Skip to main content

Synthesis of verifiable concurrent Java components from formal models


Concurrent systems are hard to program, and ensuring quality by means of traditional testing techniques is often very hard as errors may not show up easily and reproducing them is hard. In previous work, we have advocated a model-driven approach to the analysis and design of concurrent, safety-critical systems. However, to take full advantage of these techniques, they must be supported by code generation schemes for concrete programming languages. Ideally, this translation should be traceable, automated and should support the verification of the generated code. In our work, we consider the problem of generating a concurrent Java component from a high-level model of inter-process interaction (i.e., communication + synchronization). We call our formalism shared resources. From the model, which can be represented in mathematical notation or written as a Java interface annotated using an extension of JML, a Java component can be obtained by a semiautomatic translation. We describe how to obtain shared memory (using a priority monitors library) and message passing (using the JCSP library) implementations. Focusing on inter-process interaction for formal development is justified by several reasons, e.g., mathematical models are language-independent and allow to analyze certain concurrency issues, such as deadlocks or liveness properties prior to code generation. Also, the Java components produced from the shared resource model will contain all the concurrency-related language constructs, which are often responsible for many of the errors in concurrent software. We follow a realistic approach where the translation is semiautomatic (schemata for code generation) and the programmer still retains the power of coding or modifying parts of the code for the resource. The code thus obtained is JML-annotated Java with proof obligations that help with code traceability and verification of safety and liveness properties. As the code thus obtained is not automatically correct, there is still the need to verify its conformance to the original specs. We illustrate the methodology by developing a concurrent control system and verifying the code obtained using the KeY program verification tool. We also show how KeY can be used to find errors resulting from a wrong use of the templates.

This is a preview of subscription content, access via your institution.

Fig. 1
Fig. 2
Fig. 3
Fig. 4
Fig. 5
Fig. 6
Fig. 7
Fig. 8
Fig. 9
Fig. 10
Fig. 11
Fig. 12
Fig. 13
Fig. 14
Fig. 15
Fig. 16
Fig. 17
Fig. 18
Fig. 19
Fig. 20
Fig. 21
Fig. 22
Fig. 23
Fig. 24
Fig. 25
Fig. 26
Fig. 27
Fig. 28


  1. There are several patterns or tools for translating from other specification languages to JML specification sentences. An example of them is presented in [15]; in particular, OCL specifications can easily be translated into JML.

  2. There are several patterns or tools for translating from other specification languages to JML specification sentences. An example of them is presented in [15], so OCL specifications can easily be translated into JML.

  3. For simplicity, we are assuming that the Java code for checking a boolean condition can be represented by a call to an auxiliary method, which would be part of the outcome of Pred2Java. Of course, actual code may take a different, but equivalent, form.

  4. Notice that JML assume statements are those expressions on which the code can “trust” to hold. In the case of the pre, it is assumed that the expression is valid before continuing the execution. However, assert expressions must be checked, and if some of those expressions do not hold, the code must halt or warn the user that the system is in an inconsistent state. In the case of the cpre, the expression must hold before continuing executing the critical section of the operation, indicating that the invariant holds and the access to the shared resource inner state variables is allowed.

  5. A survey on the different monitor flavors, with an analysis of the pros and cons of each proposal, can be found in [8].

  6. Also known as “condition variables,” “event queues,” etc., in the literature.

  7. This idea can be traced back to [19].

  8. Actually, we are assuming that the only distinction between threads blocked on such an operation is calling time, and thus, an FCFS policy is fine. Of course, this might not always be the case, and then, input parameters should be taken into account. For simplicity, we are not considering this possibility now.

  9. The library allows to issue more than one signal before releasing the monitor, but then it can get rather difficult to ensure that cpres hold on resumption, so the template presented does not consider that possibility.

  10. If the cpre is independent, the code only stores the new condition queue in a method associated list.

  11. A map associates a specified value with a specified key in the structure. If the map previously contained a mapping for the key, the old value is replaced by the specified value.

  12. Another popular CSP implementation is Communicating Threads in Java (CTJ) [18]. There is also available a detailed comparison between JCSP and CTJ in terms of their philosophies, similarities and differences, performance and usage scenarios in [28].

  13. The resemblance with the monitor templates should be evident. We are using synchronous channels to emulate the functionality provided by condition queues.

  14. Other systems examined—and discarded for various reasons—were Slam [5], Bogor [26] and TACO [14].

  15. A ghost field is similar to a JML model field, in that it is also only present for purposes of specification and thus cannot be used outside of JML annotations.

  16. Modifying this generic template for the if/else structure is straightforward.

  17. Notice that the unblocking code is now separated into two different pieces, one per each iteration. The code for exitWarehouse operation is analogous and can be seen in [2].

