From verified model to executable program: the PAT approach

  • Huiquan Zhu
  • Jing Sun
  • Jin Song Dong
  • Shang-Wei Lin
Original Paper


CSP# is a formal modeling language that emphasizes the design of communication in concurrent systems. PAT framework provides a model checking environment for the simulation and verification of CSP# models. Although the desired properties can be formally verified at the design level, it is not always straightforward to ensure the correctness of the system’s implementation conforms to the behaviors of the formal design model. To avoid human error and enhance productivity, it would be beneficial to have a tool support to automatically generate the executable programs from their corresponding formal models. In this paper, we propose such a solution for translating verified CSP# models into C# programs in the PAT framework. We encoded the CSP# operators in a C# library-“PAT.Runtime”, where the event synchronization is based on the “Monitor” class in C#. The precondition and choice layers are built on top of the CSP event synchronization to support language-specific features. We further developed a code generation tool to automatically transform CSP# models into multi-threaded C# programs. We proved that the generated C# program and original CSP# model are equivalent on the trace semantics. This equivalence guarantees that the verified properties of the CSP# models are preserved in the generated C# programs. Furthermore, based on the existing implementation of choice operator, we improved the synchronization mechanism by pruning the unnecessary communications among the choice operators. The experiment results showed that the improved mechanism notably outperforms the standard JCSP library.


Modeling checking CSP# Multi-threaded programming C# 



This work was partially supported by the TRF project “Research and Development in the Formal Verification of System Design and Implementation”.


