threshold. And the third step treats feature-traces as first class entities and extracts identifiers from the rest method source code and a trace-by-identifier matrix is generated. Then a semantic analysis model-LDA is applied on the matrix to extract topics, which act as functional features. Through building several corresponding matrices, the relations between features and code can be obtained for comprehending the system functional intents. A case study is presented and the execution results of this approach can be used to guide future research.

Environmental changes, failures, collisions or even terrorist attacks can cause serious malfunctions of the delivery systems. We have presented a novel approach improving resilience of Autonomous Moving Platforms AMPs. The approach is based on multi-level state diagrams describing environmental trigger specifications, movement actions and synchronization primitives. The upper level diagrams allowed us to model advanced interactions between autonomous AMPs and detect irregularities such as deadlocks, live-locks etc. The techniques were presented to verify and analyze combined AMPs' behaviors using model checking technique. The described system, Dedan verifier, is still under development. In the near future, a graphical form of verified system representation is planned.

Complex software systems typically involve features like time, concurrency and probability, with probabilistic computations playing an increasing role. However, it is currently challenging to formalize languages incorporating all those features. Recently, the language PTSC has been proposed to integrate probability and time with shared-variable concurrency (Zhu et al. (2006, 2009)  and ), where the operational semantics has been explored and a set of algebraic laws has been investigated via bisimulation. This paper investigates the link between the operational and algebraic semantics of PTSC, highlighting both its theoretical and practical aspects.

The link is obtained by deriving the operational semantics from the algebraic semantics, an approach that may be understood as establishing soundness of the operational semantics with respect to the algebraic semantics. Algebraic laws are provided that suffice to convert any PTSC program into a form consisting of a guarded choice or an internal choice between programs, which are initially deterministic. That form corresponds to a simple execution of the program, so it is used as a basis for an operational semantics. In that way, the operational semantics is derived from the algebraic semantics, with transition rules resulting from the derivation strategy. In fact the derived transition rules and the derivation strategy are shown to be equivalent, which may be understood as establishing completeness of the operational semantics with respect to the algebraic semantics.

That theoretical approach to the link is complemented by a practical one, which animates the link using Prolog. The link between the two semantics proceeds via head normal form. Firstly, the generation of head normal form is explored, in particular animating the expansion laws for probabilistic interleaving. Then the derivation of the operational semantics is animated using a strategy that exploits head normal form. The operational semantics is also animated. These animations, which again supports to claim soundness and completeness of the operational semantics with respect to the algebraic, are interesting because they provide a practical demonstration of the theoretical results.

In this short paper we discuss our experience with the lightweight formal verification of properties in the Linux kernel, an open source code base of approaching seven million lines of code in size, written in mixed C and assembler for twenty-five different hardware platforms. We project this experience toward possible ways of achieving the long-term integration of at least some formal methods into that most paradigmal of open source development processes.