Cornelis Huizing

Modeling Statecharts Behaviour in a Fully Abstract Way

We present a denotational, strictly syntax-directed, semantics for Statecharts, a graphical, mixed specification/programming language for real-time, developed by Harel [H]. This requires first of all defining a proper syntax for the graphical language. Apart from more conventional syntactical operators and their semantic counterparts, we encounter unconventional ones, dealing with the typical graphical structure of the language. The synchronous nature of Statecharts makes special demands on the semantics, especially with respect to the causal relation between simultaneous events, and requires a refinement of our techniques for obtaining a denotational semantics for OCCAM [HGR]. We prove that the model is fully abstract with respect to some natural notion of observable behaviour. The model presented will serve as a basis for a further study of specification and proof systems within the ESPRIT-project DESCARTES.

Semantics of Reactive Systems in Abstract Time

We explain that real-time reactive systems pose specific problems in defining languages to specify and program them. Three criteria are formulated, responsiveness, modularity, and causality, that are important to have for a high-level specification language for these systems. We prove that these properties can not be combined in one semantics. Since these properties are mandatory for a structured development of real-time reactive systems, we introduce a two-levelled semantics in which the three properties hold on different levels of the semantics: global events are treated more abstractly with respect to time than local events.

Introduction to design choices in the semantics of Statecharts

The notion of reactive system and the language Statecharts are introduced. For the first time the rationale behind the design decisions of Statecharts is explained in relation to the specific nature of reactive systems.

Invariants for Non-Hierarchical Object Structures

We present a Hoare-style specification and verification approach for invariants in sequential OO programs. It allows invariants over non-hierarchical object structures, in which update patterns that span several objects and methods occur frequently. This gives rise to invalidating and subsequent re-establishing of invariants in a way that compromises standard data induction, which assumes invariants hold when a method is called. We provide specification constructs (inc and coop) that identify objects and methods involved in such patterns, allowing a refined form of data induction. The approach now handles practical designs, as illustrated by a specification of the Observer Pattern.

Formal Semantics for Ward & Mellor's Transformation Schemas

A family of formal semantics is given for the Essential Model of the Transformation Schema of Ward & Mellor [WM85] using recent techniques developed for defining the semantics of Statecharts [Ha88] by Pnueli and Huizing. The models developed closely resemble those used for synchronous languages [Benveniste and Berry 92]. A number of ambiguities and inconsistencies in Ward & Mellor’s original definition are resolved.

Cooperation-based Invariants for OO Languages

In general, invariants may depend on the state of other objects. The approach introduced in this paper allows this for objects of mutually visible classes, in a way that supports modular verification. To this end, dependencies are made explicit by cooperation. In particular, invariants expressing non-hierarchical object relations are supported. Furthermore, an inc-set allows a method to specify explicitly that it does not depend on the validity of a certain invariant. This way, it can be called even when that invariant is violated.

Formal Semantics for Ward & Mellor's Transformation Schemas and the Specification of Faul Tolerant Systems

A family of formal semantics is given for the Essential Model of the Transformation Schema of Ward & Mellor [WM85] using recent techniques developed for defining the semantics of Statecharts [Har88] by Pnueli and Huizing. The models developed closely resemble those used for synchronous languages [BG92]. Each model has its own application area, e.g., one fits best for fault-tolerant systems, but only one model is modular. A number of ambiguities and inconsistencies in Ward & Mellors original definition is resolved.

Verification of atomicity preservation in model-to-code transformations using generic Java code

A challenging aspect of model-to-code transformations is to ensure that the semantic behavior of the input model is preserved in the output code. When constructing concurrent systems, this is mainly difficult due to the non-deterministic potential interaction between threads. In this paper, we consider this issue for a framework that implements a transformation chain from models expressed in the state machine based domain specific language SLCO to Java. In particular, we provide a fine-grained generic solution to preserve atomicity of SLCO statements in the Java implementation. We give its generic specification based on separation logic and verify it using the verification tool VeriFast. The solution can be regarded as a reusable module to safely implement atomic operations in concurrent systems.

Verifying atomicity preservation and deadlock freedom of a generic shared variable mechanism used in model-to-code transformations

A challenging aspect of model-to-code transformations is to ensure that the semantic behavior of the input model is preserved in the output code. When constructing concurrent systems, this is mainly difficult due to the non-deterministic potential interaction between threads. In this paper, we consider this issue for a framework that implements a transformation chain from models expressed in the state machine based domain specific language SLCO to Java. In particular, we provide a fine-grained generic mechanism to preserve atomicity of SLCO statements in the Java implementation. We give its generic specification based on separation logic and verify it using the verification tool VeriFast. The solution can be regarded as a reusable module to safely implement atomic operations in concurrent systems. Moreover, we also prove with VeriFast that our mechanism does not introduce deadlocks. The specification formally ensures that the locks are not reentrant which simplifies the formal treatment of the Java locks.

A small step for mankind

For many programming languages, the only formal semantics published is an SOS big-step semantics. Such a semantics is not suited for investigations that observe intermediate states, such as invariant techniques. In this paper, a construction is proposed that generates automatically a small-step SOS semantics from a big-step semantics. This semantics is based on the a priori technique pioneered by Willem-Paul de Roever et al.