Concurrent systems are hard to program, and ensuring quality by means of traditional testing techniques is often very hard as errors may not show up easily and reproducing them is hard. In previous work, we have advocated a model-driven approach to the analysis and design of concurrent, safety-critical systems. However, to take full advantage of these techniques, they must be supported by code generation schemes for concrete programming languages. Ideally, this translation should be traceable, automated and should support the verification of the generated code. In our work, we consider the problem of generating a concurrent Java component from a high-level model of inter-process interaction (i.e., communication + synchronization). We call our formalism shared resources. From the model, which can be represented in mathematical notation or written as a Java interface annotated using an extension of JML, a Java component can be obtained by a semiautomatic translation. We describe how to obtain shared memory (using a priority monitors library) and message passing (using the JCSP library) implementations. Focusing on inter-process interaction for formal development is justified by several reasons, e.g., mathematical models are language-independent and allow to analyze certain concurrency issues, such as deadlocks or liveness properties prior to code generation. Also, the Java components produced from the shared resource model will contain all the concurrency-related language constructs, which are often responsible for many of the errors in concurrent software. We follow a realistic approach where the translation is semiautomatic (schemata for code generation) and the programmer still retains the power of coding or modifying parts of the code for the resource. The code thus obtained is JML-annotated Java with proof obligations that help with code traceability and verification of safety and liveness properties. As the code thus obtained is not automatically correct, there is still the need to verify its conformance to the original specs. We illustrate the methodology by developing a concurrent control system and verifying the code obtained using the KeY program verification tool. We also show how KeY can be used to find errors resulting from a wrong use of the templates.
This is a preview of subscription content, access via your institution.
Buy single article
Instant access to the full article PDF.
Price excludes VAT (USA)
Tax calculation will be finalised during checkout.
There are several patterns or tools for translating from other specification languages to JML specification sentences. An example of them is presented in ; in particular, OCL specifications can easily be translated into JML.
There are several patterns or tools for translating from other specification languages to JML specification sentences. An example of them is presented in , so OCL specifications can easily be translated into JML.
For simplicity, we are assuming that the Java code for checking a boolean condition can be represented by a call to an auxiliary method, which would be part of the outcome of Pred2Java. Of course, actual code may take a different, but equivalent, form.
Notice that JML assume statements are those expressions on which the code can “trust” to hold. In the case of the pre, it is assumed that the expression is valid before continuing the execution. However, assert expressions must be checked, and if some of those expressions do not hold, the code must halt or warn the user that the system is in an inconsistent state. In the case of the cpre, the expression must hold before continuing executing the critical section of the operation, indicating that the invariant holds and the access to the shared resource inner state variables is allowed.
A survey on the different monitor flavors, with an analysis of the pros and cons of each proposal, can be found in .
Also known as “condition variables,” “event queues,” etc., in the literature.
This idea can be traced back to .
Actually, we are assuming that the only distinction between threads blocked on such an operation is calling time, and thus, an FCFS policy is fine. Of course, this might not always be the case, and then, input parameters should be taken into account. For simplicity, we are not considering this possibility now.
The library allows to issue more than one signal before releasing the monitor, but then it can get rather difficult to ensure that cpres hold on resumption, so the template presented does not consider that possibility.
If the cpre is independent, the code only stores the new condition queue in a method associated list.
A map associates a specified value with a specified key in the structure. If the map previously contained a mapping for the key, the old value is replaced by the specified value.
The resemblance with the monitor templates should be evident. We are using synchronous channels to emulate the functionality provided by condition queues.
A ghost field is similar to a JML model field, in that it is also only present for purposes of specification and thus cannot be used outside of JML annotations.
Modifying this generic template for the if/else structure is straightforward.
Notice that the unblocking code is now separated into two different pieces, one per each iteration. The code for exitWarehouse operation is analogous and can be seen in .
The experimentation over those implementations that used “deferred request” techniques is not shown in this paper but downloadable from .
The analysis of the other scenario, when a exitWarehouse request is processed, is analogous to the presented one.