  1. 1.
    Baier C, Katoen J (2008) Principles of model checking. The MIT Press, CambridgezbMATHGoogle Scholar
  2. 2.
    Bjørndalen JM, Vinter B, Anshus OJ (2007) PyCSP—communicating sequential processes for python. In: McEwan AA, Schneider SA, Ifill W, Welch PH (eds) The 30th communicating process architectures conference (CPA’07), pp 229–248Google Scholar
  3. 3.
    Brown N (2007) C++CSP2: a many-to-many threading model for multicore architectures. In: Communicating process architectures 2007: WoTUG-30, pp 183–205Google Scholar
  4. 4.
    Brown N, Welch P (2003) An introduction to the Kent C++ CSP Library. Commun Process Archit 2003:139–156Google Scholar
  5. 5.
    Brown NC (2004) C++ CSP networked. Commun Process Archit 2004:185–200Google Scholar
  6. 6.
    East I, Martin J, Welch P, Duce D, Green M (2004) gCSP: a graphical tool for designing CSP systems. Commun Process Archit 2004 27:233Google Scholar
  7. 7.
    Freitas L (2002) JACK: a process algebra implementation in Java. Ph.D. thesis, Centro de Informatica, Universidade Federal de PernambucoGoogle Scholar
  8. 8.
    Gardner W (2000) CSP++: an object-oriented application framework for software synthesis from CSP specifications. Ph.D. thesis, Politecnico di Milano, ItalyGoogle Scholar
  9. 9.
    Gardner W (2003) Bridging CSP and C++ with selective formalism and executable specifications. In: Proceedings of first ACM and IEEE international conference on formal methods and models for co-design (MEMOCODE’03). IEEE, pp 237–245Google Scholar
  10. 10.
    Gardner W (2005) CSP++: how faithful to CSPm. In: Proc. communicating process architectures 2005 (WoTUG-27), pp 129–146Google Scholar
  11. 11.
    Hilderink G, Bakkers A, Broenink J (2000) A distributed real-time Java system based on CSP. In: Proceedings of third IEEE international symposium on object-oriented real-time distributed computing (ISORC’00). IEEE, pp 400–407Google Scholar
  12. 12.
    Hoare C (1974) Monitors: an operating system structuring concept. Commun ACM 17(10):549–557CrossRefzbMATHGoogle Scholar
  13. 13.
    Hoare C (1985) Communicating sequential processes. In: Prentice-Hall international series in computer science. Prentice/Hall International, LondonGoogle Scholar
  14. 14.
    Howard JH (1976) Proving monitors. Commun ACM 19(5):273–279. doi: 10.1145/360051.360079 CrossRefzbMATHGoogle Scholar
  15. 15.
    Jones G (1986) Programming in Occam. Prentice-Hall International, LondonGoogle Scholar
  16. 16.
    Kleine M (2009) Using CSP for software verification. In: Proceedings of formal methods 2009 doctoral symposium. Eindhoven University of Technology, pp 8–13Google Scholar
  17. 17.
    Kleine M (2011) CSP as a coordination language. In: Coordination models and languages. Springer, New York, pp 65–79Google Scholar
  18. 18.
    Lee SJ, Dobbie G, Sun J, Groves L (2010) Theorem prover approach to semistructured data design. Form Methods Syst Des 37(1):1–60. doi: 10.1007/s10703-010-0099-4 CrossRefzbMATHGoogle Scholar
  19. 19.
    Lehmberg A, Olsen M (2006) An introduction to CSP.NET. Commun Process Archit 2006:13–30Google Scholar
  20. 20.
    Li Y, Dong JS, Sun J, Liu Y, Sun J (2014) Model checking approach to automated planning. Form Methods in Syst Des 44(2):176–202. doi: 10.1007/s10703-013-0197-1 CrossRefzbMATHGoogle Scholar
  21. 21.
    Liang H, Dong JS, Sun J (2007) Evolution and runtime monitoring of software systems. In: SEKE’07: Proceedings of the 19th international conference on software engineering and knowledge engineering. Knowledge Systems Institute Graduate School, Skokie, pp 343–348Google Scholar
  22. 22.
    Liang H, Dong JS, Sun J, Duke R, Seviora RE (2006) Formal specification-based online monitoring. In: ICECCS’06: proceedings of the 11th IEEE international conference on engineering of complex computer systems. IEEE Computer Society, Washington, DC, pp 152–160. doi: 10.1109/ICECCS.2006.1690364
  23. 23.
    Lin SW, Liu Y, Hsiung PA, Sun J, Dong JS (2012) Automatic generation of provably correct embedded systems. In: Formal methods and software engineering. Springer, New York, pp 214–229Google Scholar
  24. 24.
    Liu Y, Sun J, Dong JS (2011) PAT 3: an extensible architecture for building multi-domain model checkers. In: ISSRE, pp 190–199Google Scholar
  25. 25.
    Mahony B, Dong JS (1998) Blending object-Z and timed CSP: an introduction to TCOZ. In: Proceedings of the 20th international conference on software engineering (ICSE’98). IEEE Computer Society, pp 95–104Google Scholar
  26. 26.
    Schaller N, Hilderink G, Welch P (2000) Using Java for parallel computing: JCSP versus CTJ, a comparison. In: Communicating process architectures, pp 205–226Google Scholar
  27. 27.
    Summerfield M (2012) Programming in Go: creating applications for the 21st century. Addison-Wesley Professional, Menlo ParkGoogle Scholar
  28. 28.
    Sun J, Dong JS, Jarzabek S, Wang H (2006) Computer-aided dispatch system family architecture and verification: an integrated formal approach. IEE Proc Softw 153(3):102–112. doi: 10.1049/ip-sen:20050014
  29. 29.
    Sun J, Liu Y, Dong JS, Chen C (2009) Integrating specification and programs for system modeling and verification. In: Proceedings of the third IEEE international symposium on theoretical aspects of software engineering (TASE’09), pp 127–135Google Scholar
  30. 30.
    Sun J, Liu Y, Dong JS, Liu Y, Shi L (2013) Étienne André: modeling and verifying hierarchical real-time systems using stateful timed CSP. ACM Trans Softw Eng Methodol 22(1):3:1–3:29. doi: 10.1145/2430536.2430537
  31. 31.
    Sun J, Liu Y, Dong JS, Pang J (2009) PAT: towards flexible verification under fairness. In: Proceedings of the 21th international conference on computer aided verification (CAV’09). Lecture notes in computer science, vol 5643. Springer, New York, pp 709–714Google Scholar
  32. 32.
    Sun J, Liu Y, Dong JS, Sun J (2008) Compositional encoding for bounded model checking. Front Comput Sci China 2(4):368–379. doi: 10.1007/s11704-008-0035-6 CrossRefGoogle Scholar
  33. 33.
    Welch P, Brown N, Moores J, Chalmers K, Sputh B (2007) Integrating and extending JCSP. Commun Process Archit 2007(65):349–370Google Scholar
  34. 34.
    Welch P, Martin J (2000) A CSP model for Java multithreading. In: Proceedings of international symposium on software engineering for parallel and distributed systems, pp 114–122Google Scholar
  35. 35.
    Welch P, Martin J (2000) Formal analysis of concurrent java systems. Commun Process Archit 58:275–301Google Scholar
  36. 36.
    Yang L, Poppleton M (2007) JCSProB: implementing integrated formal specifications in concurrent Java. Commun Process Archit 65:67–88Google Scholar
  37. 37.
    Yang L, Poppleton M (2010) Java implementation platform for the integrated state-and event-based specification in PROB. Concurr Comput Pract Exp 22(8):1007–1022CrossRefGoogle Scholar
  38. 38.
    Yuan L, Dong JS, Sun J, Basit HA (2006) Generic fault tolerant software architecture reasoning and customization. IEEE Trans Reliab 55(3):421–435. doi: 10.1109/TR.2006.879605
  39. 39.
    Zhang J, Liu Y, Sun J, Dong JS, Sun J (2012) Model checking software architecture design. In: 2012 IEEE 14th international symposium on high-assurance systems engineering (HASE), pp 193–200. doi: 10.1109/HASE.2012.12

Copyright information

© Springer-Verlag London 2015

Authors and Affiliations

  • Huiquan Zhu
    • 1
  • Jing Sun
    • 2
  • Jin Song Dong
    • 1
  • Shang-Wei Lin
    • 3
  1. 1.Department of Computer ScienceNational University of SingaporeSingaporeSingapore
  2. 2.Department of Computer ScienceUniversity of AucklandAucklandNew Zealand
  3. 3.School of Computer EngineeringNanyang Technological UniversitySingaporeSingapore

Personalised recommendations