CoCoSpec: A Mode-Aware Contract Language for Reactive Systems

  • Adrien Champion
  • Arie Gurfinkel
  • Temesghen Kahsai
  • Cesare Tinelli
Conference paper
Part of the Lecture Notes in Computer Science book series (LNCS, volume 9763)


Contract-based software development has long been a leading methodology for the construction of component-based reactive systems, embedded systems in particular. Contracts are an effective way to establish boundaries between components and can be used efficiently to verify global properties by using compositional reasoning techniques. A contract specifies the assumptions a component makes on its context and the guarantees it provides. Requirements in the specification of a component are often case-based, with each case describing what the component should do depending on a specific situation (or mode) the component is in. We introduce CoCoSpec, a mode-aware assume-guarantee-based contract language for embedded systems built as an extension of the Lustre language. CoCoSpec lets users specify mode behavior directly, instead of encoding it as conditional guarantees, thus preventing a loss of mode-specific information. Mode-aware model checkers supporting CoCoSpec can increase the effectiveness of the compositional analysis techniques found in assume-guarantee frameworks and improve scalability. Such tools can also produce much better feedback during the verification process, as well as valuable qualitative information on the contract itself. We presents the CoCoSpec language and illustrate the benefits of mode-aware model-checking on a case study involving a flight-critical avionics system. The evaluation uses Kind \(2\), a collaborative, parallel, SMT-based model checker extended to fully support CoCoSpec.


Model Checker Mode Logic Embed System Proof Obligation Reachability Graph 
These keywords were added by machine and not by the authors. This process is experimental and the keywords may be updated as the learning algorithm improves.