Ahrendt, W., Baar, T., Beckert, B., Bubel, R., Giese, M., Hähnle, R., Menzel, W., Mostowski, W., Roth, A., Schlager, S., Schmitt, H.P.: The key tool. Soft. Syst. Model. 4(1), 32–54 (2005). doi:10.1007/s10270-004-0058-x
Alborodo, R.N.N., Mariño, J., Ángel H.: The shared resources home page. http://babel.upm.es/~rnnalborodo/sr_web/ (2014)
Araújo, J.E., Rebêlo, H., Lima, R., Mota, A., Kulesza, U., Sant’Anna, C.: An annotation-based approach for jcsp concurrent programming: a quantitative study. In: Proceedings of the 1st Workshop on Modularity in Systems Software, MISS ’11, pp. 7–11. ACM, New York, NY (2011). doi:10.1145/1960518.1960521
Baker, P., Loh, S., Weil, F.: Model-Driven Engineering in a Large Industrial Context—Motorola Case Study, pp. 476–491. Springer, Berlin (2005). doi:10.1007/11557432_36
Ball, T., Cook, B., Levin, V., Rajamani, S., Ball, T.: Slam and static driver verifier: technology transfer of formal methods inside microsoft. Technical Report (2004)
Beckert, B., Hähnle, R., Schmitt, P.H. (eds.): Verification of Object-Oriented Software: The KeY Approach. LNCS 4334. Springer (2007)
Brinch-Hansen, P.: Structured multiprogramming. Commun. ACM 15(7), 574–578 (1972). (One of Brinch–Hansen’s seminal works on monitors)
Buhr, P.A., Fortier, M., Coffin, M.H.: Monitor classification. ACM Comput. Surv. 27(1), 63–107 (1995). doi:10.1145/214037.214100
BV, V.S.T.: Dezyne home page. http://www.verum.com/ (2015)
Carro, M., Herranz, Ángel, Mariño, J.: A model-driven approach to teaching concurrency. Trans. Comput. Educ. 13(1), 5:1–5:19 (2013)
Carro, M., Mariño, J., Ángel Herranz, Moreno-Navarro, J.J.: Teaching how to derive correct concurrent programs (from state-based specifications and code patterns). In: Dean, C., Boute, R. (eds.) Teaching Formal Methods, CoLogNET/FME Symposium, TFM 2004, Ghent, Belgium, LNCS, vol. 3294, pp. 85–106. Springer, NewYork (2004). ISBN 3-540-23611-2
Cok, D.R.: Openjml: software verification for Java 7 using JML, openjdk, and eclipse. In: Proceedings 1st Workshop on Formal Integrated Development Environment, F-IDE 2014, Grenoble, France, April 6, 2014, pp. 79–92 (2014). doi:10.4204/EPTCS.149.8
Fredlund, L., Herranz-Nieva, Á., Alborodo, R.N.N., Mariño, J.: A testing-based approach to ensure the safety of shared resource concurrent systems (revised version of conference publication). J. Risk Reliab. (2015) (Accepted for publication, to appear in 2016)
Galeotti, J.P., Rosner, N., Lopez Pombo, C., Frias, M.: Taco: analysis of invariants for efficient bounded verification. In: Orso, T. (eds.) International Symposium on Software Testing and Analysis. Trento (2010). http://publicaciones.dc.uba.ar/Publications/2010/GRLF10a
Hamie, A.: Using Patterns to Map OCL Constraints to JML Specifications. Springer, Cham (2015). doi:10.1007/978-3-319-25156-1_3
Herranz, A., Mariño, J.: A verified implementation of priority monitors in Java. In: Proceedings of the 2011 International Conference on Formal Verification of Object-Oriented Software, FoVeOOS’11, pp. 160–177. Springer, Berlin (2012). doi:10.1007/978-3-642-31762-0_11
Herranz, A., Mariño, J., Carro, M., Moreno Navarro, J.J.: Modeling concurrent systems with shared resources. In: Alpuente, M., Cook, B., Joubert, C. (eds.) Formal Methods for Industrial Critical Systems. Lecture Notes in Computer Science, vol. 5825, pp. 102–116. Springer, Berlin (2009). doi:10.1007/978-3-642-04570-7_9
Hilderink, G., Broenink, J., Vervoort, W., Bakkers, A.: Communicating java threads. In: Parallel Programming and Java. Concurrent Systems Engineering Series, vol. 50, pp. 48–76. IOS Press, Amsterdam (1997). http://doc.utwente.nl/16613/
