* Virtual Library * Formal Methods * Meetings

___________________

WIFT'95 Tool Demonstrations [Audio welcome]

___________________

Co-chairs:
Jonathan Bowen, Oxford University Computing Laboratory (UK)
Lynn Marshall, Bell-Northern Research Ltd. (Canada)

The following formal methods tools were demonstrated at the 1995 Workshop on Industrial-Strength Formal Specification Techniques (WIFT'95):

Date: Thursday, April 6, 1995 (5:30pm to 8pm)
Venue: Computer Science and Engineering Department, Florida Atlantic University

Tool Descriptions

FDR (Dave Jackson)

FDR - A verification tool for finite state systems

FDR (Failures-Divergence Refinement) is a software package which allows the automatic checking of many properties of finite state systems and the interactive investigation of processes which fail these checks. It is based on the mathematical theory of Communicating Sequential Processes (CSP), developed at Oxford University and subsequently applied successfully in a number of industrial applications. Systems with 10**7 states can be analysed in minutes on a standard low-end workstation. Unlike most packages of this type, FDR was specifically developed for industrial applications, in the first instance at Inmos where it is used to develop and verify communications hardware. Therefore it is constructed to make its capabilities understandable and usable, and has extensive debugging facilities to allow system development, rather than simply verification. Existing and potential applications include VLSI design, protocol development and implementation, networking and data distribution, control, signalling, fault-tolerant systems, telecommunications and man-machine interface.

FDR supports reasoning about communicating systems of finite-state processes using the untimed theory of CSP, where we are interested in the order, but not exact times, of events. The theory of refinement in CSP allows most correctness conditions (safety and liveness, but not fairness in the current version) to be encoded as the most nondeterministic process satisfying them. We can test whether an implementation meets the specification by deciding if it refines the specification process. FDR is therefore built around this decision question. It implements a normalisation procedure for the specification process, which represents the specification in a form where the implementation can be checked against it by model-checking techniques (exploring reachable states). Both the specification and the implementation must therefore be finite-state processes.

Because FDR is designed for the development of systems which have complex behaviour. Frequently a first attempt at an implementation will fail to meet its specification, and it is vital that the system developer has the means to understand why. When a refinement check fails, FDR provides the means to explore the way the error arose. It allows the user to explore the state of the implementation, and its subprocesses at the point where the error was detected, and during the prior evolution of the system.

Environment

The software currently runs on Sun SPARC systems (and clones) running SunOS or Solaris 2 and IBM RS/6000 workstations running AIX 3.2.2. Versions for Intel-based Unix systems are in testing, and alternative platforms are being investigated. We do not recommend using FDR on systems with less than 16Mb of physical memory; at least 60 Mb of virtual memory is recommended.

Further details

Please contact:
David Jackson,
Formal Systems (Europe) Ltd
3 Alfred Street
Oxford OX1 4EH
UK

Tel: +44 (0)1865 728460
Fax: +44 (0)1865 201114
E-mail: dave@fsel.com

VDM++ Toolset (Kevin Lano/Nico Plat)

The Venus Environment

General

The Venus environment provides support for the development of object-oriented concurrent systems, based on the combined application of graphical modelling (with Rumbaugh's OMT [4], one of the most popular object-oriented techniques) and formal specification (with VDM++ [1]). Objective of Venus is to provide added value through coupling pragmatic industrial methods with formal methods.

Venus components

Venus consists of three separate components:
  1. The LOV/OMT environment [6] supporting the OMT notation. It consists of a graphical editor for class diagrams (*) with checking facilities.
  2. The VPP environment [3] supporting the formal specification language VDM++.
  3. A coupling module [5], consisting of a transformer from class diagrams to VDM++ specifications (VDM++ generator) and graphical display facilities for the localisation of errors in VDM++ specifications. The VDM++ generator is based on so-called `G-templates' and can be customized to various generation strategies.

