Synthesis of verifiable concurrent Java components from formal models

  • Julio Mariño
  • Raúl N. N. Alborodo
  • Lars-Åke Fredlund
  • Ángel Herranz
Theme Section Paper


Concurrent systems are hard to program, and ensuring quality by means of traditional testing techniques is often very hard as errors may not show up easily and reproducing them is hard. In previous work, we have advocated a model-driven approach to the analysis and design of concurrent, safety-critical systems. However, to take full advantage of these techniques, they must be supported by code generation schemes for concrete programming languages. Ideally, this translation should be traceable, automated and should support the verification of the generated code. In our work, we consider the problem of generating a concurrent Java component from a high-level model of inter-process interaction (i.e., communication + synchronization). We call our formalism shared resources. From the model, which can be represented in mathematical notation or written as a Java interface annotated using an extension of JML, a Java component can be obtained by a semiautomatic translation. We describe how to obtain shared memory (using a priority monitors library) and message passing (using the JCSP library) implementations. Focusing on inter-process interaction for formal development is justified by several reasons, e.g., mathematical models are language-independent and allow to analyze certain concurrency issues, such as deadlocks or liveness properties prior to code generation. Also, the Java components produced from the shared resource model will contain all the concurrency-related language constructs, which are often responsible for many of the errors in concurrent software. We follow a realistic approach where the translation is semiautomatic (schemata for code generation) and the programmer still retains the power of coding or modifying parts of the code for the resource. The code thus obtained is JML-annotated Java with proof obligations that help with code traceability and verification of safety and liveness properties. As the code thus obtained is not automatically correct, there is still the need to verify its conformance to the original specs. We illustrate the methodology by developing a concurrent control system and verifying the code obtained using the KeY program verification tool. We also show how KeY can be used to find errors resulting from a wrong use of the templates.


CSP JCSP KeY Java JML Shared resources Verification Model-driven Concurrency Message passing 



This research has been partially funded by Comunidad de Madrid grant S2013/ICE-2731 (N-Greens Software) and Spanish MINECO grant TIN2012-39391-C04-03 (StrongSoft).