  1. 1.
    Backes, J., Cofer, D., Miller, S., Whalen, M.W.: Requirements analysis of a quad-redundant flight control system. In: Havelund, K., Holzmann, G., Joshi, R. (eds.) NFM 2015. LNCS, vol. 9058, pp. 82–96. Springer, Heidelberg (2015)Google Scholar
  2. 2.
    Barnes, J.G.P.: High Integrity Software - The SPARK Approach to Safety and Security. Addison-Wesley, Boston (2003)Google Scholar
  3. 3.
    Gheorghiu Bobaru, M., Păsăreanu, C.S., Giannakopoulou, D.: Automated assume-guarantee reasoning by abstraction refinement. In: Gupta, A., Malik, S. (eds.) CAV 2008. LNCS, vol. 5123, pp. 135–148. Springer, Heidelberg (2008)CrossRefGoogle Scholar
  4. 4.
    Brat, G., Bushnell, D., Davies, M., Giannakopoulou, D., Howar, F., Kahsai, T.: Verifying the safety of a flight-critical system. In: Bjørner, N., de Boer, F. (eds.) FM 2015. LNCS, vol. 9109, pp. 308–324. Springer, Heidelberg (2015)CrossRefGoogle Scholar
  5. 5.
    Champion, A., Mebsout, A., Sticksel, C., Tinelli, C.: The Kind 2 model checker. In: Chaudhuri, S., Farzan, A. (eds.) CAV 2016. LNCS, vol. 9780. Springer International Publishing, Switzerland (2016, to appear)Google Scholar
  6. 6.
    Cimatti, A., Roveri, M., Susi, A., Tonetta, S.: Validation of requirements for hybrid systems: a formal approach. ACM Trans. Softw. Eng. Methodol. 21(4), 22 (2012)CrossRefGoogle Scholar
  7. 7.
    Cimatti, A., Tonetta, S.: A property-based proof system for contract-based design. In: Cortellessa, V., Muccini, H., Demirörs, O. (eds.) 38th Euromicro Conference on Software Engineering and Advanced Applications, SEAA 2012. IEEE Computer Society (2012)Google Scholar
  8. 8.
    Cofer, D., Gacek, A., Miller, S., Whalen, M.W., LaValley, B., Sha, L.: Compositional verification of architectural models. In: Goodloe, A.E., Person, S. (eds.) NFM 2012. LNCS, vol. 7226, pp. 126–140. Springer, Heidelberg (2012)CrossRefGoogle Scholar
  9. 9.
    Dieumegard, A., Garoche, P., Kahsai, T., Taillar, A., Thirioux, X.: Compilation of synchronous observers as code contracts. In: Wainwright, R.L., Corchado, J.M., Bechini, A., Hong, J. (eds.) Proceedings of the 30th Annual ACM Symposium on Applied Computing, 2015. ACM (2015)Google Scholar
  10. 10.
    Dijkstra, E.W.: A Discipline of Programming. Prentice-Hall, Englewood Cliffs (1976)zbMATHGoogle Scholar
  11. 11.
    Halbwachs, N., Fernandez, J.C., Bouajjanni, A.: An executable temporal logic to express safety properties and its connection with the language lustre. In: Sixth International Symposium on Lucid and Intensional Programming, ISLIP 1993 (1993)Google Scholar
  12. 12.
    Halbwachs, N., Lagnier, F., Ratel, C.: Programming and verifying real-time systems by means of the synchronous data-flow language LUSTRE. IEEE Trans. Software Eng. 18(9), 785–793 (1992)CrossRefzbMATHGoogle Scholar
  13. 13.
    Halbwachs, N., Lagnier, F., Raymond, P.: Synchronous observers and the verification of reactive systems. In: Nivat, M., Rattray, C., Rus, T., Scollo, G. (eds.) Algebraic Methodology and Software Technology (AMAST). Workshops in Computing, pp. 83–96. Springer, London (1993)Google Scholar
  14. 14.
    Hoare, C.A.R.: An axiomatic basis for computer programming. Commun. ACM 12(10), 576–580 (1969)CrossRefzbMATHGoogle Scholar
  15. 15.
    Hueschen, R.M.: Development of the Transport Class Model (TCM) aircraft simulation from a sub-scale Generic Transport Model (GTM) simulation. Technical report, NASA, Langley Research Center (2011)Google Scholar
  16. 16.
    Jézéquel, J., Meyer, B.: Design by contract: the lessons of Ariane. IEEE Comput. 30(1), 129–130 (1997)CrossRefGoogle Scholar
  17. 17.
    Jones, C.: Development methods for computer programs including a notion of interference. Ph.D. thesis, Oxford University (1981)Google Scholar
  18. 18.
    Kahsai, T., Tinelli, C.: PKind: A parallel k-induction based model checker. In: Barnat, J., Heljanko, K. (eds.) Proceedings 10th International Workshop on Parallel and Distributed Methods in VerifiCation, PDMC 2011. EPTCS, vol. 72 (2011)Google Scholar
  19. 19.
    Kamp, J.: Tense logic and the theory of order. Ph.D. Thesis, UCLA (1968)Google Scholar
  20. 20.
    Kirchner, F., Kosmatov, N., Prevosto, V., Signoles, J., Yakobowski, B.: Frama-C: a software analysis perspective. Form. Asp. Comput. 27(3), 573–609 (2015)MathSciNetCrossRefGoogle Scholar
  21. 21.
    Leavens, G.T., Baker, A.L., Ruby, C.: JML: a notation for detailed design. In: Kilov, H., Rumpe, B., Simmonds, I. (eds.) Behavioral Specifications of Businesses and Systems. The Springer International Series in Engineering and Computer Science, vol. 523, pp. 175–188. Springer, New York (1999)CrossRefGoogle Scholar
  22. 22.
    Leino, K.R.M.: Dafny: an automatic program verifier for functional correctness. In: Clarke, E.M., Voronkov, A. (eds.) LPAR-16 2010. LNCS, vol. 6355, pp. 348–370. Springer, Heidelberg (2010)CrossRefGoogle Scholar
  23. 23.
    Manna, Z., Pnueli, A.: Temporal Verification of Reactive Systems. Springer, New York (1995)CrossRefzbMATHGoogle Scholar
  24. 24.
    McMillan, K.L.: Circular compositional reasoning about liveness. In: Pierre, L., Kropf, T. (eds.) CHARME 1999. LNCS, vol. 1703, pp. 342–346. Springer, Heidelberg (1999)CrossRefGoogle Scholar
  25. 25.
    Meyer, B.: Applying “design by contract”. IEEE Comput. 25(10), 40–51 (1992)CrossRefGoogle Scholar
  26. 26.
    Parnas, D.L.: Inspection of safety-critical software using program-function tables. In: Duncan, K.A., Krueger, K.H. (eds.) Linkage and Developing Countries, Information Processing, 1994, IFIP Transactions, vol. A-53. North-Holland (1994)Google Scholar

Copyright information

© Springer International Publishing Switzerland 2016

Authors and Affiliations

  • Adrien Champion
    • 1
  • Arie Gurfinkel
    • 2
  • Temesghen Kahsai
    • 3
  • Cesare Tinelli
    • 1
  1. 1.The University of IowaIowa CityUSA
  2. 2.SEI/Carnegie Mellon UniversityPittsburghUSA
  3. 3.NASA Ames/Carnegie Mellon UniversityPittsburghUSA

Personalised recommendations