Similar documents
20 similar documents found, search took 15 ms
1.
The scenario technique is an interesting approach for eliciting requirements. A formal approach to scenario generation has made it even more attractive. The next logical step is to integrate several scenarios into one single, consistent, specification. In this work, a mixed approach, involving formal and informal steps is proposed for performing this task. The system's formal specification is expressed as a finite state machine. The specifications of two interacting scenarios are integrated in a procedure involving formal and informal steps. Then several algorithms based on the properties of the model, are applied to detect three classes of errors: mistakes made by the analyst during the informal steps of the integration, inconsistencies between the scenarios, and incompleteness of both scenarios. Each algorithm detects the corresponding specification errors and in addition, suggests the corrections to apply. The formal techniques applied in this work could be the basis of a CASE tool for scenario-based requirements engineering.

2.
闫倩倩, 缪炜恺. 《计算机工程》 (Computer Engineering), 2021, 47(8): 284-293, 300
Formal methods for rail transit control software face practical difficulties in formal modelling and system-level scenario verification when applied in real engineering projects. This paper proposes a formal modelling, requirements confirmation and verification method for the rail transit domain. A three-step evolution from informal, to semi-formal, to formal specification provides templates for constructing formal specifications. During requirements confirmation and verification, a requirements model is built from the formal specification, related diagrams are derived from it, and the scenarios that domain experts care about are checked against them. Scenario description rules are also defined so that scenarios execute correctly in the requirements model. On this basis, scenarios are optimised in three respects, special variables, efficiency and scenario quality, so that the correctness of the requirements is verified more thoroughly. Experimental results show that, for typical on-board control software, the method detects 10% more potential defects than traditional analysis methods and improves efficiency by more than 80%.

3.
Mechanical theorem proving and model checking are the two main methods of formal verification, each with its own strengths and weaknesses. While mechanical theorem proving is more general, it requires intensive human guidance. Model checking is automatic, but is applicable to a more restricted class of problems. It is appealing to combine these two methods in order to take advantage of their different strengths. Prior research in this direction has focused on how to decompose a verification problem into parts each of which is manageable by one of the two methods. In this paper we explore another possibility: we use mechanical theorem proving to formally verify a meta-theory of model checking. As a case study, we use the mechanical theorem prover HOL to verify the correctness of a partial-order reduction technique for cutting down the amount of state search performed by model checkers. We choose this example for two reasons. First, this reduction technique has been implemented in the protocol analysis tool SPIN to significantly speed up the analysis of many practical protocols; hence its correctness has important practical consequences. Second, the correctness arguments involve nontrivial mathematics, the formalization of which we hope will become the basis of a formal meta-theory of other model-checking algorithms and techniques. Interestingly, our formalization led to a nontrivial generalization of the original informal theory. We discuss the lessons, both encouraging and discouraging, learned from this exercise. In the appendix we highlight the important definitions and theorems from each of our HOL theories. The complete listing of our HOL proof is given in a separate document because of space limitations.

4.
We motivate and formalize the idea of sameness by default: two objects are considered the same if they cannot be proved to be different. This idea turns out to be useful for a number of widely different applications, including natural language processing, reasoning with incomplete information, and even philosophical paradoxes. We consider two formalizations of this notion, both of which are based on Reiter's Default Logic. The first formalization is a new relation of indistinguishability that is introduced by default. We prove that the corresponding default theory has a unique extension, in which every two objects are indistinguishable if and only if their non-equality cannot be proved from the known facts. We show that the indistinguishability relation has some desirable properties: it is reflexive, symmetric, and, while not transitive, it has a transitive "flavor." The second formalization is an extension (modification) of the ordinary language equality by a similar default: two objects are equal if and only if their non-equality cannot be proved from the known facts. It appears to be less elegant from a formal point of view. In particular, it gives rise to multiple extensions. However, this extended equality is better suited for most of the applications discussed in this paper.

