Perry Alexander

Efficient Specification-Based Component Retrieval

In this paper we present a mechanism for making specification-based component retrieval more efficient by limiting the amount of theorem proving required at query time. This is done by using a classification scheme to reduce the number of specification matching proofs that are required to process a query. Components are classified by assigning features that correspond to necessary conditions implied by the component specifications. We show how this method of feature assignment can be used to approximate reusability relationships between queries and library components. The set of possible classification features are formally defined, permitting automation of the classification process. The classification process itself is made efficient by using a specialized theorem proving tactic to prove feature implication. The retrieval mechanism was implemented and evaluated experimentally using a library of list manipulation components. The results indicate a better response time than existing formal approaches. The approach provides higher levels of consistency and automation than informal methods, with comparable retrieval performance.

Declarative specification of software architectures

Scaling formal methods to large, complex systems requires methods of modeling systems at high levels of abstraction. In this paper, we describe such a method for specifying system requirements at the software architecture level. An architecture represents a way breaking down a system into a set of interconnected components. We use architecture theories to specify the behavior of a system in terms of the behavior of its components via a collection of axioms. The axioms describe the effects and limits of component variation and the assumptions a component can make about the environment provided by the architecture. As a result of the method the verification of the basic architecture can be separated from the verification of the individual component instantiations. We present an example of using architecture theories to model the task coordination architecture of a multi-threaded plan execution system.

Classification and retrieval of reusable components using semantic features

Automated assistance for software component reuse involves supporting retrieval, adaptation and verification of software components. The informality of feature-based software classification schemes is an impediment to formally verifying the reusability of a software component. The use of formal specifications to model and retrieve reusable components alleviates the informality, but the formal reasoning required for retrieval introduces questions of scalability. To provide scalability, current retrieval systems resort to syntactic classification at some level of abstraction, abandoning the semantic information provided by the specification. We propose a methodology that shifts the overhead of formal reasoning from the retrieval to the classification phase of reuse. Software components are classified using semantic features that are derived from their formal specification. Retrieval of functionally similar components can then be accomplished based on the stored feature sets. Formal verification can be applied to precisely determine the reusability of the set of similar components.

VSPEC: A Declarative Requirements Specification Language for VHDL

VHDL allows a designer to describe a digital system by specifying a specific design artifact that implements the desired behavior of the system. However, the operational style used by VHDL forces the designer to make design decisions too early in the design process. In addition, there is no means for specifying non-functional performance constraints such as heat dissipation, propagation delay, clock speed, power consumption and layout area in standard VHDL. Thus, VHDL is not appropriate for high level requirements representation. VSPEC is a Larch interface language for VHDL that solves these problems. VSPEC adds seven clauses to the VHDL entity structure that allow a designer to declaratively describe the data transformation a digital system should perform and performance constraints the system must meet. The designer axiomatically specifies the transformation by defining predicates over entity ports and system state describing input precondition and output postconditions. A constraints section allows the user to specify timing, power, heat, clock speed and layout area constraints. In combination with the architecture declaration, collections of VSPEC specified components can define a high level architecture as interconnected collections of components where requirements of components are known (via a VSPEC description), but implementations are not. This work presents the VSPEC language and associated design methodology.

A formal specification and verification framework for Time Warp-based parallel simulation

The paper describes a formal framework developed using the Prototype Verification System (PVS) to model and verify distributed simulation kernels based on the Time Warp paradigm. The intent is to provide a common formal base from which domain specific simulators can be modeled, verified, and developed. PVS constructs are developed to represent basic Time Warp constructs. Correctness conditions for Time Warp simulation are identified, describing causal ordering of event processing and correct rollback processing. The PVS theorem prover and type-check condition system are then used to verify all correctness conditions. In addition, the paper discusses the frameworks reusability and extensibility properties in support of specification and verification of Time Warp extensions and optimizations.