  18. The experimentation over those implementations that used “deferred request” techniques is not shown in this paper but downloadable from [2].

  19. The analysis of the other scenario, when a exitWarehouse request is processed, is analogous to the presented one.


  1. Ahrendt, W., Baar, T., Beckert, B., Bubel, R., Giese, M., Hähnle, R., Menzel, W., Mostowski, W., Roth, A., Schlager, S., Schmitt, H.P.: The key tool. Soft. Syst. Model. 4(1), 32–54 (2005). doi:10.1007/s10270-004-0058-x

    Article  Google Scholar 

  2. Alborodo, R.N.N., Mariño, J., Ángel H.: The shared resources home page. (2014)

  3. Araújo, J.E., Rebêlo, H., Lima, R., Mota, A., Kulesza, U., Sant’Anna, C.: An annotation-based approach for jcsp concurrent programming: a quantitative study. In: Proceedings of the 1st Workshop on Modularity in Systems Software, MISS ’11, pp. 7–11. ACM, New York, NY (2011). doi:10.1145/1960518.1960521

  4. Baker, P., Loh, S., Weil, F.: Model-Driven Engineering in a Large Industrial Context—Motorola Case Study, pp. 476–491. Springer, Berlin (2005). doi:10.1007/11557432_36

    Google Scholar 

  5. Ball, T., Cook, B., Levin, V., Rajamani, S., Ball, T.: Slam and static driver verifier: technology transfer of formal methods inside microsoft. Technical Report (2004)

  6. Beckert, B., Hähnle, R., Schmitt, P.H. (eds.): Verification of Object-Oriented Software: The KeY Approach. LNCS 4334. Springer (2007)

  7. Brinch-Hansen, P.: Structured multiprogramming. Commun. ACM 15(7), 574–578 (1972). (One of Brinch–Hansen’s seminal works on monitors)

    Article  MATH  Google Scholar 

  8. Buhr, P.A., Fortier, M., Coffin, M.H.: Monitor classification. ACM Comput. Surv. 27(1), 63–107 (1995). doi:10.1145/214037.214100

    Article  Google Scholar 

  9. BV, V.S.T.: Dezyne home page. (2015)

  10. Carro, M., Herranz, Ángel, Mariño, J.: A model-driven approach to teaching concurrency. Trans. Comput. Educ. 13(1), 5:1–5:19 (2013)

    Article  Google Scholar 

  11. Carro, M., Mariño, J., Ángel Herranz, Moreno-Navarro, J.J.: Teaching how to derive correct concurrent programs (from state-based specifications and code patterns). In: Dean, C., Boute, R. (eds.) Teaching Formal Methods, CoLogNET/FME Symposium, TFM 2004, Ghent, Belgium, LNCS, vol. 3294, pp. 85–106. Springer, NewYork (2004). ISBN 3-540-23611-2

  12. Cok, D.R.: Openjml: software verification for Java 7 using JML, openjdk, and eclipse. In: Proceedings 1st Workshop on Formal Integrated Development Environment, F-IDE 2014, Grenoble, France, April 6, 2014, pp. 79–92 (2014). doi:10.4204/EPTCS.149.8

  13. Fredlund, L., Herranz-Nieva, Á., Alborodo, R.N.N., Mariño, J.: A testing-based approach to ensure the safety of shared resource concurrent systems (revised version of conference publication). J. Risk Reliab. (2015) (Accepted for publication, to appear in 2016)

  14. Galeotti, J.P., Rosner, N., Lopez Pombo, C., Frias, M.: Taco: analysis of invariants for efficient bounded verification. In: Orso, T. (eds.) International Symposium on Software Testing and Analysis. Trento (2010).

  15. Hamie, A.: Using Patterns to Map OCL Constraints to JML Specifications. Springer, Cham (2015). doi:10.1007/978-3-319-25156-1_3

    Book  Google Scholar 

  16. Herranz, A., Mariño, J.: A verified implementation of priority monitors in Java. In: Proceedings of the 2011 International Conference on Formal Verification of Object-Oriented Software, FoVeOOS’11, pp. 160–177. Springer, Berlin (2012). doi:10.1007/978-3-642-31762-0_11

  17. Herranz, A., Mariño, J., Carro, M., Moreno Navarro, J.J.: Modeling concurrent systems with shared resources. In: Alpuente, M., Cook, B., Joubert, C. (eds.) Formal Methods for Industrial Critical Systems. Lecture Notes in Computer Science, vol. 5825, pp. 102–116. Springer, Berlin (2009). doi:10.1007/978-3-642-04570-7_9

  18. Hilderink, G., Broenink, J., Vervoort, W., Bakkers, A.: Communicating java threads. In: Parallel Programming and Java. Concurrent Systems Engineering Series, vol. 50, pp. 48–76. IOS Press, Amsterdam (1997).

