Wolf Zimmermann

Automatic Protocol Conformance Checking of Recursive and Parallel Component-Based Systems

Today model checking of security or safety properties of component-based systems based on finite protocols has the flaw that either parallel or sequential systems can be checked. Parallel systems can be described often by well known Petri nets, but it is not possible to model recursive behaviour. On the other hand sequential systems based on pushdown automata can capture recursion and recursive callbacks [27], but they do not provide parallel behaviour in general. n nIn this work we show how this gap can be filled if process rewrite systems (introduced by Mayr [16]) are used to capture the behaviour of components. The protocols of the components interfaces specified as finite state machines can be combined to a system equal to a process rewrite system. By calculating the reachability of the fault state range one gets a trace (counterexample) which does not satisfy the properties specified by all protocols of the combined components, if any error exists.

Automatic checking of component protocols in component-based systems

We statically check whether each component in a component-based system is used according to its protocol and provide counterexamples if such a check fails. The protocol is given by a finite state machine specifying legal sequences of procedure calls of the interface of a component. The main contribution is that we can deal with call-backs without any restrictions. We achieved this by using context-free grammars instead of finite state machines to describe the use of components.

On the correctness of transformations in compiler back-ends

This paper summarizes the results on the correctness of the transformations in compiler back-ends achieved in the DFG-project Verifix. Compiler back-ends transform intermediate languages into code of the target machine. Back-end generators allow to generate compiler back-ends from a set of transformation rules. This paper focuses on the correctness of these transformation rules and on the correctness of the whole transformation stemming from the transformation rules.

A framework for modeling the semantics of expression evaluation with abstract state machines

We present a framework for formalizing the semantics of expression evaluation using Abstract State Machines. Many programming languages allow some non-determinism for evaluating expressions. The semantics only have in common that arguments are evaluated before an operator is applied. The evaluation of one argument may be interleaved with the evaluation of the other arguments. However, programming languages usually restrict this most liberal evaluation order. For example, the expression evaluation may take into account short-circuit evaluation of boolean expressions which implies that right operands must not be evaluated before the complete left operand is evaluated. Our approach provides a generic expression evaluation semantics that only need to be instantiated adequatly. We demonstrate this approach by the example of Ada95, C, C++, Java, C#, and Fortran.

Automatic Protocol Conformance Checking of Recursive and Parallel BPEL Systems

Today model checking of Web Services formulated in BPEL is often reduced by transforming BPEL-processes to Petri nets. These can be model checked using traditional approaches. If recursion is present in the BPEL model this approach hides some possible violations of the wished behaviour. We present an approach which allows the Web Service developer to formulate more properties of the required usage of the Web Service and provide a tool that checks whether these requirements are satisfied in a Web Service based system. We use finite state machines to specify permitted sequences of receivable interactions and call them service protocols. In this paper we will show that it is possible to use BPEL representations and service protocols to check if a sequence of receivable interactions that violates a service protocol can occur. We achieve this result by translating BPEL to Process Algebra Nets (introduced by Mayr ) and applying the approach of Mayr for model checking Process Algebra Nets. Our approach computes counterexamples even for recursive and parallel programs including synchronization.

Termination analysis of business process workflows

For safety and deadlock analysis of workflows, Petri-Nets are frequently used. They provide a natural abstraction of workflows since they are able to describe parallel behavior. With a variety of model checking tools, it is possible to verify these workflows. The usual approach that abstracts business processes to Petri-Nets requires that each loop (whether purely internal or with external interactions) is terminating. In this paper, we show that without this termination assumption, there are real behaviors of business processes that are not represented by the Petri-Net abstractions and we provide a first approach towards termination analysis of loops in business processes thereby ensuring the preconditions required by many Petri-Net based approaches for analyzing business processes.

Translation validation for model-based code-generators for PLCs

The use of model-based code-generators for construction of controller software increases the reliability of the software in two ways: first, the models often can be checked for safety conditions. Second the use of code-generators prevents manual implementation faults. However, the reliability depends on the correctness of these code-generators, i.e., whether they really generate code that correctly implements the model. In this paper, we show how this correctness can be checked automatically for code-generators for PLCs

Lookahead Scheduling for Reconfigurable GRID Systems

This paper proposes an approach to continuously optimizing parallel scientific applications with dynamically changing architectures. We achieve this by combining a dynamic architecture and lookahead malleable task graph scheduling.

A Hoare-style verification calculus for control state ASMs

We present a Hoare-style calculus for control-state Abstract State Machines (ASM) such that verification of control-state ASMs is possible. In particular, a Hoare-Triple {ϕ}A{ψ} for an ASM A means that if an initial state T satisfies the precondition ϕ and a final state F is reached by A, then the final state satisfies the postcondition ψ. While it is straightforward to generalize the assignment axiom of the Hoare-Calculus to a single state transition, the composition of Hoare-Triples is challenging since typical programming language concepts are not present in ASMs.

Model Checking of Component Protocol Conformance -- Optimizations by Reducing False Negatives

In past years, a number of works considered behavioral protocols of components and discussed approaches for automatically checking of compatibality of protocols (protocol conformance) in component-based systems. The approaches are usually model-checking approaches, i.e., a positive answer guarantees protocol conformance for all executions while a negative answer provides example executions that may lead to protocol violations. It turned out that if behavioral abstractions take into account unbounded concurrency and unbounded recursion, the protocol conformance checking problem becomes undecidable. There are two possibilities to overcome this problem: (i) further behavioral abstraction to finite state systems or (ii) a conservative approximation of the protocol conformance checking problem. Both approaches may lead to spurious counterexamples, i.e., due to abstractions or approximations the shown execution can never happen. This work considers the second approach and shows a heuristics that reduces the number of spurious counterexamples by cutting off search branches that definitely do not contain real counterexamples.