Formal verification and empirical analysis of rollback relaxation

Time Warp is the most common mechanism used for implementing optimistically synchronized Parallel Discrete Event Simulation (PDES). Rollback relaxation is an optimization to Time Warp that reduces the space and time requirements of rollback. Rollback relaxation is applicable to simulation systems that contain memoryless components (i.e., components whose output at any instant of time is determined completely by its inputs at that time). For such components, a complete rollback is not necessary for the correct completion of simulation. Instead, on the receipt of a straggler message, a rollback relaxed processes merely aligns the input set to send new, and validate already sent, output messages. This optimization has been implemented and has experimentally proven to enhance the performance of Time Warp simulations. However, no formal proof of the correctness of rollback relaxation exists (although correctness proofs of Time Warp do). In this paper, we formally specify and verify the correctness of rollback relaxation. The problem is specified using the Prototype Verification System (PVS) Specification Language and proved using the PVS Prover.

Using automatable proof obligations for component-based design checking

The complexity of modern systems is reflected in a proportionate increase in the complexity of their design and verification. Formal analysis methods are of particular interest because they provide the mathematical foundation necessary for rigorous analysis; successful formal analysis of a system provides a high level of assurance of correctness and conformance with specifications. Unfortunately for a number of reasons, formal analysis techniques have failed to scale to large systems. In traditional engineering disciplines, decomposition and component-based design activities have contributed substantially to effective design of large systems. Consequently, this paper presents some proof obligations that perform partial correctness checks on hierarchically designed systems. Since the obligations are applied locally, they avoid the state explosion associated with formal analysis of a large system. The obligations represent initial steps towards the goal of decompositional verification of designs.

Composing specifications in VSPEC

As systems become increasingly complex and existing methodologies become insufficient to handle the complexity, the design community is beginning to look at formal methods for a possible solution. Techniques involving a limited use of formal techniques (such as semi-formal methods and equivalence checking) have given a glimpse of what full usage of formal techniques can achieve. For the use of formal methods to be a widely accepted methodology among designers, it must provide the designers with the capabilities of structuring specifications in a manner similar to the structuring they are used to using with programming languages. In this paper, we provide a description of the structuring capabilities of VSPEC (VHDL SPECification), a requirements specification language for VHDL. These capabilities include the use of multiple pre- and post-condition pairs within a single specification and combination of specifications using common Boolean operators.

Formal Specification and Verification of the pGVT Algorithm

The time warp mechanism is a technique for optimistically synchronizing Parallel and distributed Discrete Event-driven Simulators (PDES). Within this synchronization paradigm lie numerous parallel algorithms, chief among them being an estimation of the Global Virtual Time (GVT) value for fossil collection and output commit. Because the optimistic synchronization strategy allows for temporary violations of causal relations in the system being simulated, developing algorithms that correctly estimate GVT can prove extremely difficult. Testing and debugging can also prove difficult as error situations are frequently not repeatable due to varying load conditions and processing orders. Consequently, the application of formal methods to develop and analyze such algorithms are of extreme importance. This paper addresses the application of formal methods for the development of GVT estimation algorithms. More precisely, the paper presents a formal specification for and verification of one specific GVT estimation algorithm, the pGVT algorithm. The specifications are presented in the Larch Shared Language and verification completed using the Larch Proof Assistant. The ultimate goal of this work is to develop a reusable infrastructure for GVT proof development that can be used by developers of new GVT estimation algorithms.

Large Scale Active Networks Simulation

With the addition of user-controllable computing capabilities to conventional data networks, the network can no longer be perceived as a passive conveyor of bits. It transforms into a generic computational engine or an “active network”. While such capabilities open up many exciting possibilities for network designers, simulation of such large scale high-performance networks is exacerbated by a number of issues. Issues such as scalability and expressibility, will be addressed by the simulator designer as simulation requires the designer to “implement” models of the active networks systems. This paper proposes the use of a parallel simulation (using relaxed synchronization strategies, such as Time Warp) environment to accurately simulate the behavior and profile the performance of large scale, active networks.