
Publication


Featured research published by Willem-Paul de Roever.


formal methods | 2005

29 new unclarities in the semantics of UML 2.0 state machines

Harald Fecher; Jens Schönborn; Marcel Kyas; Willem-Paul de Roever

UML 2.0, which is the standard modeling language for object-oriented systems, has only an informally given semantics. This is in particular the case for UML 2.0 state machines, which are widely used for modeling the reactive behavior of objects. In this paper, a list of 29 newly detected trouble spots consisting of ambiguities, inconsistencies, and unnecessarily strong restrictions of UML 2.0 state machines is given and illustrated using 6 state machines having a problematic meaning; suggestions for improvement are presented. In particular, we show that the concepts of history, priority, and entry/exit points have to be reconsidered.


Lecture Notes in Computer Science | 2003

A Compositional Operational Semantics for JavaMT

Erika Ábrahám; Frank S. de Boer; Willem-Paul de Roever; Martin Steffen

Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread-classes, allowing for a multithreaded flow of control. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread creation.


formal methods for open object based distributed systems | 2003

Inductive Proof Outlines for Monitors in Java

Erika Ábrahám; Frank S. de Boer; Willem-Paul de Roever; Martin Steffen

The research concerning Java’s semantics and proof theory has mainly focussed on various aspects of sequential sub-languages. Java, however, integrates features of a class-based object-oriented language with the notion of multi-threading, where multiple threads can concurrently execute and exchange information via shared instance variables. Furthermore, each object can act as a monitor to assure mutual exclusion or to coordinate between threads.


formal methods | 2002

A Tool-Supported Proof System for Multithreaded Java

Erika Ábrahám; Frank S. de Boer; Willem-Paul de Roever; Martin Steffen

Besides the features of a class-based object-oriented language, Java integrates concurrency via its thread classes. The concurrency model includes shared-variable concurrency via instance variables, coordination via reentrant synchronization monitors, synchronous message passing, and dynamic thread creation.


Archive | 1994

Formal Semantics for Ward & Mellor's Transformation Schemas

Carsta Petersohn; Willem-Paul de Roever; Cornelis Huizing; Jan Peleska

A family of formal semantics is given for the Essential Model of the Transformation Schema of Ward & Mellor [WM85] using recent techniques developed for defining the semantics of Statecharts [Ha88] by Pnueli and Huizing. The models developed closely resemble those used for synchronous languages [Benveniste and Berry 92]. A number of ambiguities and inconsistencies in Ward & Mellor’s original definition are resolved.


formal methods | 1993

Using Relative Refinement for Fault Tolerance

Antonio Cau; Willem-Paul de Roever

A general refinement methodology is presented based on ideas of Stark, and it is explained how these can be used for the systematic development of fault-tolerant systems. Highlights are: (1) A detailed and comprehensive exposition of Stark's temporal logic and development methodology. (2) A formalization of a general systematic approach to the development of fault-tolerant systems, accomplishing increasing degrees of coverage with each successive refinement stage. That is, faults are already identified and modeled at the first implementation level, which is shown to be a relative refinement, i.e., correct for all computations in which faults do not occur. The second implementation is a fail-stop implementation, i.e., an implementation that stops on the first detected occurrence of a fault. This implementation is also a relative refinement, i.e., correct in all computations in which the program never stops. The final implementation is correct in all computations, except those that display severe faults that violate the fault-tolerance assumptions, such as all n components failing in an n-way redundant way in case of stable storage. (3) A detailed example of a multi-disk system providing stable storage, illustrating this general methodology.


Electronic Notes in Theoretical Computer Science | 2006

Compositional Operational Semantics of a UML-Kernel-Model Language

Harald Fecher; Marcel Kyas; Willem-Paul de Roever; Frank S. de Boer

We define a compositional operational semantics for state machines and their composition in UML. Each state machine describes the behavior of an object of a class. If a class of a newly generated object is active, a new activity group, which is a singly-threaded collection of objects, is generated. Communication of state machines between activity groups differs from the one inside an activity group. We introduce (i) two parallel combinators reflecting this difference, which return a SOS given that their arguments are SOS, (ii) an SOS for each state machine regarded in isolation.


mathematical foundations of computer science | 1996

Simulation of Specification Statements in Hoare Logic

Kai Engelhardt; Willem-Paul de Roever

Data refinement is a powerful technique to derive implementations in terms of low-level data structures like bytes from specification in terms of high-level data structures like queues. The higher level operations need not be coded as ordinary programs; it is more convenient to introduce specification statements to the programming language and use them instead of actual code. Specification statements represent the maximal program satisfying a given Hoare-triple. Sound and (relatively) complete simulation techniques allow for proving data refinement by local arguments. A major challenge for simulation consists of expressing the weakest lower level specification simulating a given higher level specification w.r.t. a given relation between these two levels of abstraction. We present solutions to this challenge for upward and downward simulation in both partial and total correctness frameworks, thus reducing the task of proving data refinement to proving validity of certain Hoare-triples.


formal methods | 1993

Generalizing Abadi & Lamport's Method to Solve a Problem Posed by A. Pnueli

Kai Engelhardt; Willem-Paul de Roever

By adding a new technique and a simple proof strategy to Abadi & Lamport's 1988 method [1] for proving refinement between specifications of distributed programs correct, the inherent limitation of their method, occurring when the abstract level of specification features so-called infinite invisible nondeterminism or internal discontinuity, can be sometimes overcome. This technique is applied to the cruel last step of a three step correctness proof for an algorithm for communication between migrating processes within a finite network due to Kleinman, Moscowitz, Pnueli & Shapiro [5].


Archive | 1992

Formalising Dijkstra’s Development Strategy within Stark’s Formalism

Antonio Cau; Ruurd Kuiper; Willem-Paul de Roever

Dijkstra introduced an enticing development strategy in a paper addressing the readers/writers problem. This strategy is as follows: one starts with some “stupid” (in the sense that it allows undesirable computations) first try and then tries in subsequent steps to “refine” this stupid try into a better one by eliminating (some) undesirable computations. In a number of steps one strives to get a good (in the sense that it no longer contains undesirable computations) implementation for the problem. Unfortunately this strategy is not very formal. In this paper we try to make it more formal by using Stark’s temporal logic based rely/guarantee formalism. We use this formalism in a special way in order to describe Dijkstra’s development strategy: the part intended to describe the liveness condition is used for the more general purpose of disallowing the undesirable sequences.

Collaboration



Top Co-Authors


Kai Engelhardt

University of New South Wales


Susanne Graf

Joseph Fourier University


Cornelis Huizing

Eindhoven University of Technology


Jozef Hooman

Radboud University Nijmegen


Antonio Cau

De Montfort University
