Xianghua Deng

Cadena: an integrated development, analysis, and verification environment for component-based systems

The use of component models such as Enterprise Java Beans and the CORBA Component Model (CCM) in application development is expanding rapidly. Even in real-time safety/mission-critical domains, component-based development is beginning to take hold as a mechanism for incorporating non-functional aspects such as real-time, quality-of-service, and distribution. To form an effective basis for development of such systems, we believe that support for reasoning about correctness properties of component-based designs is essential. In this paper, we present Cadena - an integrated environment for building and modeling CCM systems. Cadena provides facilities for defining component types using CCM IDL, specifying dependency information and transition System semantics for these types, assembling systems from CCM components, visualizing various dependence relationships between components, specifying and verifying correctness properties of models of CCM systems derived from CCM IDL, component assembly information, and Cadena specifications, and producing CORBA stubs and skeletons implemented in Java. We are applying Cadena to avionics applications built using Boeings Bold Stroke framework.

Invariant-based specification, synthesis, and verification of synchronization in concurrent programs

Concurrency is used in modern software systems as a means of addressing performance, availability, and reliability requirements. The collaboration of multiple independently executing components is fundamental to meeting such requirements and such collaboration is realized by synchronizing component execution.Using current technologies developers are faced with a tension between correct synchronization and performance. Developers can be confident when simple forms of synchronization are used, for example, locking all accesses to shared data. Unfortunately, such simple approaches can result in significant run-time overhead, and, in fact, there are many cases in which such simple approaches cannot implement required synchronization policies. Implementing more sophisticated (and less constraining) synchronization policies may improve run-time performance and satisfy synchronization requirements, but fundamental difficulties in reasoning about concurrency make it difficult to assess their correctness.This paper describes an approach to automatically synthesizing complex synchronization implementations from formal high-level specifications. Moreover, the generated coded is designed to be processed easily by software model-checking tools such as Bandera. This enables the generated synchronization solutions to be verified for important system correctness properties. We believe this is an effective approach because the tool-support provided makes it simple to use, it has a solid semantic foundation, it is language independent, and we have demonstrated that it is powerful enough to solve numerous challenging synchronization problems.

Model-checking Middleware-based Event-driven Real-time Embedded Software ?

Component frameworks such as the CORBA Component Model (CCM) and middleware services such as the CORBA Event Service are increasingly being used to build safety / mission-critical distributed real-time embedded (DRE) systems. In this paper, we present a novel model-checking infrastructure for checking global temporal properties of DRE systems built on top of a Real-Time CORBA Event Service using CCM architectures. We describe how (a) building support for OO structures and communication layers directly in an extensible model-checker and (b) leveraging domain properties related to priorities, scheduling, and timing can dramatically reduce the costs of checking realistic systems.

Space Reductions for Model Checking Quasi-Cyclic Systems

Despite significant research on state-space reductions, the poor scalability of model checking for reasoning about behavioral models of large, complex systems remains the chief obstacle to its broad acceptance. One strategy for making further progress is to exploit characteristics of classes of systems to develop domain-specific reductions.

Cadena: An Integrated Development Environment for Analysis, Synthesis, and Verification of Component-Based Systems

This tool paper gives an overview of Cadena – an integrated environment for building and modeling systems built using the CORBA Component Model (CCM). Cadena provides facilities for defining component types using CCM IDL, specifying dependency information and transition system semantics for these types, assembling systems from CCM components, visualizing various dependence relationships between components, specifying and verifying correctness properties of models of CCM systems derived from CCM IDL, component assembly information, and Cadena specifications, and producing CORBA stubs and skeletons implemented in Java. Cadena has been applied to build applications in Boeing’s Bold Stroke framework for avionics mission-control systems. Cadena is implemented in IBM’s Eclipse open-source IDE and is freely available.