Venus supported activities

Venus supports the following types of activities during the software development process:

Hardware requirements

-----------------------------------------------------------------------
| Item             | Requirements                                     |
|==================|==================================================|
| Platform         | Sun-4 (SPARC)         | HP 9000/700 series       |
|------------------|-----------------------|--------------------------|
| Operating system | Sun-OS 4.1 or         | HP-UX version 9          |
|                  | Solaris 2.3           |                          |
|------------------|--------------------------------------------------|
| Window           | OSF Motif 1.1 or                                 |
| management       | OpenWindows version 2 or 3 (Sun-4 platform only) |
|------------------|--------------------------------------------------|
| Internal memory  | Minimum 16 Mbytes                                |
|------------------|--------------------------------------------------|
| Swap space       | Minimum 25 Mbytes                                |
|------------------|--------------------------------------------------|
| Disk space       | Minimum 25 Mbytes                                |
|------------------|--------------------------------------------------|
| Installation     | DC 6150 data cartridge tapes or                  |
| device needed    | Exabyte cartridges (112 m) or                    |
|                  | FTP connection (VPP only)                        |
-----------------------------------------------------------------------
A colour monitor is recommended.

More information

More information on Venus can be obtained from:
Mr. Philippe Leblanc
Verilog S.A.
150 rue Nicolas Vauquelin
B.P. 1310
31106 Toulouse Cedex
FRANCE

Tel: +33-61-192939
Fax: +33-61-408452
E-mail: leblanc@verilog.fr

or from:
Mr. Henrik Voss
IFAD
Forskerparken 10
5230 Odense M
DENMARK

Tel: +45-63-157131
Fax: +45-65-932999
E-mail: toolbox@ifad.dk

Acknowledgements

The development of Venus has been partially funded by the Commission of the European Communities (CEC) under the ESPRIT-III programme in the area of Information Processing Systems, project no. 6500: Applying Formal Methods to Real-sized Object Oriented Designs in Technical Environments (Afrodite).

References

[1]
E.H. Durr and N. Plat (editor). VDM++ Language Reference Manual. Afrodite (ESPRIT-III project number 6500) document AFRO/CG/ED/LRM/V10, Cap Volmac, February 1995.
[2]
Wilf R. LaLonde and John R. Pugh. Inside Smalltalk, volume 2. Prentice Hall International, 1990.
[3]
Nico Plat. VPP User Manual. Afrodite (ESPRIT-III project number 6500) document AFRO/CG/NP/VPPUM/V3, Cap Volmac, January 1995.
[4]
James Rumbaugh, Michael Blaha, William Premerlani, Frederick Eddy, and William Lorensen. Object-oriented Modeling and Design. Prentice Hall International, 1991.
[5]
Verilog. Venus User Manual; Combined Use of OMT and VDM++. Afrodite (ESPRIT-III project number 6500) document AFRO/VERILOG/PLB/UM/V2.2, Verilog, March 1995.
[6]
Verilog S.A. LOV Object Editor (user documentation), 1993.
(*) Similar editors are available for OMT's functional diagrams and behavioural diagrams from vendor Verilog S.A. These are, however, currently not part of Venus.

Cabernet (Mauro Pezzé)

Overview of the tool

Cabernet supports formal development of real-time systems. It provides an homogeneous framework for specifying, executing and validating real-time system specifications based on a temporal and functional extension of Petri nets. Main components of Cabernet are:

Cabernet is available free of charge since the beginning of 1994. More than 30 licences have been signed so far by universities, research institutions and private companies located in Europe, US, Canada, Central and South America, Japan. Cabernet has been validated on several case-studies provided by independent institutions. The most notable case-studies are: a gas burner, proposed in the literature, a node of an electrica switching network, proposed by the Italian Electricity Company, the control system of a robot arm, proposed by ESA, the control system of a railway crossing, proposed as working example for IWSSD94.

Cabernet is now background of an ESPRIT project (IDERS), that aims at building commercial tools based on the most innovative ideas that can find immediate success n the market. In particular the customization and animation components should be implemented to enhance Software through Picture, one of the main commercial tools that support the development of real-time systems.