  19. Hoare, C.A.R.: Monitors: an operating system structuring concept. Commun. ACM 17(10), 549–557 (1974). doi:10.1145/355620.361161

    Article  MATH  Google Scholar 

  20. Howard, J.H.: Signaling in monitors. In: Proceedings of the 2nd International Conference on Software Engineering, ICSE ’76, pp. 47–52. IEEE Computer Society Press, Los Alamitos, CA (1976).

  21. Klein, J., Levinson, H., Marchetti, J.: Model-driven engineering: automatic code generation and beyond. Technical Report CMU/SEI-2015-TN-005, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA (2015).

  22. Larsen, K.G., Pettersson, P., Yi, W.: Uppaal in a nutshell. STTT 1, 134–152 (1997)

    Article  MATH  Google Scholar 

  23. Leavens, G.T., Baker, A.L., Ruby, C.: JML: A notation for detailed design. In: Kilov, H., Rumpe, B., Simmonds, I. (eds.) Behavioral Specifications of Businesses and Systems. The Springer International Series in Engineering and Computer Science, vol. 523, pp. 175–188. Springer, NewYork (1999). doi:10.1007/978-1-4615-5229-1_12

  24. Mariño, J., Alborodo, R.N.N.: Communicating Process Architectures, chap. A Model-driven Methodology for Generating and Verifying CSP-based Java Code, pp. 85–108. Open Channel Publishing Ltd., Oxford (2015) (Accepted for publication, to appear in 2016)

  25. Pajic, M., Jiang, Z., Lee, I., Sokolsky, O., Mangharam, R.: From verification to implementation: a model translation tool and a pacemaker case study. In: 2012 IEEE 18th Real Time and Embedded Technology and Applications Symposium, Beijing, April 16–19, 2012, pp. 173–184 (2012). doi:10.1109/RTAS.2012.25

  26. Robby, Dwyer, M.B., Hatcliff, J.: Bogor: An extensible and highly-modular software model checking framework. In: Proceedings of the 9th European Software Engineering Conference Held Jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, ESEC/FSE-11, pp. 267–276. ACM, New York, NY (2003). doi:10.1145/940071.940107

  27. Rodríguez, E., Dwyer, M., Flanagan, C., Hatcliff, J., Leavens, G., Robby: extending JML for modular specification and verification of multi-threaded programs. In: Black, A. (ed.) ECOOP 2005—Object-Oriented Programming, Lecture Notes in Computer Science, vol. 3586, pp. 551–576. Springer, Berlin (2005). doi:10.1007/11531142_24

  28. Schaller, N.C., Hilderink, G.H., Welch, P.H.: Using Java for parallel computing: JCSP versus CTJ, a comparison. In: Welch, P.H., Bakkers, A.W.P. (eds.) Communicating Process Architectures, pp. 205–226 (2000)

  29. Welch, P.H., Austin, P.D., Brown, N.C.C.: Communicating Sequential Processes for Java (JCSP). (2012)

Download references


This research has been partially funded by Comunidad de Madrid grant S2013/ICE-2731 (N-Greens Software) and Spanish MINECO grant TIN2012-39391-C04-03 (StrongSoft).

Author information

Authors and Affiliations


Corresponding author

Correspondence to Raúl N. N. Alborodo.

Additional information

Communicated by Dr. F. Ciccozzi, J. Carlson, P. Pelliccione, and M. Tivoli.


Appendix 1: fairSelect and server loop instrumentation using synchronized methods

figure bs

Server loop instrumentation for KeY  when requests can be directly processed or refused. The server loop condition is changed from

figure bt


figure bu

Appendix 2: WarehouseAccessMonitorNaive instrumentation

Code corresponding to the instrumentation of the unblocking code of each operation belonging to the WarehouseAccessMonitorNaive class.

figure bv
figure bw

Appendix 3: Instrumented unblocking code of WarehouseAccessMonitorOpt

1.1 Unblocking code for exitWarehouse operation

figure bx

1.2 Unblocking code for enterWarehouse operation

figure by
figure bz

Rights and permissions

Reprints and Permissions

About this article

Check for updates. Verify currency and authenticity via CrossMark

Cite this article

Mariño, J., Alborodo, R.N.N., Fredlund, LÅ. et al. Synthesis of verifiable concurrent Java components from formal models. Softw Syst Model 18, 71–105 (2019).

Download citation

  • Received:

  • Revised:

  • Accepted:

  • Published:

  • Issue Date:

  • DOI: