Ángel Herranz

Formal extreme (and extremely formal) programming

This paper is an exploratory work were the authors study how the technology of Formal Methods (FM) can interact with agile process in general and with Extreme Programming (XP) in particular. Our thesis is that most of XP practices (pair programming, daily build, the simplest design or the metaphor) are technology independent and therefore can be used in FM based developments. Additionally, other essential pieces like test first, incremental development and refactoring can be improved by using FM. In the paper we explore in a certain detail those pieces: when you write a formal specification you are saying what your code must do, when you write a test you are doing the same so the idea is to use formal specifications as tests. Incremental development is quite similar to the refinement process in FM: specifications evolve to code maintaining previous functionality. Finally FM can help to remove redundancy, eliminate unused functionality and transform obsolete designs into new ones, and this is refactoring.

A model-driven approach to teaching concurrency

We present an undergraduate course on concurrent programming where formal models are used in different stages of the learning process. The main practical difference with other approaches lies in the fact that the ability to develop correct concurrent software relies on a systematic transformation of formal models of inter-process interaction (so called shared resources), rather than on the specific constructs of some programming language. Using a resource-centric rather than a language-centric approach has some benefits for both teachers and students. Besides the obvious advantage of being independent of the programming language, the models help in the early validation of concurrent software design, provide students and teachers with a lingua franca that greatly simplifies communication at the classroom and during supervision, and help in the automatic generation of tests for the practical assignments. This method has been in use, with slight variations, for some 15 years, surviving changes in the programming language and course length. In this article, we describe the components and structure of the current incarnation of the course—which uses Java as target language—and some tools used to support our method. We provide a detailed description of the different outcomes that the model-driven approach delivers (validation of the initial design, automatic generation of tests, and mechanical generation of code) from a teaching perspective. A critical discussion on the perceived advantages and risks of our approach follows, including some proposals on how these risks can be minimized. We include a statistical analysis to show that our method has a positive impact in the student ability to understand concurrency and to generate correct code.

Property-Based Testing of JSON Based Web Services

This article describes a systematic approach to testing behavioural aspects of Web Services that communicate using the JSON data format. As a key component, the Quviq QuickCheck property-based testing tool is used to automatically generate a large number of test cases from an abstract description of the service behaviour in the form of a finite state machine. The same behavioural description is also used to decide whether the execution of a test case is successful or not. To generate random JSON data for populating tests we have developed a new library, jsongen, which given a characterisation of the JSON data as a JSON schema, automatically derives a QuickCheck generator which is capable of generating an infinite number of JSON values that validate against the schema.

Rapid prototyping and incremental evolution using SLAM

The paper shows the outlines of the SLAM system that allows for an effective use of Formal Methods (FM) in Rapid Application Development (RAD) and other prototyping processes. The SLAM system, includes an expressive object oriented specification language and a development environment that, among other features, is able to generate efficient and readable code in a high level object oriented language (Java, C++, ...). SLAM is able to generate prototypes that can be used to validate the requirements with the user. The additional advantage is that the prototype is not throw-away because most part of the generated code can be directly used and the other part can be optimised with the additional help of assertions automatically included.

Modeling Concurrent Systems with Shared Resources

Testing is the more widely used approach to (partial) system validation in industry. The introduction of concurrency makes exhaustive testing extremely costly or just impossible, requiring shifting to formal verification techniques. We propose a methodology to design and verify a concurrent system that splits the verification problem in two independent tasks: internal verification of shared resources, where some concurrency aspects like mutual exclusion and conditional synchronisation are isolated, and external verification of processes, where synchronisation mechanisms are not relevant. Our method is language independent, non-intrusive for the development process, and improves the portability of the resulting system. We demonstrate it by actually checking several properties of an example application using the TLC model checker.

A verified implementation of priority monitors in java

Java monitors as implemented in the java.util.concurrent.locks package provide no-priority nonblocking monitors. That is, threads signalled after blocking on a condition queue do not proceed immediately, but they have to wait until both the signalling thread and possibly some of the others which have requested the lock release it. This can be a source of errors (if threads that get in the middle leave the monitor in a state incompatible with the signalled thread re-entry) or inefficiency (if repeated evaluation of preconditions is used to ensure safe re-entry). A concise implementation of priority nonblocking monitors in Java is presented. Curiously, our monitors are implemented on top of the standard no-priority implementation. In order to verify the correctness of our solution, a formal transition model (that includes a formalisation of Java locks and conditions) has been defined and checked using Uppaal. This model has been adapted to PlusCal in order to obtain a formal proof in TLA independent of the number of threads.

Automatic coding rule conformance checking using logic programming

An extended practice in the realm of Software Engineering and programming in industry is the application of coding rules. Coding rules are customarily used to constrain the use (or abuse) of certain programming language constructions. However, these rules are usually written using natural language, which is intrinsically ambiguous and which may complicate their use and hinder their automatic enforcement. This paper presents some early work aiming at defining a framework to formalise and check for coding rule conformance using logic programming. We show how a certain class of rules - structural rules - can be reformulated as logic programs, which provides both a framework for formal specification and also for automatic conformance checking using a Prolog engine. Some examples of rules belonging to actual, third-party coding rule sets are discussed, along with the corresponding Prolog code. Experimental data regarding the practicality and impact of their application to real-life software projects is presented and discussed.

Teaching How to Derive Correct Concurrent Programs from State-Based Specifications and Code Patterns

The fun of teaching and learning concurrent programming is sometimes darkened by the difficulty in getting concurrent programs to work right. In line with other programming subjects in our department, we advocate the use of formal specifications to state clearly how a concurrent program must behave, to reason about this behavior, and to be able to produce code from specifications in a semi-automatic fashion. We argue that a mild form of specification not only makes it possible to get programs running easier, but it also introduces students to a quite systematic way of approaching programming: reading and understanding specifications is seen as an unavoidable step in the programming process, as they are really the only place where the expected conduct of the system is described. By using formal techniques in these cases, where they are undoubtedly appropriate, we introduce formality without the need to resort to justifications with artificial or overly complicated examples.

Declarative Reflection and its Application as a Pattern Language

Abstract The paper presents the reflection facilities of the specification language Slam-sl. Slam-sl is an object oriented specification language where class methods are specified by pre and postconditions. The reflection capabilities allow managing these pre and postconditions in specifications what means that semantic reflection is possible. The range of interesting applications is very wide: formal specification of interfaces and abstract classes, specification of component based software, formalization of design pattern, using Slam-sl as a pattern language, etc. The paper discusses the last two advantages in some detail.

Execution and Verification of UML State Machines with Erlang

Validation of a system design enables to discover specification errors before it is implemented (or tested), thus hopefully reducing the development cost and time. The Unified Modelling Language (UML) is becoming widely accepted for the early specification and analysis of requirements for safety-critical systems, although a better balance between UML’s undisputed flexibility, and a precise unambiguous semantics, is needed. In this paper we introduce UMerL, a tool that is capable of executing and formally verifying UML diagrams (namely, UML state machine, class and object diagrams) by means of a translation of its behavioural information into Erlang. The use of the tool is illustrated with an example in embedded software design.