
CoCoSpec: A Mode-Aware Contract Language for Reactive Systems

  • Conference paper
  • Software Engineering and Formal Methods (SEFM 2016)
  • Part of the book series: Lecture Notes in Computer Science (LNTCS, volume 9763)

Abstract

Contract-based software development has long been a leading methodology for the construction of component-based reactive systems, embedded systems in particular. Contracts are an effective way to establish boundaries between components and can be used efficiently to verify global properties by using compositional reasoning techniques. A contract specifies the assumptions a component makes on its context and the guarantees it provides. Requirements in the specification of a component are often case-based, with each case describing what the component should do depending on a specific situation (or mode) the component is in. We introduce CoCoSpec, a mode-aware assume-guarantee-based contract language for embedded systems built as an extension of the Lustre language. CoCoSpec lets users specify mode behavior directly, instead of encoding it as conditional guarantees, thus preventing a loss of mode-specific information. Mode-aware model checkers supporting CoCoSpec can increase the effectiveness of the compositional analysis techniques found in assume-guarantee frameworks and improve scalability. Such tools can also produce much better feedback during the verification process, as well as valuable qualitative information on the contract itself. We present the CoCoSpec language and illustrate the benefits of mode-aware model checking on a case study involving a flight-critical avionics system. The evaluation uses Kind 2, a collaborative, parallel, SMT-based model checker extended to fully support CoCoSpec.

This material is based upon work funded and supported by NASA under Grant # NNX14AI09G, and by the Department of Defense under Contract # FA8721-05-C-0003 with Carnegie Mellon University for the operation of the Software Engineering Institute, a federally funded research and development center. This material has been approved for public release and unlimited distribution. DM-0002921.


Notes

  1. Intuitively, \(\mathsf{H}\,P\) states that P has been true in all states of an execution up to the current state.

  2. We will identify sets of formulas, such as \(R_i\) and \(E_i\), with the conjunction of their elements.

  3. The node, called MODE_LOGIC_AltAndFPAMode in the original model, was slightly altered and its specification simplified for readability and simplicity.

  4. What the altitude and the FPA controllers actually do is not important at this point.

  5. It is true in this instance because in the switch mode, off has priority over on.

  6. Kind 2 is available at http://kind.cs.uiowa.edu/.

  7. Full data on the case study, including models, contracts, reachability graphs, and instructions on how to reproduce our experimental results using the CoCoSpec version of Kind 2, are available at https://github.com/kind2-mc/cocospec_tcm_experiments.

  8. Full contracts for times, divid, and divid_bounded_num are available on the case study website.

  9. This is possible in principle if these signals come from distinct physical on/off buttons, as opposed to a switch, that are released at the same time.
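The abstract's point that flat conditional guarantees lose mode-specific information, illustrated with an added Python simulation that is not code from the paper or from Kind 2: a constructed switch node in the spirit of note 5 (off has priority over on), checked once against its requirements written as conditional guarantees and once against the same requirements written as explicit modes; the node, its modes, the state dictionaries and the trace are all assumptions made here.

```python
from itertools import product

def switch_step(prev_out, on, off):
    """Constructed switch node: 'off' has priority over 'on' (cf. note 5);
    with neither pressed the output keeps its previous value."""
    if off:
        return False
    if on:
        return True
    return prev_out

# Explicit modes: name -> (require, ensure), both predicates on one step's state.
MODES = {
    "off": (lambda s: s["off"], lambda s: not s["out"]),
    "on": (lambda s: s["on"] and not s["off"], lambda s: s["out"]),
}
# The same requirements written as flat conditional guarantees (require => ensure).
GUARANTEES = [lambda s, req=req, ens=ens: (not req(s)) or ens(s)
              for req, ens in MODES.values()]

def run(inputs):
    """Simulate the node over a list of (on, off) inputs; return per-step states."""
    out, states = False, []
    for on, off in inputs:
        out = switch_step(out, on, off)
        states.append({"on": on, "off": off, "out": out})
    return states

def check_flat(states):
    """Flat check: a single yes/no verdict, with no mode information."""
    return all(g(s) for s in states for g in GUARANTEES)

def check_modes(states):
    """Mode-aware check: the same verdict, plus the modes active at each step."""
    active = []
    for s in states:
        on_modes = [m for m, (req, _) in MODES.items() if req(s)]
        if any(not MODES[m][1](s) for m in on_modes):
            return False, active
        active.append(on_modes)
    return True, active

def uncovered_inputs():
    """Feedback on the contract itself: inputs for which no mode's require holds."""
    gaps = []
    for on, off in product([False, True], repeat=2):
        s = {"on": on, "off": off, "out": None}
        if not any(req(s) for req, _ in MODES.values()):
            gaps.append((on, off))
    return gaps
```

The flat check only answers "all guarantees hold"; the mode-aware check additionally reports which modes were active at each step (an empty list where the contract is silent) and `uncovered_inputs` exposes the input combination no mode covers, the kind of qualitative information the abstract attributes to mode-aware checkers.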


Corresponding author: Adrien Champion

Copyright information

© 2016 Springer International Publishing Switzerland

Cite this paper

Champion, A., Gurfinkel, A., Kahsai, T., Tinelli, C. (2016). CoCoSpec: A Mode-Aware Contract Language for Reactive Systems. In: De Nicola, R., Kühn, E. (eds) Software Engineering and Formal Methods. SEFM 2016. Lecture Notes in Computer Science, vol 9763. Springer, Cham. https://doi.org/10.1007/978-3-319-41591-8_24

  • DOI: https://doi.org/10.1007/978-3-319-41591-8_24
  • Publisher Name: Springer, Cham
  • Print ISBN: 978-3-319-41590-1
  • Online ISBN: 978-3-319-41591-8