Bakar Kiasan: flexible contract checking for critical systems using symbolic execution

SPARK, a subset of Ada for engineering safety and security-critical systems, is designed for verification and includes a software contract language for specifying functional properties of procedures. Even though SPARK and its static analysis components are beneficial and easy to use, its contract language is almost never used due to the burdens the associated tool support imposes on developers. In this paper, we present: (a) SymExe techniques for checking software contracts in embedded critical systems, and (b) Bakar Kiasan, a tool that implements these techniques in an integrated development environment for SPARK. We describe a methodology for using Bakar Kiasan that provides significant increases in automation, usability, and functionality over existing Spark tools, and we present results from experiments on its application to industrial examples.

Kiasan: A Verification and Test-Case Generation Framework for Java Based on Symbolic Execution

Best program practices in software engineering emphasize software components that are loosely coupled and can be independently developed by different vendors. While these approaches improve the process of software development, however, they present a number of challenges involving reasoning about the correctness of individual components as well as their integration. Design-by-contract reasoning offers a promising approach to reason about software components by requiring software contracts that describe the behaviors of the components. This allows one to focus at satisfying the contract of each component, i.e., it allows compositional reasoning. In this paper, we present Kiasan, a technique that combines symbolic execution, model checking, theorem proving, and constraint solving to support design-by-contract reasoning of object-oriented software. There are a number of interesting tradeoffs between Kiasan other approaches such as ESC/Java. While checking in Kiasan is sometime more expensive, Kiasan can check much stronger behavioral properties of object-oriented software including properties/software that makes extensive use of heap-allocated data. In addition, Kiasan naturally generates counter examples, visualization of code effects, and JUnit test cases that are driven by code and user-supplied specifications. We present Kiasan and describe how it is implemented on top of the Bogor framework. Furthermore, we present a case study in which Kiasan is applied to a variety of examples and we discuss insights gained from our experience.

SyncGen: An aspect-oriented framework for synchronization

This paper describes SyncGen – a tool for automatically synthesizing complex synchronization implementations from formal high-level specifications. In SyncGen, synchronization specifications are phrased using first-order logic or user-friendly specification patterns. From a high-level specification, a language independent synchronization solution in an intermediate guarded-command language is synthesized. Back-end translators can translate this intermediate solution into a variety of implementation frameworks including Java, C++/C with POSIX threads, and Controller Area Network message passing primitives. SyncGen has been used extensively in courses at Kansas State University. Its breadth of applicability has been demonstrated by using it to solve virtually all of the exercises given in the well-known concurrency text books of Andrews [1,2] and Hartley [4], as well as a variety of real-world problems in the embedded computing domain. The tool, along with supporting documentation and an example repository, is publicly available [6].

Efficient symbolic execution of value-based data structures for critical systems

Symbolic execution shows promise for increasing the automation of verification tasks in certified safety/security-critical systems, where use of statically allocated value-based data structures is mandated. In fact Spark/Ada, a subset of Ada designed for verification and used for building critical systems, only permits data structures that are statically allocated. This paper describes a novel and efficient graph-based representation for programs making use of value-based data structures and procedure contracts. We show that our graph-based representation offers performance superior to a logic-based representation that is used in many approaches that delegate array reasoning to a decision procedure.

Enhancing spark's contract checking facilities using symbolic execution

Spark, a subset of Ada for engineering safety and security-critical systems, is one of the best commercially available frameworks for formal-methods-supported development of critical software. Spark is designed for verification and includes a software contract language for specifying functional properties of procedures. Even though Spark and its static analysis components are beneficial and easy to use, its contract language is rarely used for stating properties beyond simple constraints on scalar values due to the burdens the associated tool support imposes on developers. Symbolic execution (SymExe) techniques have made significant strides in automating reasoning about deep semantic properties of source code. However, most work on SymExe has focused on bug-finding and test case generation as opposed to tasks that are more verification-oriented such as contract checking. In previous work we have presented: (a) SymExe techniques for checking software contracts in embedded critical systems, and (b) Bakar Kiasan, a tool that implements these techniques in an integrated development environment for Spark. In this paper, we give a detailed walk-through of Bakar Kiasan as it is applied to an industrial code base for an embedded security device. We illustrate how Bakar Kiasan provides significant increases in automation, usability, and functionality over existing Spark contract checking tools, and we present results from performance evaluations of its application to industrial examples.