Cabernet is available via anonymous FTP from ftp-se.elet.polimi.it: executable code, manuals, and related documentation are provided.

Hardware and software requirements

Cabernet requires a Sun SPARCstation with SunOS 4.1.1 or higher, X, and at least 15 MB of free disk. Availability of the C++ compiler gcc version 2.5.8 and the Motif libraries are preferable but not mandatory. Cabernet is currently available on HP and DEC stations as well, but not all functionalities are provided on these platforms.

Contact person

Professor Mauro Pezzé
Dipartimento di Elettronica
Politecnico di Milano
Piazza Leonardo da Vinci 32
20133 Milano
ITALY

Tel: +39-2-2399-3523
Fax: +39-2-2399-3411
E-mail: pezze@elet.polimi.it

VDM Toolbox (Peter Gorm Larsen)

VDM-SL is a wide-spectrum formal specification language

The Vienna Development Method (VDM) is one of the most mature formal methods, primarily intended for the formal specification and the subsequent development of functional aspects of software systems. A central element of VDM is its specification language: VDM-SL.

VDM-SL is a formal specification language which is used during the specification and design phases of a software development project and supports the production of correct and high quality software. Compared to traditional textual specifications, a formal specification is unambiguous and can be automatically checked for many inconsistencies and errors. Using the high-level constructs offered by VDM-SL a specification can be described formally without dealing with implementation details.

VDM-SL is a wide spectrum specification language: it can be used for both highly abstract specifications and for specifications at a very low level of abstraction, and it supports both functional and imperative specification styles.

VDM-SL is being standardised under the auspices of the International Standards Institution (ISO) and the British Standards Institution (BSI). The standard is expected to become finally accepted in 1994.

The IFAD VDM-SL Toolbox: a pragmatic approach to formal methods

What separates the Toolbox from most other CASE tools for formal methods is the way the functional aspects of a specification are analysed. Although it is possible to produce mathematical proofs of properties of a specification, proof is complex and resource demanding. Even for medium size specifications, the automated proof support tools are still not good enough.

Test Instead of Proof

The Toolbox represents a more pragmatic approach to the analysis of the functional aspects of a specification. Instead of supporting proof techniques, the Toolbox supports testing of executable specifications. Testing is a well-known approach from programming languages, and as proving specifications usually becomes almost impossible within the resources of a normal development project, testing becomes the only complement to reviews and static checks.

In order to test a specification it is necessary to be able to execute it, and the Toolbox therefore supports both execution and debugging facilities for all executable constructs in VDM-SL. The test coverage tool enables the specifier to see how well a test suite covers the specification by displaying the parts of the specification which have not been executed during the test.

The test suites which were used to test the specification, can often be re-used when testing the implementation. This will help to ensure a correct transformation from the specification into an implementation.

The IFAD VDM-SL Tools

The IFAD VDM-SL Toolbox is a set of tools which support the development of formal specifications using the latest version of the complete VDM-SL standard, extended with a structuring mechanism based on the concept of modules.

The Toolbox supports:

The tools have been designed and tested incrementally through actual use in medium to large-scale projects (5 - 10,000 lines of VDM-SL) with an emphasis on practical features.

All the tools in the IFAD VDM-SL Toolbox are integrated through an interface to the GNU Emacs text editor but they are also available as Unix command-line tools.

The interpreter executes VDM-SL specifications

The VDM-SL interpreter supports all executable constructs in VDM-SL. This range from simple value constructors like set comprehension and sequence enumeration to more advanced constructs like exception handling, lambda expressions, loose expressions and pattern matching. The interpreter also supports both polymorphic and higher order functions.

One of the benefits of executing specifications is that testing techniques can be used to assist validation of the specifications. In the development process small examples for parts of a specification can be executed to enhance the designer's knowledge of, and confidence in the specification. Furthermore an executable specification can form a running prototype.

