Computers are being used for more and more complex applications. Some of these applications are safety-critical, i.e., their failure results in loss of human life or severe property damage. Air traffic controllers, nuclear power plants, collision avoidance systems are all examples of safety-critical systems. Some other applications are not safety-critical in their ``orthodox'' sense, but it is still extremely important to get them right: kernels of operating systems, network protocols, etc. Some aspects of these systems, like real-time deadlines and concurrency, make them extremely hard to verify manually.
A graduate class CSC2108 ``Automated Verification'' was set up to expose students to various automatic techniques for verifying correctness of software. Application of these techniques typically involves modeling behavior of a system in a modeling language and formulating desired properties of the system in logic. Model-checking or theorem-proving techniques are then used to verify that the properties hold in the model. In Fall'97, we have looked at the following tools and techniques: model checking (SMV, Spin), theorem-proving (PVS), term-rewriting (Larch), process algebras (Concurrency Workbench), temporal logics (branching-time and linear-time) and data structures for manipulating logical expressions (BDDs). Students were required to model behavior of a simple elevator system and verify its correctness using SMV, Spin, Concurrency Workbench and PVS. For more information about the course, please refer to
http://www.cs.toronto.edu/~chechik/courses97/csc2108.The final part of the course was a substantial project. Students were given a lot of freedom in choosing the topics - anything that dealt with formal methods and verification was a fair game. Projects were done individually or in teams of two.
This volume contains six project reports. The first three reports are on case-studies of applying formal modeling techniques to non-trivial examples. Topics for the other three reports range from Petri Nets to Object-Oriented formalisms to essays on the future of formal methods in general. I hope you find these interesting. Several reports became the basis of papers submitted to formal methods conferences and workshops.
A recent trend in visual modeling tools has created a number of tools with reduced expressiveness but an intuitive, user-friendly interface. In the first report, Andre Wong looks into usability of one of such tools, UPPAAL. UPPAAL, a combined effort by Danish and Swedish researchers, is a tool box for modeling, simulating and verifying real-time systems. The report describes features of the toolset and presents a case-study: specification and analysis of a well-known bus protocol SCSI.
The second report, by Bernd Biechele and Dimi Paun, summarizes another case-study: a Production Cell benchmark, suggested by researchers at Karlsruhe. This is a real-time system with several parallel processes and a large number of desired properties. This system was modeled using the model-checker SPIN, and the properties were translated into linear-time temporal logic. In their report, Bernd and Dimi describe issues that came up while verifying properties and generating C code from the specifications.
A useful application of formal methods to communication protocols is presented in the third report. In this report, Hai Wang and T.S. Teoh describe the Go-Back-N (sliding-window) protocol which is widely used for error control in computer-communication networks, and note that in cases with high error rates or large propagation delays, performance of this protocol can be dramatically improved. But how do we guarantee that the ``improved'' protocol still provides the same services to the applications? The authors suggest to model the protocols using Concurrency Workbench - a process algebra-based tool which allows to check that two models exhibit the same external behavior. Concurrency Workbench can also be used to formulate and prove deadlock-freedom properties of protocols.
In the next report, Cathy Jansen and Alberto Paccanaro concern themselves with the problem of simplifying Petri Nets. The authors show how Place/Transition and Colored Petri Nets can be represented as Term Rewriting Systems. Term simplification and completion can then be used to reason about the nets: express the movement of tokens, prove properties, etc. The report also describes the implementation of this approach using LP, the Larch Prover.
The fifth report, by Wei Ding, gives a broad overview of the state of the art in object-oriented modeling. UML and ROOM, although not completely formal, are probably the best developed, most formal modeling methodologies. The report outlines an evolution of techniques that UML and ROOM are based on, and describes several commercial OO modeling tools.
What is the future of formal methods? Will they be embraced by everyone in computer industry or will they forever remain expensive assurance mechanisms for safety-critical systems? In his report, Danny House compares cost of application, skills required of developers, and expected impact of formal methods and higher-order languages, and draws some quite surprising conclusions.
Considering that majority of the students were first year masters students, with at most two semester-long courses in formal methods, the projects are quite impressive. I hope you will find the reports informative. Please send your comments and suggestions to chechik@cs.toronto.edu.
Marsha Chechik
Assistant Professor
Instructor for CSC2108