Hoare, C.A.R.: Monitors: an operating system structuring concept. Commun. ACM 17(10), 549–557 (1974). doi:10.1145/355620.361161
Howard, J.H.: Signaling in monitors. In: Proceedings of the 2nd International Conference on Software Engineering, ICSE ’76, pp. 47–52. IEEE Computer Society Press, Los Alamitos, CA (1976). http://dl.acm.org/citation.cfm?id=800253.807647
Klein, J., Levinson, H., Marchetti, J.: Model-driven engineering: automatic code generation and beyond. Technical Report CMU/SEI-2015-TN-005, Software Engineering Institute, Carnegie Mellon University, Pittsburgh, PA (2015). http://resources.sei.cmu.edu/library/asset-view.cfm?AssetID=435414
Larsen, K.G., Pettersson, P., Yi, W.: Uppaal in a nutshell. STTT 1, 134–152 (1997)
Leavens, G.T., Baker, A.L., Ruby, C.: JML: A notation for detailed design. In: Kilov, H., Rumpe, B., Simmonds, I. (eds.) Behavioral Specifications of Businesses and Systems. The Springer International Series in Engineering and Computer Science, vol. 523, pp. 175–188. Springer, NewYork (1999). doi:10.1007/978-1-4615-5229-1_12
Mariño, J., Alborodo, R.N.N.: Communicating Process Architectures, chap. A Model-driven Methodology for Generating and Verifying CSP-based Java Code, pp. 85–108. Open Channel Publishing Ltd., Oxford (2015) (Accepted for publication, to appear in 2016)
Pajic, M., Jiang, Z., Lee, I., Sokolsky, O., Mangharam, R.: From verification to implementation: a model translation tool and a pacemaker case study. In: 2012 IEEE 18th Real Time and Embedded Technology and Applications Symposium, Beijing, April 16–19, 2012, pp. 173–184 (2012). doi:10.1109/RTAS.2012.25
Robby, Dwyer, M.B., Hatcliff, J.: Bogor: An extensible and highly-modular software model checking framework. In: Proceedings of the 9th European Software Engineering Conference Held Jointly with 11th ACM SIGSOFT International Symposium on Foundations of Software Engineering, ESEC/FSE-11, pp. 267–276. ACM, New York, NY (2003). doi:10.1145/940071.940107
Rodríguez, E., Dwyer, M., Flanagan, C., Hatcliff, J., Leavens, G., Robby: extending JML for modular specification and verification of multi-threaded programs. In: Black, A. (ed.) ECOOP 2005—Object-Oriented Programming, Lecture Notes in Computer Science, vol. 3586, pp. 551–576. Springer, Berlin (2005). doi:10.1007/11531142_24
Schaller, N.C., Hilderink, G.H., Welch, P.H.: Using Java for parallel computing: JCSP versus CTJ, a comparison. In: Welch, P.H., Bakkers, A.W.P. (eds.) Communicating Process Architectures, pp. 205–226 (2000)
Welch, P.H., Austin, P.D., Brown, N.C.C.: Communicating Sequential Processes for Java (JCSP). http://www.cs.kent.ac.uk/projects/ofa/JCSP/ (2012)
This research has been partially funded by Comunidad de Madrid grant S2013/ICE-2731 (N-Greens Software) and Spanish MINECO grant TIN2012-39391-C04-03 (StrongSoft).
Communicated by Dr. F. Ciccozzi, J. Carlson, P. Pelliccione, and M. Tivoli.
Appendix 1: fairSelect and server loop instrumentation using synchronized methods
Server loop instrumentation for KeY when requests can be directly processed or refused. The server loop condition is changed from
Appendix 2: WarehouseAccessMonitorNaive instrumentation
Code corresponding to the instrumentation of the unblocking code of each operation belonging to the WarehouseAccessMonitorNaive class.
Appendix 3: Instrumented unblocking code of WarehouseAccessMonitorOpt
1.1 Unblocking code for exitWarehouse operation
1.2 Unblocking code for enterWarehouse operation
About this article
Cite this article
Mariño, J., Alborodo, R.N.N., Fredlund, LÅ. et al. Synthesis of verifiable concurrent Java components from formal models. Softw Syst Model 18, 71–105 (2019). https://doi.org/10.1007/s10270-017-0581-1