Specifications can be debugged during execution

A source-level debugger is essential when working with executable specifications. The VDM-SL debugger supports the functionality found in debuggers for ordinary programming languages including:

A powerful type checker supports static checks of specifications

The static semantic analyzer is an advanced type checker and it supports most of the static semantics levels prescribed by the ISO proto-standard. It contains a powerful type inference mechanism which also shows proof obligations with respect to the type system.

Generating and inspecting test coverage information

Test coverage information can be automatically recorded during the evaluation of a test-suite. The specifier can at any point check which parts of the specification are most frequently evaluated and which parts have not been covered at all.

The test coverage information is displayed directly in the source-file, in a comprehensive form which is easy to read.

Technical Information

Hardware: Software: Content of delivery: Documentation includes: Optional Add-on feature: Further information:
Peter Gorm Larsen
IFAD
Forskerparken 10
5230 Odense M
DENMARK

Tel: +45 63 15 71 31
Fax: +45 65 93 29 99
E-mail: toolbox@ifad.dk

PVS (John Rushby)

The PVS Verification System

Computer Science Laboratory
SRI International
Menlo Park, CA, USA
pvs-request@csl.sri.com

PVS provides mechanized support for formal specification and verification. It builds on over 15 years experience at SRI in building and using tools to support formal methods, and we believe you will find it among the most effective verification systems for several classes of applications. The system is freely available under license from SRI and has been installed at over 30 sites in North America, Europe, and Asia.

PVS consists of a specification language, a number of predefined theories, a theorem prover, various utilities, documentation, and several examples that illustrate different methods of using the system in several application areas. PVS exploits the synergy between a highly expressive specification language and powerful automated deduction; for example, some elements of the specification language are made possible because the typechecker can use theorem proving. This distinguishing feature of PVS has allowed perspicuous and efficient treatment of many examples that are considered difficult for other verification systems.

The specification language of PVS is based on classical, typed higher-order logic. The base types include uninterpreted types that may be introduced by the user, and built-in types such as the booleans, integers, reals, and the ordinals up to epsilon_0; the type-constructors include functions, sets, tuples, records, enumerations, and recursively-defined abstract data types. Predicate subtypes and dependent types can be used to introduce constraints, such as the type of prime numbers. These constrained types may incur proof obligations during typechecking, but greatly increase the expressiveness and naturalness of specifications. In practice, most of the obligations are discharged automatically by the theorem prover. PVS specifications are organized into parameterized theories that may contain assumptions, definitions, axioms, and theorems. Definitions are guaranteed to provide conservative extension; to ensure this, recursive function definitions generate proof obligations. PVS expressions provide the usual arithmetic and logical operators, function application, lambda abstraction, and quantifiers, within a natural syntax. Names may be freely overloaded, including those of the built-in operators such as AND and +.

The PVS theorem prover provides a collection of powerful primitive inference procedures that are applied interactively under user guidance. The primitive inferences include propositional and quantifier rules, induction, rewriting, and decision procedures for linear arithmetic. User-defined procedures can combine these primitive inferences to yield higher-level proof strategies. Proofs yield scripts that can be edited, attached to additional formulas, and rerun. This allows many similar theorems to be proved efficiently, permits proofs to be adjusted economically to follow changes in requirements or design, and encourages the development of readable proofs.

PVS uses GNU Emacs to provide an integrated interface to its specification language and prover, and provides many status-reporting and browsing tools, as well as the ability to generate typeset specifications (in user-defined notation) using LaTeX.

PVS is mainly intended for the formalization of requirements and design-level specifications, and for the analysis of intricate and difficult problems. It (and its predecessors) have been chiefly applied to algorithms and architectures for fault-tolerant flight control systems, and to problems in hardware and real-time system design. Several examples are described in papers available from the SRI Formal Methods WWW page. Recent work has developed PVS methodologies for hardware verification (including integration with a BDD-based decision procedure for large propositional formulas and with a model checker), and for concurrent and real-time systems (including a transparent embedding of the duration calculus). Collaborative projects involving PVS are ongoing with NASA and several aerospace companies; applications include a microprocessor for aircraft flight-control, diagnosis and scheduling algorithms for fault-tolerant architectures, and requirements specification for the Jet-Select function of the Space Shuttle flight-control system.