5.
We describe the computer formalization of a complex-analytic proof of the Prime Number Theorem (PNT), a classic result from number theory characterizing the asymptotic density of the primes. The formalization, conducted using the HOL Light theorem prover, proceeds from the most basic axioms for mathematics yet builds from that foundation to develop the necessary analytic machinery including Cauchy's integral formula, so that we are able to formalize a direct, modern and elegant proof instead of the more involved 'elementary' Erdős-Selberg argument. As well as setting the work in context and describing the highlights of the formalization, we analyze the relationship between the formal proof and its informal counterpart and so attempt to derive some general lessons about the formalization of mathematics.

6.
Requirements engineering is insufficiently supported in practice; in particular, the issue of appropriate formality of the requirements' representation during their definition is still unsolved. Since informal natural language has its disadvantages and immediate formal representation is very difficult, a mediating representation is needed. Therefore, we developed a novel approach to requirements engineering — with tool support — that is based on hypertext. We utilize hypertext primarily for semiformal representation, which can help to bridge the informality/formality gap between human and computer. We have applied our approach in real-world projects, and our experience suggests its usefulness. As a consequence, we recommend the use of hypertext for the specification of requirements in practice.

7.
A core problem in formal methods is the transition from informal requirements to formal specifications. Especially when specifying the behavior of reactive systems, many formalisms require the user either to understand a complex mathematical theory and notation or to derive details not given in the requirements, such as the state space of the problem. Many approaches also need a consistent set of requirements, which forces requirements conflicts to be resolved before formalization. This paper describes a specification technique in which signal patterns, not states, are the main elements. The notation is based on tables of regular expressions and supports a piece-wise formalization of potentially inconsistent requirements. Many properties, such as input completeness and consistency, can be checked automatically for these specifications. The detection and resolution of conflicts can be performed within our framework after formalization. Besides the formal foundation of our approach, this paper presents prototypical tool support and results from an industrial case study.

8.
Interactions between dependent or conflicting aspects are a well-known problem with aspect-oriented development (as well as related paradigms). These interactions are potentially dangerous and can lead to unexpected or incorrect results when aspects are composed. To date, the majority of aspect interaction detection methods either have been based on purely syntactic comparisons or have relied on heavyweight formal methods. We present a new approach that is based instead on lightweight semantic annotations of aspects. Each aspect is annotated with domain-specific markers and a separate influence model describes how semantic markers from different domains influence each other. Automated analysis can then be used both to highlight semantic aspect conflicts and to trade off aspects. We apply this technique to early aspects, namely, aspect scenarios, because it is desirable to detect aspect interactions as early in the software lifecycle as possible. We evaluate the technique using two case studies—one from industry and one posed as a challenge problem by the community—and show that the technique detects interactions that cannot be discovered using syntactic techniques. In addition, we show that the technique can apply to many languages through the use of different aspect-oriented scenario notations in the case studies, namely, MATA sequence diagrams and Aspect-oriented Use Case Maps.

10.
The present paper studies the general implications of the principle of compositionality for the organization of grammar. It will be argued that Janssen's (1986) requirement that syntax and semantics be similar algebras is too strong, and that the more liberal requirement that syntax be interpretable into semantics leads to a formalization that can be motivated and applied more easily, while it avoids the complications that encumber Janssen's formalization. Moreover, it will be shown that this alternative formalization even allows one to further complete the formal theory of compositionality, in that it is capable of clarifying the role played by translation, model-theoretic interpretation and meaning postulates, of which the latter two aspects received little or no attention in Montague (1970) and Janssen (1986).

11.
We consider scheduling problems over scenarios where the goal is to find a single assignment of the jobs to the machines which performs well over all scenarios in an explicitly given set. Each scenario is a subset of jobs that must be executed in that scenario. The two objectives that we consider are minimizing the maximum makespan over all scenarios and minimizing the sum of the makespans of all scenarios. For both versions, we give several approximation algorithms and lower bounds on their approximability. We also consider some (easier) special cases. Combinatorial optimization problems under scenarios in general, and scheduling problems under scenarios in particular, have seen only limited research attention so far. With this paper, we make a step in this interesting research direction.