  1. 1.
    Ahrendt, W., Baar, T., Beckert, B., Bubel, R., Giese, M., Hähnle, R., Menzel, W., Mostowski, W., Roth, A., Schlager, S., Schmitt, H.P.: The key tool. Soft. Syst. Model. 4(1), 32–54 (2005). doi: 10.1007/s10270-004-0058-x CrossRefGoogle Scholar
  2. 2.
    Alborodo, R.N.N., Mariño, J., Ángel H.: The shared resources home page. (2014)
  3. 3.
    Araújo, J.E., Rebêlo, H., Lima, R., Mota, A., Kulesza, U., Sant’Anna, C.: An annotation-based approach for jcsp concurrent programming: a quantitative study. In: Proceedings of the 1st Workshop on Modularity in Systems Software, MISS ’11, pp. 7–11. ACM, New York, NY (2011). doi: 10.1145/1960518.1960521
  4. 4.
    Baker, P., Loh, S., Weil, F.: Model-Driven Engineering in a Large Industrial Context—Motorola Case Study, pp. 476–491. Springer, Berlin (2005). doi: 10.1007/11557432_36 Google Scholar
  5. 5.
    Ball, T., Cook, B., Levin, V., Rajamani, S., Ball, T.: Slam and static driver verifier: technology transfer of formal methods inside microsoft. Technical Report (2004)Google Scholar
  6. 6.
    Beckert, B., Hähnle, R., Schmitt, P.H. (eds.): Verification of Object-Oriented Software: The KeY Approach. LNCS 4334. Springer (2007)Google Scholar
  7. 7.
    Brinch-Hansen, P.: Structured multiprogramming. Commun. ACM 15(7), 574–578 (1972). (One of Brinch–Hansen’s seminal works on monitors)CrossRefzbMATHGoogle Scholar
  8. 8.
    Buhr, P.A., Fortier, M., Coffin, M.H.: Monitor classification. ACM Comput. Surv. 27(1), 63–107 (1995). doi: 10.1145/214037.214100 CrossRefGoogle Scholar
  9. 9.
    BV, V.S.T.: Dezyne home page. (2015)
  10. 10.
    Carro, M., Herranz, Ángel, Mariño, J.: A model-driven approach to teaching concurrency. Trans. Comput. Educ. 13(1), 5:1–5:19 (2013)CrossRefGoogle Scholar
  11. 11.
    Carro, M., Mariño, J., Ángel Herranz, Moreno-Navarro, J.J.: Teaching how to derive correct concurrent programs (from state-based specifications and code patterns). In: Dean, C., Boute, R. (eds.) Teaching Formal Methods, CoLogNET/FME Symposium, TFM 2004, Ghent, Belgium, LNCS, vol. 3294, pp. 85–106. Springer, NewYork (2004). ISBN 3-540-23611-2Google Scholar
  12. 12.
    Cok, D.R.: Openjml: software verification for Java 7 using JML, openjdk, and eclipse. In: Proceedings 1st Workshop on Formal Integrated Development Environment, F-IDE 2014, Grenoble, France, April 6, 2014, pp. 79–92 (2014). doi: 10.4204/EPTCS.149.8
  13. 13.
    Fredlund, L., Herranz-Nieva, Á., Alborodo, R.N.N., Mariño, J.: A testing-based approach to ensure the safety of shared resource concurrent systems (revised version of conference publication). J. Risk Reliab. (2015) (Accepted for publication, to appear in 2016)Google Scholar
  14. 14.
    Galeotti, J.P., Rosner, N., Lopez Pombo, C., Frias, M.: Taco: analysis of invariants for efficient bounded verification. In: Orso, T. (eds.) International Symposium on Software Testing and Analysis. Trento (2010).
  15. 15.
    Hamie, A.: Using Patterns to Map OCL Constraints to JML Specifications. Springer, Cham (2015). doi: 10.1007/978-3-319-25156-1_3 CrossRefGoogle Scholar
  16. 16.
    Herranz, A., Mariño, J.: A verified implementation of priority monitors in Java. In: Proceedings of the 2011 International Conference on Formal Verification of Object-Oriented Software, FoVeOOS’11, pp. 160–177. Springer, Berlin (2012). doi: 10.1007/978-3-642-31762-0_11
  17. 17.
    Herranz, A., Mariño, J., Carro, M., Moreno Navarro, J.J.: Modeling concurrent systems with shared resources. In: Alpuente, M., Cook, B., Joubert, C. (eds.) Formal Methods for Industrial Critical Systems. Lecture Notes in Computer Science, vol. 5825, pp. 102–116. Springer, Berlin (2009). doi: 10.1007/978-3-642-04570-7_9
  18. 18.
    Hilderink, G., Broenink, J., Vervoort, W., Bakkers, A.: Communicating java threads. In: Parallel Programming and Java. Concurrent Systems Engineering Series, vol. 50, pp. 48–76. IOS Press, Amsterdam (1997).
  19. 19.
    Hoare, C.A.R.: Monitors: an operating system structuring concept. Commun. ACM 17(10), 549–557 (1974). doi: 10.1145/355620.361161 CrossRefzbMATHGoogle Scholar
  20. 20.
    Howard, J.H.: Signaling in monitors. In: Proceedings of the 2nd International Conference on Software Engineering, ICSE ’76, pp. 47–52. IEEE Computer Society Press, Los Alamitos, CA (1976).
  21. 21.
    Klein, J., Levinson, H., Marchetti, J.: Model-driven engineering: automatic code generation and beyond. Technical Report CMU/SEI-2015-TN-005, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA (2015).
  22. 22.
    Larsen, K.G., Pettersson, P., Yi, W.: Uppaal in a nutshell. STTT 1, 134–152 (1997)CrossRefzbMATHGoogle Scholar
  23. 23.
    Leavens, G.T., Baker, A.L., Ruby, C.: JML: A notation for detailed design. In: Kilov, H., Rumpe, B., Simmonds, I. (eds.) Behavioral Specifications of Businesses and Systems. The Springer International Series in Engineering and Computer Science, vol. 523, pp. 175–188. Springer, NewYork (1999). doi: 10.1007/978-1-4615-5229-1_12
  24. 24.
    Mariño, J., Alborodo, R.N.N.: Communicating Process Architectures, chap. A Model-driven Methodology for Generating and Verifying CSP-based Java Code, pp. 85–108. Open Channel Publishing Ltd., Oxford (2015) (Accepted for publication, to appear in 2016)Google Scholar
  25. 25.
    Pajic, M., Jiang, Z., Lee, I., Sokolsky, O., Mangharam, R.: From verification to implementation: a model translation tool and a pacemaker case study. In: 2012 IEEE 18th Real Time and Embedded Technology and Applications Symposium, Beijing, April 16–19, 2012, pp. 173–184 (2012). doi: 10.1109/RTAS.2012.25
  26. 26.
    Robby, Dwyer, M.B., Hatcliff, J.: Bogor: An extensible and highly-modular software model checking framework. In: Proceedings of the 9th European Software Engineering Conference Held Jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, ESEC/FSE-11, pp. 267–276. ACM, New York, NY (2003). doi: 10.1145/940071.940107
  27. 27.
    Rodríguez, E., Dwyer, M., Flanagan, C., Hatcliff, J., Leavens, G., Robby: extending JML for modular specification and verification of multi-threaded programs. In: Black, A. (ed.) ECOOP 2005—Object-Oriented Programming, Lecture Notes in Computer Science, vol. 3586, pp. 551–576. Springer, Berlin (2005). doi: 10.1007/11531142_24
  28. 28.
    Schaller, N.C., Hilderink, G.H., Welch, P.H.: Using Java for parallel computing: JCSP versus CTJ, a comparison. In: Welch, P.H., Bakkers, A.W.P. (eds.) Communicating Process Architectures, pp. 205–226 (2000)Google Scholar
  29. 29.
    Welch, P.H., Austin, P.D., Brown, N.C.C.: Communicating Sequential Processes for Java (JCSP). (2012)

Copyright information

© Springer-Verlag Berlin Heidelberg 2017

Authors and Affiliations

  1. 1.School of Computer Science & EngineeringUniversidad Politécnica de MadridBoadilla del Monte, MadridSpain
  2. 2.IMDEA Software InstitutePozuelo de Alarcón, MadridSpain

Personalised recommendations