PVS is implemented in Common Lisp and runs on most modern workstations (we can probably port it to any Unix machine for which GNU Emacs and a Common Lisp compiler with integrated CLOS are available). A version in Allegro Lisp for Sun SPARCstations is available by anonymous FTP. All PVS installations must be licensed by SRI International, but there is no charge. (We do charge for tapes and for nonstandard versions). The system is fully documented in three volumes (language, system, and prover), and a tutorial is also available.

To obtain a copy of PVS by anonymous FTP, retrieve the files README and INSTALL from directory /pub/pvs on ftp.csl.sri.com [192.12.33.94] and follow the instructions. These files can also be reached via via WWW. For further information on PVS, please send a message to pvs-request@csl.sri.com.

Note: The current version of PVS is a beta-release. The documentation is not too well organized, and is incomplete. There are very few introductory examples (look in /pub/pvs/examples for what there are). For this reason, we do not advertise the availability of PVS very widely; most of the active users of PVS have spent at least a few days here at SRI learning to use the system under our guidance. We expect to release a new version of the system in the spring of 1995, with substantial extensions, uptodate documentation (with an index!), and several introductory examples.

(Information adapted from an on-line overview.)

Luigi Logrippo: ELUDO LOTOS Toolset.

ELUDO: The University of Ottawa LOTOS Toolkit

Over the past several years, a toolkit for LOTOS has been under development at the University of Ottawa. The interpreter is called ELUDO (Environnement LOTOS de l'Universite d'Ottawa), and XELUDO in its X window version.

The main currently operational tools in ELUDO are ISLA, SELA, and GOAL. LMC and LOTEST are also functional, however their user interface is not integrated, thus it is somewhat more difficult to use them.

ISLA: Step-by-step Execution Mode

The execution of a LOTOS specification can be represented as a tree, where the root of the tree is the specification itself, the intermediate nodes are behavior expressions and the branches of the tree represent LOTOS actions. Once a LOTOS specification is written, the user can invoke ISLA to simulate the sequence of possible actions that are permitted by the specification. The user may choose to simulate the whole specification at once, or only parts of it (certain processes). At each step, during simulation, the user is prompted with a menu of possible next actions. The user chooses the next action to be executed and, if the selected action requires data to be supplied by the environment (the user plays the role of the environment), then data must be entered for the simulation to continue. A menu-driven facility prompts the user with appropriate choices for data. Also, at any point during simulation, the user may ask to see the current behavior of the system or the behavior that will result by executing one of the possible next actions.

SELA: The Symbolic Expander for LOTOS Applications

The step-by-step execution mode is very useful but it is also time consuming. ELUDO allows one to compute the tree of all possible next actions from the current point, or any given point in the tree. This is known as the symbolic execution tree because expressions are computed in terms of (not necessarily) bounded value identifiers. In terms of LOTOS theory, the calculation of this tree is called 'expansion'. When generating a symbolic tree, guards and predicates, whose values depend on interactions with the environment, are assumed to be true. In addition, the user is required to set limits on the depths and widths of the symbolic tree to be generated.

LMC: LOTOS Model Checker

LMC performs CTL model-checking on the tree produced by SELA, using the well-known algorithms of Clarke, Emerson, and Sistla.

LOTEST: LOTOS Test Case Generator

LOTEST performs test case generation for LOTOS specifications, according to the standard CO-OP method.

Goal-Oriented Execution

Both ISLA and SELA suffer the well-known problem of state explosion: for most practical specifications, execution trees grow very quickly. Goal-oriented execution attempts to relieve this problem. In this type of execution, the tool attempts to find execution sequence(s) leading to a certain action or sequence of actions (these are the 'goals'). The specification is scanned statically to find where the action(s) can be found. Then the inference rules are applied, taking into consideration this information. The result are sets of execution sequences reaching the goals.