14.
In philosophical logic and metaphysics there is a long-standing debate around the most appropriate structures to represent indeterministic scenarios concerning the future. We reconstruct here such a debate in a computational setting, focusing on the fundamental difference between moment-based and history-based structures. Our presentation is centered around two versions of an indeterministic scenario in which a programmer wants a machine to perform a given task at some point after a specified time. One of the two versions includes an assumption about the future behaviour of the machine that cannot be encoded in any programming instruction; that version has models over history-based structures but no model over a moment-based structure. Therefore, our work adds a new stance to the debate: moment-based structures can be said to rule out certain indeterministic scenarios that are computationally unfeasible.

16.
Computer systems are used in many critical domains, and the failure of these systems can cause major disasters. Systems in different application domains have different dependability requirements, and how to build high-quality trustworthy computer systems is a major challenge shared by all of these domains. In recent years, formal methods, with their rigorous mathematical foundations, have been widely recognised as an effective way to develop highly reliable hardware and software systems. The goal of this work is to classify the application of formal methods to different systems along several dimensions, in order to better support the design of trustworthy hardware and software systems. Starting from system characteristics, six kinds of system are considered: sequential systems, reactive systems, concurrent and communicating systems, real-time systems, probabilistic and stochastic systems, and hybrid systems. These systems also run in many application scenarios, each with its own requirements; four application scenarios are considered: hardware systems, communication protocols, information flow, and artificial intelligence systems. For each of these categories, the formal modelling, property specification, and verification methods and tools are introduced and summarised. This allows users of formal methods to choose appropriate modelling and verification techniques and tools more accurately for different systems and application scenarios, and helps designers develop more reliable systems.

17.
The approach of learning multiple "related" tasks simultaneously has proven quite successful in practice; however, theoretical justification for this success has remained elusive. The starting point for previous work on multiple task learning has been that the tasks to be learned jointly are somehow "algorithmically related", in the sense that the results of applying a specific learning algorithm to these tasks are assumed to be similar. We offer an alternative approach, defining relatedness of tasks on the basis of similarity between the example generating distributions that underlie these tasks. We provide a formal framework for this notion of task relatedness, which captures a sub-domain of the wide scope of issues in which one may apply a multiple task learning approach. Our notion of task similarity is relevant to a variety of real-life multitask learning scenarios and allows the formal derivation of generalization bounds that are strictly stronger than the previously known bounds for both the learning-to-learn and the multitask learning scenarios. We give precise conditions under which our bounds guarantee generalization on the basis of smaller sample sizes than the standard single-task approach. Editors: Daniel Silver, Kristin Bennett, Richard Caruana. A preliminary version of this paper appears in the proceedings of COLT'03 (Ben-David and Schuller 2003).

18.
This paper describes light-weight formal techniques based on Message Sequence Charts (MSCs) for capturing and validating early requirements and design. Our focus is on ease of use in specifying, simulating and validating scenarios, and checking their desired properties efficiently. We discuss how the formalism of High Level Message Sequence Charts (HMSCs or MSC'96) can be used to capture scenarios in use cases, thus enabling the use of tools for analysing them. We then present two formal semantics for HMSCs: an intuitive linear time semantics based on runs, and an operational semantics in terms of a labelled transition system. Next we present a way of describing desired properties of use case scenarios using templates, for validating scenarios with respect to informal requirements. The correctness properties of a collection of MSCs can then be established by efficient algorithms for finding paths in a directed graph representing the precedence relation on the events of the MSCs. We have implemented the operational semantics and the verification algorithms in the form of a simulation and verification tool for analysing scenarios.

20.
During iterative, UML-based software development, various UML diagrams modeling the same system at different levels of abstraction are developed. These models must remain consistent when changes are performed. In this context, we refine the notion of impact analysis and distinguish horizontal impact analysis (which focuses on changes and impacts at one level of abstraction) from vertical impact analysis (which focuses on changes at one level of abstraction and their impacts on another level). Vertical impact analysis requires that some traceability links be established between model elements at the two levels of abstraction. We propose a traceability analysis approach for UML 2.0 class diagrams which is based on a careful formalization of changes to those models, refinements which are composed of those changes, and traceability links corresponding to refinements. We show how actual refinements and corresponding traceability links are formalized using the OCL. Tool support and a case study are also described.