Hardware Requirements

The toolkit should function on any reasonably sized Sun SPARCstation.

HyTech (Pei-Hsin Ho)

HyTech: A Symbolic Model Checker for hybrid systems

Thomas A. Henzinger, Pei-Hsin Ho, Howard Wong-Toi
Computer Science Department, Cornell University
(tah|ho|howard)@cs.cornell.edu

We will demonstrate HyTech, the Cornell Hybrid Technology Tool, on the verification and analysis of several hybrid-system benchmarks.

Hybrid systems are computing systems that react, in real time, to both discrete and continuous activities (such as analog signals, real time, and real speed). Typical examples of hybrid systems are embedded systems. Due to the rapid development of digital processor technology, hybrid systems directly control much of what we depend on in our daily lives. Many hybrid systems, ranging from automobiles to aircraft, operate in safety-critical situations, and therefore call for rigorous analysis techniques. Model checking is an algorithmic technique for analyzing finite-state systems that has recently been extended to certain infinite-state systems, including linear hybrid systems [AHH93].

HyTech (The Cornell Hybrid Technology Tool) is a symbolic model checker for linear hybrid systems. We represent hybrid systems as "hybrid automata", an extension of finite-state machines with continuous variables whose dynamics are governed by differential equations. We write requirement specifications in "integrator computation tree logic" (Ictl), a branching-time temporal logic with clock variables for specifying timing constraints. Given a hybrid automaton describing a system and an Ictl formula describing a requirement, HyTech computes the set of system states that satisfy the requirement.

The current version of HyTech consists of a Mathematica main program, and a set of C++ subroutines that make use of Halbwachs' polyhedron manipulation library [HRP94]. We are also re-implementing HyTech entirely in C++. We have applied HyTech to verify more than 30 hybrid-system benchmarks, including a Philips audio control protocol.

The system requirement for this tool is a Sun SPARC workstation.

References

[AHH93]
R.~Alur, T.A. Henzinger, and P.-H. Ho. "Symbolic verification of embedded systems," in Proceedings of the 14th Annual Real-time Systems Symposium, pages 2--11. IEEE Computer Society Press, 1993.
[HRP94]
N.~Halbwachs, P.~Raymond, and Y.-E. Proy. "Verification of linear hybrid systems by means of convex approximation," in Proceedings of the First Static Analysis Symposium, 1994.

Amphion (Thomas Pressburger)

Amphion: Automatic Programming for Component Libraries

Michael Lowry, Andrew Philpot, Thomas Pressburger

Amphion is a system that guides a user in developing a diagrammatic formal specification of a problem and then automatically synthesizes a program to solve the problem from this specification. The program consisting of calls to components from a component library, e.g. subroutines from a subroutine library. Amphion is a generic architecture that is specialized to a particular domain and subroutine library through a domain theory and domain-specific theorem-proving tactics. Program synthesis is based upon deductive synthesis (theorem proving); therefore, the synthesized program correctly implements the specification if the domain theory is correct. The demo will show Amphion/NAIF, the application of Amphion to the domain of solar system kinematics as supported by a subroutine library called SPICELIB. SPICELIB was developed at JPL to support the planetary science community in planning and analyzing the observation geometries of solar system bodies in interplanetary scientific missions. A typical example of the kinds of problems that can be solved using Amphion/NAIF is predicting the location of the shadows of the moons of Jupiter on Jupiter's surface as seen by the Galileo spacecraft. The Amphion/NAIF domain theory has been extended to include the theory of a graphics display library also developed at JPL, so that Amphion can generate programs that display wireframe animations of astronomical situations.

Hardware requirements

Sun OS 4.1.3 (not Solaris) and X11R5.

The information in this page was prepared by Jonathan Bowen J.P.Bowen@reading.ac.uk and Lynn Marshall lynnmar@bnr.ca. It was last substantiatially updated on 18 April 1995, and as such may now be out of date. This page was provided remotely for WIFT'95 as part of the OUCL archive.